Opening a port in the Linux firewall allows external hosts to reach a listening service, such as a web server, database, or custom application, instead of having packets silently dropped at the edge of the system.
The firewall on most modern Linux distributions filters traffic with the kernel packet filter (iptables or nftables), and distributions ship friendlier front-ends such as ufw on Ubuntu for managing rules. Allowing a port adds an inbound rule so that new connections to a specific port and protocol are accepted rather than dropped by the default deny policy.
Changing firewall rules requires administrative privileges and a clear understanding of which services should be reachable from the network, especially on remote servers where a mistake can cut off access. Instructions here target Ubuntu and other Debian-derived systems using ufw as a front-end to iptables and nftables, while other distributions commonly use firewalld or raw nftables rules.
Steps to allow a port through the firewall in Linux:
- Open a terminal with sudo privileges.

```
$ whoami
user
```

- Check whether ufw is active.

```
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
```
ufw reports `Status: inactive` when it has not yet been enabled, which is common on fresh installations.
- Allow incoming SSH connections before enabling ufw on a remote server.

```
$ sudo ufw allow OpenSSH
Rule added
Rule added (v6)
```
Enabling ufw without permitting SSH can block future remote logins and require console or out-of-band access to fix the configuration.
- Enable ufw if it is reported as inactive.

```
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
```
Enabling ufw turns the configured defaults into live rules, typically denying incoming connections except for explicitly allowed ports.
- Allow an incoming TCP port for a service, replacing 8080 with the desired port number.

```
$ sudo ufw allow 8080/tcp
Rule added
Rule added (v6)
```
Specifying `/tcp` constrains the rule to TCP traffic, which is typical for HTTP, HTTPS, and many custom application protocols.
- Allow an incoming UDP port when the application uses UDP instead of TCP, replacing 1194 with the required port number.

```
$ sudo ufw allow 1194/udp
Rule added
Rule added (v6)
```
VPN protocols such as OpenVPN often listen on UDP ports, so matching the protocol type avoids confusing partial connectivity issues.
- List numbered rules to confirm that the new allow rule is present.

```
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW       Anywhere
[ 2] 8080/tcp                   ALLOW       Anywhere
[ 3] 1194/udp                   ALLOW       Anywhere
[ 4] 22/tcp (v6)                ALLOW       Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW       Anywhere (v6)
[ 6] 1194/udp (v6)              ALLOW       Anywhere (v6)
```
Numbered rules provide stable references for later changes, such as deleting a specific entry by its index.
- Remove an allow rule when a port no longer needs to be reachable from the network.

```
$ sudo ufw delete allow 8080/tcp
Rule deleted
Rule deleted (v6)
```
Closing unused ports reduces exposure to accidental misconfiguration and opportunistic scans that probe for open services.
- Test from another system that the port is reachable over the network.

```
$ nc -vz server.example.com 8080
Connection to server.example.com 8080 port [tcp/*] succeeded!
```
If `nc` is unavailable, an equivalent tool such as `telnet`, or a browser for HTTP ports, can verify that the service responds through the firewall. A connection that times out or is refused means either that the rule is missing (check `sudo ufw status numbered` again) or that nothing is actually listening on that port on the server.
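The steps above add a rule with `ufw allow` and then confirm it with `ufw status numbered`. The following POSIX shell helpers, an added example rather than code from the original article, do the confirmation the other way round: they validate a `port/protocol` spec (only `1-65535` with `/tcp` or `/udp`) and scan a `ufw status numbered` listing for an existing IPv4 allow rule before printing the `ufw allow` command to run, so the same port is not added twice. The `SAMPLE_STATUS` text is a constructed copy of the listing shown in the steps; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): check a `ufw status numbered`
# listing for an existing allow rule before issuing a new `ufw allow`.

# Constructed sample of `sudo ufw status numbered` output, mirroring the
# listing in the steps above. On a live system you would capture it with
#   status=$(sudo ufw status numbered)
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW       Anywhere
[ 2] 8080/tcp                   ALLOW       Anywhere
[ 3] 1194/udp                   ALLOW       Anywhere
[ 4] 22/tcp (v6)                ALLOW       Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW       Anywhere (v6)
[ 6] 1194/udp (v6)              ALLOW       Anywhere (v6)'

# valid_port_spec SPEC
# Succeeds only for "<port>/tcp" or "<port>/udp" with 1 <= port <= 65535.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port=${spec%/*}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# rule_index STATUS_TEXT SPEC
# Prints the index of the first IPv4 ALLOW rule whose "To" column equals
# SPEC (e.g. "8080/tcp") and succeeds; fails silently when there is none.
# Lines containing "(v6)" are skipped so only the IPv4 entry is reported.
rule_index() {
    status=$1
    spec=$2
    printf '%s\n' "$status" | awk -v spec="$spec" '
        /^\[ *[0-9]+\]/ && !/\(v6\)/ {
            sub(/^\[ */, "[")                  # "[ 2]" -> "[2]" so $1 is the whole index token
            idx = substr($1, 2, length($1) - 2)
            if ($2 == spec && $3 == "ALLOW") { print idx; found = 1; exit 0 }
        }
        END { if (!found) exit 1 }'
}

# plan_allow STATUS_TEXT SPEC
# Prints the ufw command that would open SPEC, or a skip message when an
# identical allow rule already exists. Returns 2 for a malformed spec.
plan_allow() {
    status=$1
    spec=$2
    if ! valid_port_spec "$spec"; then
        printf 'refusing: %s is not a <1-65535>/tcp or /udp spec\n' "$spec"
        return 2
    fi
    if idx=$(rule_index "$status" "$spec"); then
        printf 'skip: %s already allowed as rule [%s]\n' "$spec" "$idx"
        return 0
    fi
    printf 'sudo ufw allow %s\n' "$spec"
}

# Demonstration against the constructed listing.
plan_allow "$SAMPLE_STATUS" 443/tcp     # prints the command to run
plan_allow "$SAMPLE_STATUS" 1194/udp    # already present as rule [3]
```

`plan_allow` only prints the command; pipe it to `sh` or paste it once you have read it, which keeps the privileged `ufw` call explicit. Note that `ufw allow PORT/PROTO` admits the port from any source address; when a service should be reachable only from a known network, ufw's `from` form (for example `sudo ufw allow from 192.0.2.0/24 to any port 8080 proto tcp`) keeps the exposure to that range.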
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
