Configure UFW Application Profiles on Ubuntu VPS: Port Management

Understanding UFW Application Profiles
UFW application profiles simplify firewall management by grouping related ports under readable names. Instead of remembering that Apache needs ports 80 and 443, you can enable the 'Apache Full' profile. This approach reduces errors and makes your VPS firewall configuration more maintainable.
Application profiles live in /etc/ufw/applications.d/ and define which ports specific services require. Ubuntu includes profiles for common services, but you can create custom ones for your hosting setup.
Viewing Available Application Profiles
Start by checking what profiles are already available on your system:
sudo ufw app list
You'll see output like this on a typical hosting server:
Available applications:
Apache
Apache Full
Apache Secure
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
Each profile targets different use cases. 'Apache Full' opens both HTTP and HTTPS, while 'Apache Secure' only allows HTTPS traffic.
Examining Profile Details
Before enabling any profile, check what ports it will open:
sudo ufw app info "Apache Full"
This shows the exact configuration:
Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web server.
Ports:
80,443/tcp
The profile name must match exactly, including capitalization and spaces. Use quotes when the name contains spaces.
How to Configure UFW Application Profiles
Enable profiles just like individual ports, but with clearer intent:
sudo ufw allow "Apache Full"
For SSH access (essential before enabling UFW):
sudo ufw allow OpenSSH
Then activate the firewall:
sudo ufw enable
Your hosting server now blocks unwanted traffic while allowing web and SSH connections. This is particularly useful when migrating sites to a new VPS, as covered in our website migration guide.
Creating Custom Application Profiles
Custom profiles help manage complex hosting setups. Create a new profile file:
sudo nano /etc/ufw/applications.d/custom-hosting
Add your profile definition:
[Custom Mail Server]
title=Custom Mail Server (SMTP, IMAP, POP3)
description=Mail server with standard ports
ports=25,587,993,995/tcp|110,143/tcp
[Development Server]
title=Development Server
description=Node.js and React dev server
ports=3000,8080/tcp
Reload UFW to recognize new profiles. The update command takes a profile name, or all for every profile, rather than the file name:
sudo ufw app update all
Now you can reference these profiles by name:
sudo ufw app list
sudo ufw allow "Custom Mail Server"
Profile Syntax and Port Specifications
UFW profiles support flexible port definitions. Single ports use simple numbers:
ports=80/tcp
Port ranges use colons:
ports=8000:8999/tcp
Separate multiple ports with commas:
ports=80,443/tcp
Mixed TCP and UDP protocols use the pipe separator:
ports=53/tcp|53/udp
This flexibility lets you create precise profiles for hosting applications that need specific port combinations.
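The syntax rules above can be checked before a file is copied into /etc/ufw/applications.d/. The following is an added example, not part of the original article and not UFW's own validator: the function names and the "Broken Range" profile are constructed, and the checks are this example's reading of the syntax described here, including the rule that a port list or range must carry /tcp or /udp.

```python
import configparser
import re

# Constructed input: one profile from this page plus a deliberately broken one.
SAMPLE = """\
[Custom Mail Server]
title=Custom Mail Server (SMTP, IMAP, POP3)
description=Mail server with standard ports
ports=25,587,993,995/tcp|110,143/tcp

[Broken Range]
title=Range without a protocol
description=Constructed error case
ports=8000:8999
"""

def parse_ports(spec):
    """Expand a ports= value into (first, last, proto) tuples; ValueError if malformed."""
    rules = []
    for group in spec.strip().split("|"):
        ports, _, proto = group.partition("/")
        if "/" in group and proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {group!r}")
        if not proto and ("," in ports or ":" in ports):
            raise ValueError(f"list or range needs /tcp or /udp: {group!r}")
        for item in ports.split(","):
            m = re.fullmatch(r"(\d{1,5})(?::(\d{1,5}))?", item)
            if not m:
                raise ValueError(f"bad port {item!r}")
            first, last = int(m[1]), int(m[2] or m[1])
            if not 1 <= first <= last <= 65535 or (m[2] and first == last):
                raise ValueError(f"port out of range in {item!r}")
            rules.append((first, last, proto or "any"))
    return rules

def lint_profiles(text):
    """Map each profile name to its expanded rules, or to an 'ERROR: ...' string."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error as exc:  # e.g. a profile name without [brackets]
        return {"<file>": f"ERROR: {type(exc).__name__}"}
    report = {}
    for name in parser.sections():
        try:
            report[name] = parse_ports(parser.get(name, "ports", fallback=""))
        except ValueError as exc:
            report[name] = f"ERROR: {exc}"
    return report
```

Calling lint_profiles(SAMPLE) returns the six expanded TCP rules for the mail profile and an error string for the range that lacks a protocol.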
Managing Profile-Based Rules
View your current UFW status to see which profiles are active:
sudo ufw status verbose
Profile-based rules appear alongside manual port rules:
Status: active

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
Remove profile rules the same way you added them:
sudo ufw delete allow "Apache Full"
Best Practices for Hosting Environments
Group related services into logical profiles. Instead of opening individual ports for a mail server, create a comprehensive mail profile. This prevents gaps in your security configuration.
Name profiles descriptively. 'Web-Server-Production' is clearer than 'WebApp' when you're troubleshooting access issues at 2 AM.
Document custom profiles in your server documentation. Include the business purpose, not just the technical details. Future administrators (including yourself) will appreciate the context.
For hosting environments serving multiple clients, consider creating tenant-specific profiles. This makes it easier to track which ports belong to which customer project.
Common Profile Troubleshooting
If UFW doesn't recognize your custom profile, check the file syntax. Missing brackets around profile names or incorrect indentation cause parsing errors.
Profile names are case-sensitive. 'apache full' won't match 'Apache Full'. Use the exact name from ufw app list.
After editing profile files, always run ufw app update to reload the definitions. UFW doesn't automatically detect changes.
Test profile rules by checking the actual port status:
sudo netstat -tlnp | grep :80
sudo netstat -tlnp | grep :443
This confirms that your web server is actually listening on the ports your profile allows.
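The same comparison can be done for every rule at once. This added example (not from the original article) cross-checks the ALLOW rules from sudo ufw status verbose against the listeners from sudo netstat -tlnp, reporting ports that are open in the firewall with nothing listening and services listening on a port no rule allows. Both sample outputs and all function names are constructed for illustration.

```python
import re

# Constructed sample of `sudo ufw status verbose` rule lines (layout as shown on this page).
UFW_STATUS = """\
22/tcp (OpenSSH)                     ALLOW IN    Anywhere
80,443/tcp (Apache Full)             ALLOW IN    Anywhere
3000,8080/tcp (Development Server)   ALLOW IN    Anywhere
"""

# Constructed sample of `sudo netstat -tlnp` listener lines.
NETSTAT = """\
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  812/sshd
tcp   0  0 0.0.0.0:80      0.0.0.0:*  LISTEN  1034/apache2
tcp   0  0 127.0.0.1:3306  0.0.0.0:*  LISTEN  990/mysqld
tcp6  0  0 :::8443         :::*       LISTEN  1500/java
"""

def allowed_tcp_ports(status_text):
    """Return {port: rule label} for every TCP port opened by an ALLOW rule."""
    allowed = {}
    for line in status_text.splitlines():
        m = re.match(r"(\S+)/tcp\s+(?:\((.+)\)\s+)?ALLOW\b", line.strip())
        if not m:
            continue  # header, separator or non-TCP line
        for item in m[1].split(","):
            first, _, last = item.partition(":")
            for port in range(int(first), int(last or first) + 1):
                allowed[port] = m[2] or "manual rule"
    return allowed

def public_listeners(netstat_text):
    """Return the set of TCP ports listening on a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not (addr.startswith("127.") or addr == "::1"):
            ports.add(int(port))
    return ports

def compare(status_text, netstat_text):
    """Return (allowed but nothing listening, listening but not allowed)."""
    allowed, listening = allowed_tcp_ports(status_text), public_listeners(netstat_text)
    unused = {p: allowed[p] for p in sorted(allowed) if p not in listening}
    blocked = sorted(listening - set(allowed))
    return unused, blocked
```

On the sample data, compare(UFW_STATUS, NETSTAT) flags 443, 3000 and 8080 as allowed with no listener and 8443 as listening without a matching rule; the loopback-only listener on 3306 is ignored because the firewall rule is irrelevant to it.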
Integration with Control Panel Security
UFW profiles work alongside control panel firewalls. If you're running cPanel or Plesk, coordinate the firewall layers to avoid conflicts.
Many hosting control panels include their own application profiles. Check our guides on Plesk firewall setup for integrated security approaches.
When migrating from shared hosting to VPS, application profiles help replicate the port access your sites expect. This reduces post-migration connectivity issues.
Frequently Asked Questions
Can I modify existing UFW application profiles?
Don't edit the default profiles in /etc/ufw/applications.d/ufw-*. Package updates will overwrite your changes. Create custom profiles instead.
How do I allow a profile from specific IP addresses only?
UFW profiles work with IP restrictions: sudo ufw allow from 192.168.1.100 to any app "Apache Full"
Can profiles include port ranges and individual ports together?
Yes, separate different port specifications with commas: ports=80,443,8000:8999/tcp
What happens if I delete a profile file that's in use?
Existing rules continue working, but you can't reference the profile name anymore. Remove the rules manually before deleting profile files.
Do UFW profiles affect IPv6 traffic?
Yes, profiles apply to both IPv4 and IPv6 by default. UFW handles the dual-stack configuration automatically.
