
UFW Firewall Setup for OpenClaw: Close Every Port You Don't Need

2026-03-17 | 6 min read


By default, a fresh Linux server has no incoming firewall rules. Every service you run listens on a port, and those ports are potentially accessible from anywhere on the internet. UFW (Uncomplicated Firewall) fixes this with a simple model: block all incoming traffic by default, then explicitly open only what you need.

The setup takes 10 minutes and blocks the entire internet from accessing anything you haven't deliberately opened.


What UFW Does

UFW is a frontend for iptables, Linux's built-in packet filtering system. It makes managing firewall rules straightforward without needing to know iptables syntax.

The default posture you want for an OpenClaw server:

  • Incoming: deny everything by default
  • Outgoing: allow everything by default (your server needs to make outgoing calls)
  • Exceptions: explicitly allow SSH (so you can manage the server) and, if not using Tailscale, your OpenClaw port

That's it. Three or four rules total, covering the entire server.


The Core Setup

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Always add SSH before enabling UFW
# (never enable UFW without allowing SSH first — you'll lock yourself out)
sudo ufw allow ssh

# Enable UFW
sudo ufw enable

# Verify it's active
sudo ufw status

The order matters. If you run ufw enable before allowing SSH, you lock yourself out of the server. Always add the SSH rule first.

When asked "Command may disrupt existing ssh connections. Proceed with operation (y|n)?", type y. As long as you've added the SSH allow rule, you won't lose your current connection.
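As an added example (not from the original guide), a small POSIX sh helper that reads the sshd port from a config file and prints the UFW commands in the lock-out-safe order. The reason: ufw allow ssh resolves to 22/tcp through /etc/services, so a daemon moved to another port needs its own rule before enable. The sshd_config path, the port 2222 in the sample and 39217 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenClaw guide: derive the SSH port from an
# sshd_config and print the ufw commands with the SSH rule before "enable".

# Print the effective sshd port: first uncommented "Port" directive,
# default 22 when the file sets none.
ssh_port_from_config() {
    port=$(awk 'tolower($1)=="port" {print $2; exit}' "$1")
    echo "${port:-22}"
}

# Print the ufw commands in order. $1 = sshd_config path,
# $2 = OpenClaw port, or empty when Tailscale carries that traffic.
ufw_plan() {
    sshport=$(ssh_port_from_config "$1")
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow ${sshport}/tcp"            # must precede enable
    [ -n "$2" ] && echo "ufw allow $2/tcp"     # only without Tailscale
    echo "ufw enable"
    echo "ufw status verbose"
}

# Constructed sample sshd_config (not a real host's file): sshd on 2222.
SAMPLE_CFG=$(mktemp)
printf '%s\n' '# Port 22' 'Port 2222' 'PermitRootLogin no' > "$SAMPLE_CFG"

ufw_plan "$SAMPLE_CFG" ""       # Tailscale case: SSH only
ufw_plan "$SAMPLE_CFG" 39217    # no Tailscale: OpenClaw port opened too
```

The script only prints the commands; review the plan, then run the lines with sudo.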


When to Open the OpenClaw Port

If you're using Tailscale: don't open the OpenClaw port. Tailscale handles its own encrypted tunnel separately from UFW. Your OpenClaw port is bound to loopback and served through Tailscale — there's no reason to expose it in UFW.

If you're not using Tailscale: you need to open the port so you can access the gateway externally:

# Replace 39217 with your actual OpenClaw port
sudo ufw allow 39217

But be aware: opening a port in UFW means that port is accessible from any IP on the internet. If you're not using Tailscale, you're relying on your gateway password as the only authentication layer. This is the scenario that produces those 42,000 exposed instances — most of which have weak or no auth on an open port.

The strongly recommended approach: use Tailscale, don't open the port in UFW.

[→ See also: How to Set Up Tailscale with OpenClaw]


Checking UFW Status

sudo ufw status verbose

A properly configured server with Tailscale looks like:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Only SSH (port 22) is open. Everything else is blocked.

A server without Tailscale that also needs OpenClaw accessible adds:

39217                      ALLOW IN    Anywhere
39217 (v6)                 ALLOW IN    Anywhere (v6)

Managing UFW Rules

List rules with numbers:

sudo ufw status numbered

Delete a rule by number:

sudo ufw delete 3

Delete a rule by specification:

sudo ufw delete allow 39217

Disable UFW temporarily (for troubleshooting):

sudo ufw disable

Re-enable:

sudo ufw enable

UFW and Tailscale: How They Interact

This confuses a lot of people. The key fact: Tailscale traffic bypasses UFW's standard rules.

Tailscale uses WireGuard, which runs on UDP port 41641. When you install Tailscale, it creates a network interface (tailscale0) and manages its own traffic routing. UFW's deny incoming default doesn't apply to traffic on that interface in the same way it applies to the public network interface.

What this means practically:

  • You don't need sudo ufw allow 41641 for Tailscale to work
  • You don't need to open your OpenClaw port if traffic comes through Tailscale
  • SSH (port 22) still needs to be explicitly allowed in UFW (Tailscale doesn't bypass SSH rules by default)

The safe rule: open SSH in UFW, nothing else, and let Tailscale handle OpenClaw traffic.


Checking What's Actually Listening

UFW tells you what's allowed. But what's actually accessible? Check with:

# Show all listening ports
sudo ss -tlnp

# Or with netstat
sudo netstat -tlnp

Look at the Local Address column:

  • 0.0.0.0:PORT — listening on all interfaces (potentially accessible externally if UFW allows it)
  • 127.0.0.1:PORT — listening only on loopback (only accessible locally, safe)
  • :::PORT or [::]:PORT — the IPv6 equivalent of 0.0.0.0 (all interfaces; netstat prints the first form, ss the second)

With a properly configured OpenClaw on Tailscale, your OpenClaw port should show 127.0.0.1:PORT — not 0.0.0.0:PORT.
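To make that check repeatable, here is an added POSIX sh helper (not from the original guide) that classifies each listener in ss -tlnp or netstat -tlnp output and lists the ports bound to all interfaces. The sample ss output, its pids and the 39217 port are constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenClaw guide: flag listeners bound to
# 0.0.0.0 or [::] so an OpenClaw port that should sit on loopback stands out.

# Map one Local Address value (ss or netstat form) to a bind class.
classify_bind() {
    case "$1" in
        127.*:*|\[::1\]:*|::1:*)       echo loopback ;;        # local only
        0.0.0.0:*|\[::\]:*|:::*|\*:*)  echo all-interfaces ;;  # UFW decides
        *)                             echo specific ;;        # one address
    esac
}

# Print "<class> <port> <local address>" per LISTEN row read on stdin.
# Both tools put the local address in column 4; header lines are skipped.
audit_listeners() {
    while read -r col1 rq sq laddr rest; do
        case "$col1" in LISTEN|tcp|tcp6) ;; *) continue ;; esac
        echo "$(classify_bind "$laddr") ${laddr##*:} $laddr"
    done
}

# Distinct ports reachable from outside if UFW allows them.
exposed_ports() {
    audit_listeners | awk '$1=="all-interfaces" {print $2}' | sort -un
}

# Constructed ss -tlnp output: sshd on all interfaces, OpenClaw on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:39217     0.0.0.0:*     users:(("node",pid=1450,fd=18))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))'

printf '%s\n' "$SAMPLE_SS" | audit_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_ports
```

On a live server, pipe sudo ss -tlnp into audit_listeners and compare exposed_ports against the rules in sudo ufw status.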


Troubleshooting

Locked yourself out (forgot to allow SSH before enabling):

Use your VPS provider's browser-based console. From there:

sudo ufw allow ssh
sudo ufw enable

UFW enable fails:

sudo apt update && sudo apt install ufw -y

"ufw: command not found" on minimal installs:

sudo apt-get install ufw

UFW is active but seems to not be blocking:

# Check that UFW is actually loaded in iptables
sudo iptables -L | head -20

# Reload UFW
sudo ufw reload

The Complete UFW Setup for OpenClaw

For a server using Tailscale (recommended):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose

For a server without Tailscale:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow YOUR_OPENCLAW_PORT
sudo ufw enable
sudo ufw status verbose

Key Takeaways

  • UFW's default deny incoming posture closes every port on the server — attackers have nothing to probe
  • Always add ufw allow ssh before running ufw enable — failing to do this locks you out
  • With Tailscale: only SSH needs to be open; Tailscale handles OpenClaw traffic outside UFW's standard rules
  • Without Tailscale: you must open the OpenClaw port, which makes it internet-accessible (your gateway password is the only auth)
  • Use sudo ufw status verbose to see active rules, sudo ss -tlnp to see what's actually listening
  • Check Local Address in ss output: 127.0.0.1:PORT is safe, 0.0.0.0:PORT means the port is accessible externally

Skip the setup entirely

OpenClaw Cloud handles hosting, updates, and configuration for you — ready in 2 minutes.