# Configuring a Linux firewall with UFW: essential rules

By Syswork México, 2026-03-01

*A step-by-step guide to configuring UFW (Uncomplicated Firewall) on Ubuntu and Debian with the essential rules for protecting production servers.*

A server exposed to the internet without a firewall is an open invitation. Every minute your server is online, automated bots scan ports, attempt SSH brute-force logins, and look for misconfigured services. UFW (Uncomplicated Firewall) is the standard tool on Ubuntu and Debian for closing everything you don't need and leaving open only what is essential.

In this guide you will configure UFW from scratch with the rules every production server needs.

## Prerequisites

You need a server running Ubuntu 20.04+ or Debian 11+ and SSH access with sudo privileges. UFW comes preinstalled on Ubuntu; on Debian, install it with:

```bash
sudo apt update && sudo apt install ufw -y
```

> **Important!** Before enabling UFW, make sure you create the SSH rule. If you activate the firewall without allowing SSH, you will lose access to the server.

## Step 1: Check the current status

```bash
sudo ufw status verbose
```

If you have never configured UFW, you will see `Status: inactive`. Good: we are going to configure it before activating it.

## Step 2: Set the default policies

The correct firewall philosophy is to **deny everything by default** and allow only what is necessary:

```bash
# Block all incoming traffic
sudo ufw default deny incoming

# Allow all outgoing traffic
sudo ufw default allow outgoing
```

With this, no service is reachable from outside until you explicitly allow it.

## Step 3: Allow SSH (before activating)

This is the most important rule. Without it, you are locked out of the server:

```bash
# SSH on the standard port (22)
sudo ufw allow ssh

# Or, if you changed the SSH port (recommended in production)
sudo ufw allow 2222/tcp comment 'SSH puerto custom'
```

> **Best practice:** Changing the SSH port from 22 to another number drastically reduces automated brute-force attempts. It is not real security (a port scan will find it), but it eliminates 99% of the noise in your logs.

## Step 4: Activate UFW

Now, with SSH allowed, activate the firewall:

```bash
sudo ufw enable
```

UFW warns you that it may interrupt SSH connections. Since you already created the rule, confirm with `y`. Verify:

```bash
sudo ufw status numbered
```

You should see your SSH rule listed.

## Step 5: Add rules for your services

Now add rules only for the services your server needs to expose. Here are the most common ones:

### Web server (HTTP and HTTPS)

```bash
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
```

### PostgreSQL database (only from specific IPs)

```bash
# NEVER open the database to the whole internet
# Allow only from your application server
sudo ufw allow from 10.0.1.10 to any port 5432 comment 'PostgreSQL desde app server'
```

### MySQL database (only from specific IPs)

```bash
sudo ufw allow from 10.0.1.10 to any port 3306 comment 'MySQL desde app server'
```

### Redis (only from the local network)

```bash
sudo ufw allow from 10.0.1.0/24 to any port 6379 comment 'Redis desde red interna'
```

### Monitoring (Zabbix agent)

```bash
sudo ufw allow from 10.0.1.5 to any port 10050 comment 'Zabbix agent'
```

## Advanced rules

### Allow a port range

```bash
sudo ufw allow 8000:8100/tcp comment 'Rango de puertos para apps'
```

### Limit connection attempts (rate limiting)

UFW can limit connections per IP, which is useful for protecting SSH without needing fail2ban:

```bash
# Maximum of 6 connections in 30 seconds per IP
sudo ufw limit ssh comment 'Rate limit SSH'
```

If an IP attempts more than 6 connections in 30 seconds, UFW blocks it temporarily.

### Block a specific IP

```bash
# Block an IP that is attacking
sudo ufw deny from 203.0.113.50 comment 'IP bloqueada por ataque'

# Block an entire subnet
sudo ufw deny from 203.0.113.0/24 comment 'Subred bloqueada'
```

### Allow traffic only on a network interface

```bash
# Allow PostgreSQL only on the internal network interface
sudo ufw allow in on eth1 to any port 5432 comment 'PostgreSQL solo red interna'
```

## Managing existing rules

### View numbered rules

```bash
sudo ufw status numbered
```

Example output:

```text
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere        # SSH
[ 2] 80/tcp                     ALLOW IN    Anywhere        # HTTP
[ 3] 443/tcp                    ALLOW IN    Anywhere        # HTTPS
[ 4] 5432                       ALLOW IN    10.0.1.10       # PostgreSQL desde app
```

### Delete a rule

```bash
# By number
sudo ufw delete 4

# By definition
sudo ufw delete allow 80/tcp
```

### Reset everything

```bash
# Deletes all rules and disables UFW
sudo ufw reset
```

## Complete configuration for a typical server

Here is an example of a complete configuration for a server running a web application with [PostgreSQL](/tecnologias/postgresql), [Redis](/tecnologias/redis) and monitoring:

```bash
#!/bin/bash
# setup-firewall.sh: UFW configuration for a production server

set -e

# Reset
sudo ufw --force reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH (change the port in production)
sudo ufw limit 22/tcp comment 'SSH con rate limit'

# Web
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'

# PostgreSQL only from the app server
sudo ufw allow from 10.0.1.10 to any port 5432 comment 'PostgreSQL'

# Redis only from the internal network
sudo ufw allow from 10.0.1.0/24 to any port 6379 comment 'Redis'

# Zabbix agent from the monitoring server
sudo ufw allow from 10.0.1.5 to any port 10050 comment 'Zabbix'

# Activate
sudo ufw --force enable

# Verify
sudo ufw status verbose

echo "Firewall configurado correctamente."
```

Save it as a script so you can reproduce the configuration on any new server.

## Verify that it works

After configuring UFW, verify from another machine that only the allowed ports are open:

```bash
# From another machine, scan the server's ports
nmap -Pn tuservidor.com
```

You should see only the ports you opened (22, 80, 443). Everything else should appear as `filtered`.

## Next steps

UFW is your first line of defense. To complete your server's security:

- **fail2ban**: automatic blocking of IPs that attempt brute force against SSH, Nginx or any other service
- **SSH hardening**: disable password access, keys only, change the port and disable root login
- **Automatic updates**: `unattended-upgrades` so that security patches are applied on their own
- **[Complete cybersecurity](/servicios/ciberseguridad)**: professional audit, pentesting and hardening based on CIS benchmarks

## FAQ

### Is UFW enough to protect a production server?

UFW is an essential layer of protection, but it is not the only one you need. A secure server combines UFW with operating system hardening, security updates, key-only SSH access, fail2ban to block brute-force attacks, and log monitoring. UFW is the first step, not the only one.

### Can I lock myself out if I misconfigure UFW?

Yes. If you enable UFW without first creating a rule for SSH, you will lose remote access to the server. That is why the first rule is always to allow SSH before activating the firewall. If you work with a cloud provider, most offer an emergency web console to recover access.

### Does UFW work with Docker?

Docker modifies iptables directly and can bypass UFW's rules. If you use Docker, you need additional configuration for UFW to control container traffic. The most common solution is to modify /etc/docker/daemon.json to disable Docker's iptables manipulation and manage the rules manually.

### What is the difference between UFW and iptables?

iptables is the real firewall of the Linux kernel: powerful but complex. UFW is a simplified interface on top of iptables that translates readable commands into iptables rules. For most servers, UFW is sufficient and much easier to administer.