UFW: simple, predictable, enough
You do not need fancy firewalls for an OpenClaw VPS. UFW + Caddy + a few rules is enough.
Default deny inbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow only what you need
sudo ufw allow 2222/tcp comment 'SSH (custom port)'
sudo ufw allow 80/tcp comment 'HTTP (Caddy ACME)'
sudo ufw allow 443/tcp comment 'HTTPS (Caddy)'
Before you enable, confirm sshd is really listening on 2222 (ss -ltn | grep :2222); if it is still on 22, enabling UFW with these rules locks you out of the VPS.
sudo ufw enable
sudo ufw status verbose
What this gets you
- Port 7777 (OpenClaw raw): closed from the outside; reachable only on localhost, which is where Caddy proxies to it
- Anything Ollama exposes: closed; bind it to 127.0.0.1 and never expose it
- Random other ports: closed by default
Verifying
From your laptop:
nmap -Pn -p- <vps-ip>
Only 2222, 80 and 443 should show as open. If you see anything else, find the listener on the VPS (ss -ltnp) and close it, either by binding the service to 127.0.0.1 or by stopping it. Do not rely on ufw status alone for this: a container runtime that publishes ports (Docker, for example) inserts its own iptables rules ahead of UFW's, so a port can be open to the world while UFW reports nothing. The scan from outside is the ground truth.
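As an added example (not from this lesson, and not OpenClaw, Caddy or UFW code), the script below automates that check from both sides: it reads an nmap scan and lists open ports that are not on the allowlist, and it reads the VPS's own listener table and lists anything bound to a non-loopback address that the firewall was never meant to expose. It assumes the scan was saved in nmap's grepable format (nmap -Pn -p- -oG scan.gnmap <vps-ip>) and the listener table came from ss -Hltn; both inputs here are constructed samples so it runs offline, showing a VPS that leaked 7777 (OpenClaw raw) and 11434 (Ollama's default port).

```shell
#!/bin/sh
# Added example: check the lesson's allowlist (2222, 80, 443) from the
# outside (nmap) and the inside (ss). Sample inputs are constructed.

ALLOWED_PORTS="2222 80 443"

# Open TCP ports from an nmap -oG file, one per line.
open_ports() {
  # A grepable "Ports:" line looks like:
  #   Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
  # Each entry is port/state/proto/owner/service/rpcinfo/version/.
  grep -h 'Ports:' "$1" \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/[ \t]/, "", $1); print $1 }'
}

# Open ports from the scan that are not in ALLOWED_PORTS (empty output = clean).
unexpected_ports() {
  open_ports "$1" | while read -r port; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;        # public by design
      *) echo "$port" ;;     # leaked: find the listener and close it
    esac
  done
}

# Listeners from `ss -Hltn` output (column 4 is Local Address:Port) that are
# bound to something other than loopback and are not in ALLOWED_PORTS.
exposed_listeners() {
  awk -v allowed=" $ALLOWED_PORTS " '{
    addr = $4
    n = split(addr, p, ":")
    port = p[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host == "127.0.0.1" || host == "[::1]") next   # loopback only: fine
    if (index(allowed, " " port " ") > 0) next         # allowed through UFW
    print port, host
  }' "$1"
}

# Constructed sample scan of a misconfigured VPS (203.0.113.10 is a
# documentation address): the three allowed ports plus 7777 and 11434.
SAMPLE_SCAN=$(mktemp)
SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_SCAN" "$SAMPLE_SS"' EXIT
cat > "$SAMPLE_SCAN" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p- -oG scan.gnmap 203.0.113.10
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 80/open/tcp//http///, 443/open/tcp//https///, 2222/open/tcp//ssh///, 7777/open/tcp//unknown///, 11434/open/tcp//unknown///   Ignored State: filtered (65530)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# Constructed `ss -Hltn` output from the same VPS: Ollama correctly on
# loopback, OpenClaw raw wrongly on all interfaces.
cat > "$SAMPLE_SS" <<'EOF'
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 128  0.0.0.0:2222    0.0.0.0:*
LISTEN 0 4096 0.0.0.0:7777    0.0.0.0:*
LISTEN 0 4096 *:443           *:*
LISTEN 0 4096 [::]:80         [::]:*
EOF

report() {
  leaked=$(unexpected_ports "$SAMPLE_SCAN")
  if [ -n "$leaked" ]; then
    echo "Open from outside but not allowed: $(echo "$leaked" | tr '\n' ' ')"
  else
    echo "Outside view: only allowed ports are open."
  fi
  echo "Listeners to fix (bind to 127.0.0.1 or stop them):"
  exposed_listeners "$SAMPLE_SS" | sed 's/^/  /'
}
report
```

For a real run, replace the two constructed files with the output of nmap -Pn -p- -oG scan.gnmap <vps-ip> from your laptop and ss -Hltn > listeners.txt on the VPS. The two views should agree; if nmap shows a port that ss says is bound to 127.0.0.1, something between the VPS and the internet (a container port mapping, a second host) is doing the exposing.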
When the rules need to change
- Adding a new public service: add the ufw rule for its port, add a Caddy site block, reload Caddy
- Temporary allow during debugging (only useful if OpenClaw is listening on a non-loopback address; bound to 127.0.0.1 there is nothing for the rule to reach):
sudo ufw allow from <my-ip> to any port 7777
- After debugging:
sudo ufw delete allow from <my-ip> to any port 7777
Try it
Run nmap against your VPS now. Screenshot the result. After the next lesson, run it again and compare.