
Port Patrol

Defend your server through 5 waves of incoming connections. Read the scenario, tick the UFW rules you want enabled, then launch the wave. Each connection animates through your firewall live.


Lock down the door

teaches default deny + allow one port

You run a simple public website on port 80. The host has no other services. Block everything else.


What is Port Patrol?

Port Patrol is a browser game that teaches UFW, the Uncomplicated Firewall, through five waves of incoming traffic. Each wave gives you a scenario, a list of candidate UFW rules to tick, and a mix of legitimate users, attackers, and port scanners. Launch the wave and watch every connection get evaluated against your chosen rules live. You clear a wave by handling every connection correctly — blocking the attacks without locking out the real users.

What is UFW and how does it relate to iptables?

UFW (Uncomplicated Firewall) is the friendly front end that ships with Ubuntu and Debian. Commands like sudo ufw allow 22/tcp are translated into iptables or nftables rules underneath, so you get kernel-level packet filtering without writing raw chains by hand. Check what is active with sudo ufw status verbose. UFW manages its own rule chains, so mixing hand-written iptables rules with UFW on the same machine is a frequent source of confusion.

What does default deny incoming mean?

sudo ufw default deny incoming drops every inbound connection unless a rule explicitly allows it, while outgoing traffic stays open. This deny-by-default posture is the foundation of the whole game — and of real server hardening. Instead of chasing every port an attacker might probe, you start from zero and open only what your services actually need: perhaps 22 for SSH, 80 and 443 for the web stack, and nothing else.

How do I allow SSH from only one IP address?

Use a source-restricted rule: sudo ufw allow from 203.0.113.50 to any port 22 proto tcp. Only that address can reach SSH; everyone else hits the default deny. Widen it to an office network with CIDR notation, such as from 203.0.113.0/24. Wave 3 drills exactly this pattern, and wave 4 applies the same idea to a database port that should only ever accept connections from its application server.

Can I lock myself out with a firewall?

Easily — it is the classic UFW mistake. Running sudo ufw enable before adding an allow rule for port 22 drops your own SSH session along with everything else. The safe order is ufw allow OpenSSH first, enable second. On real servers, keep a console session open through your hosting provider while testing changes. Port Patrol lets you make this exact mistake consequence-free: a blocked legitimate user only costs you the wave, not server access.
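A pre-flight check for the lockout described above, as an added example that is not Port Patrol's own code: it models only the two allow forms shown on this page under default deny incoming (IPv4 only, not ufw's real parser) and reports any connection whose verdict differs from what you intend. The addresses and the database port 5432 are constructed assumptions.

```python
import ipaddress
import re

# Simplified model of the rule forms used on this page (IPv4 only); not ufw's own parser.
PORT_RULE = re.compile(r"^allow (\d+)/(tcp|udp)$")
SRC_RULE = re.compile(r"^allow from (\S+) to any port (\d+) proto (tcp|udp)$")

def parse_rule(text):
    """Turn one rule string (without the 'sudo ufw' prefix) into (network, port, proto)."""
    m = PORT_RULE.match(text)
    if m:
        return ipaddress.ip_network("0.0.0.0/0"), int(m.group(1)), m.group(2)
    m = SRC_RULE.match(text)
    if m:
        return ipaddress.ip_network(m.group(1), strict=False), int(m.group(2)), m.group(3)
    raise ValueError(f"unsupported rule form: {text!r}")

def verdict(rules, src, port, proto="tcp"):
    """Default deny incoming: allow only if a rule matches source, port and protocol."""
    addr = ipaddress.ip_address(src)
    for net, rule_port, rule_proto in rules:
        if addr in net and port == rule_port and proto == rule_proto:
            return "ALLOW"
    return "DENY"

def preflight(rule_texts, expectations):
    """Return the connections whose verdict differs from what the operator intends."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(src, port, want) for src, port, want in expectations
            if verdict(rules, src, port) != want]

# Constructed plan: web open to all, SSH for the office subnet, database (5432 assumed) for one app host.
PLAN = [
    "allow 80/tcp",
    "allow 443/tcp",
    "allow from 203.0.113.0/24 to any port 22 proto tcp",
    "allow from 198.51.100.10 to any port 5432 proto tcp",
]
# Constructed expectations: (source, destination port, intended verdict).
EXPECT = [
    ("203.0.113.50", 22, "ALLOW"),     # admin inside the office subnet
    ("192.0.2.77", 22, "DENY"),        # SSH attempt from elsewhere
    ("192.0.2.77", 443, "ALLOW"),      # ordinary web visitor
    ("198.51.100.10", 5432, "ALLOW"),  # app server reaching the database
    ("192.0.2.77", 5432, "DENY"),      # database probe from elsewhere
    ("192.0.2.77", 3306, "DENY"),      # port that was never opened
]
if __name__ == "__main__":
    print(preflight(PLAN, EXPECT) or "plan matches intent")
    print(preflight([r for r in PLAN if "port 22" not in r], EXPECT))
```

The second call drops the SSH rule from the plan and returns the admin connection as a mismatch, which is the lockout you would otherwise discover only after sudo ufw enable.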

What do the five waves teach?

Wave 1 covers default deny plus allowing a single port. Wave 2 adds multiple allow rules for an HTTP-and-HTTPS stack. Wave 3 introduces source-restricted SSH so only your office subnet gets in. Wave 4 locks a database port down to a single application host. Wave 5 combines everything into a full production stack. A hint button highlights recommended rules, you can retry or skip any wave, and progress is tracked across your session.

Is this a real firewall?

No — it is a simulation that runs entirely in your browser. No packets are sent, no server is configured, and nothing you do here can break a machine. That is the point: you can experiment with rule combinations that would be risky to try on a live host. When you are ready for the real thing, the rules you practiced map one-to-one onto actual ufw commands you can run on any Ubuntu or Debian server.