UFW firewall for PicoClaw servers

UFW is a simple front-end to iptables. Before exposing PicoClaw, set the default policy for incoming traffic to deny and allow only SSH, HTTPS, and any custom webhook ports you truly need.

1. Safe order

Add the SSH allow rule first and only then enable UFW, so the default-deny policy does not lock you out of your own session. Use limit rules for SSH where appropriate.

2. Webhook ports

If PicoClaw listens on a high port behind nginx/Caddy, you may not need a public rule for it at all—only the reverse proxy port.

3. Tailnet-only services

Combine with Tailscale so sensitive admin UIs never touch the public internet.
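
The ordering from sections 1 to 3 as a dry-run script; this is an added example, not PicoClaw's own tooling. SSH on port 22, an admin UI on port 8080, and the `tailscale0` interface name are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: emits UFW commands in lockout-safe order; dry run by default.
# Assumptions (not from the page): SSH on 22/tcp, Tailscale interface
# tailscale0, and whatever port numbers the caller passes in.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSH_PORT "PUBLIC_WEBHOOK_PORTS" "TAILNET_ONLY_PORTS"
ufw_plan() {
    ssh_port=$1; public_ports=$2; tailnet_ports=$3
    valid_port "$ssh_port" || { echo "invalid SSH port: $ssh_port" >&2; return 1; }
    for p in $public_ports $tailnet_ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # The SSH rule is in place before the firewall is switched on.
    echo "ufw limit ${ssh_port}/tcp"
    echo "ufw allow 443/tcp"
    # Only ports that are NOT fronted by the reverse proxy belong here.
    for p in $public_ports; do echo "ufw allow ${p}/tcp"; done
    # Admin UIs are reachable over the tailnet interface only.
    for p in $tailnet_ports; do
        echo "ufw allow in on tailscale0 to any port ${p} proto tcp"
    done
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# APPLY=1 runs the plan with sudo; anything else only prints it for review.
run_plan() {
    plan=$(ufw_plan "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$plan" | while read -r cmd; do sudo $cmd </dev/null || exit 1; done
    else
        echo "$plan"
    fi
}

# PicoClaw behind nginx/Caddy: no public webhook port, admin UI on the tailnet.
run_plan 22 "" "8080"
```

Review the printed plan, then rerun with `APPLY=1` from a session you can afford to lose, keeping a second SSH session open until `ufw status verbose` shows the SSH rule.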
