Minimalistic UFW config for K3s
If you install Kubernetes (K3s in my case) and hit an error like:
2025-11-04T11:43:39Z ERR Error watching kubernetes events error=
"could not retrieve server version: Get \"https://10.43.0.1:443/version\":
dial tcp 10.43.0.1:443: connect: connection refused" providerName=kubernetes
…it might be your firewall. That was the issue on my node.
I had a very restrictive UFW configuration, only allowing 80/tcp, 443/tcp, and 22/tcp. But Kubernetes needs additional ports and internal ranges to function correctly.
The K3s documentation for Ubuntu/Debian recommends opening:
ufw allow 6443/tcp #apiserver
ufw allow from 10.42.0.0/16 to any #pods
ufw allow from 10.43.0.0/16 to any #services
If you want a minimalistic but functional setup, you can refine the rules using the official inbound rules table. Here is the configuration I personally use:
# --- RESET & BASELINE RULES ---
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
# --- PUBLIC SERVICES: HTTP, HTTPS, SSH ---
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
# --- INTERNAL CLUSTER NETWORK (10.42.0.0/16) ---
# K3s / Kubernetes API
sudo ufw allow from 10.42.0.0/16 to any port 6443 proto tcp
# Kubelet metrics
sudo ufw allow from 10.42.0.0/16 to any port 10250 proto tcp
# Flannel VXLAN
sudo ufw allow from 10.42.0.0/16 to any port 8472 proto udp
# --- LOCALHOST ACCESS ---
sudo ufw allow in on lo
# --- ENABLE FIREWALL ---
sudo ufw enable
sudo ufw status numbered
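As an added check (not part of the original post), the script below audits a `ufw status` listing for the pod-restricted rules configured above, so a node can be verified after the rules are applied. The listing, the helper names `has_rule` and `check_k3s_rules`, and `SAMPLE_STATUS` are my own constructions; the sample deliberately lacks the Flannel VXLAN rule, and a rule opened to Anywhere instead of the pod CIDR is reported as missing rather than accepted.

```shell
#!/bin/sh
# Added example: audit a `ufw status` listing for the K3s rules configured above.
# SAMPLE_STATUS is a constructed listing in the format `sudo ufw status` prints;
# it deliberately lacks the 8472/udp (Flannel VXLAN) rule. On a real node use
# "$(sudo ufw status)" instead.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
6443/tcp                   ALLOW       10.42.0.0/16
10250/tcp                  ALLOW       10.42.0.0/16
Anywhere on lo             ALLOW       Anywhere'

POD_CIDR="10.42.0.0/16"

# has_rule STATUS TO FROM: succeeds if an ALLOW line has exactly that To and From.
# Columns are compared exactly, so "6443/tcp ALLOW Anywhere" does not satisfy a
# check for the pod-restricted rule.
has_rule() {
    printf '%s\n' "$1" | awk -v to="$2" -v from="$3" '
        /ALLOW/ { line = $0
                  sub(/[ \t]+ALLOW( IN)?[ \t]+/, "|", line)
                  split(line, col, "|")
                  if (col[1] == to && col[2] == from) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_k3s_rules STATUS: prints each missing rule; exit status = number missing.
check_k3s_rules() {
    status="$1"
    missing=0
    while IFS='|' read -r to from why; do
        if ! has_rule "$status" "$to" "$from"; then
            echo "MISSING: $to from $from ($why)"
            missing=$((missing + 1))
        fi
    done <<EOF
6443/tcp|$POD_CIDR|K3s API server
10250/tcp|$POD_CIDR|kubelet
8472/udp|$POD_CIDR|Flannel VXLAN
Anywhere on lo|Anywhere|loopback
EOF
    return $missing
}

check_k3s_rules "$SAMPLE_STATUS" || echo "$? rule(s) missing"
```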
Briefly Explaining the Rules
What is 10.42.0.0/16?
10.42.0.0/16 is a CIDR range. It describes all IP addresses from 10.42.0.0 to 10.42.255.255.
This is the default pod network managed by K3s (via Flannel). Any pod-to-pod or pod-to-node traffic happens inside this range. Blocking it would break the cluster.
What does a rule like sudo ufw allow from 10.42.0.0/16 to any port 6443 proto tcp actually do?
This rule:
allow: accepts incoming packets
from 10.42.0.0/16: whose source IP is in the 10.42.0.0/16 pod network
to any: destined to any local network interface
port 6443 proto tcp: on TCP port 6443 (the Kubernetes API server)
In other words: “Allow traffic from pods to talk to the API server.” Without this, nodes and control-plane components can’t communicate.
What does sudo ufw allow in on lo mean?
The rule simply says: “Allow local traffic.” Piece by piece:
in → the direction: allow packets entering the firewall
on → specify the network interface
lo → the loopback interface (localhost)
Many applications expect to freely talk to 127.0.0.1. Blocking it would break them.