> block everything, allow this handful of ports
This is trivial.
ufw default deny incoming ufw allow 22