Does order of UFW rules matter?


Solution 1

Does the order of the rules actually matter?

Yes, it does. Denies should be first in this case since they are more specific (more specific rules should go first). Example

Is there a more effective way to handle spammy requests than manually

fail2ban can scan logs, and add IPs to many types of filtering systems that match defined patterns.

Solution 2

You can instruct ufw to insert rules at a given position:

ufw insert 1 deny from <ip> to any

This inserts the deny rule in first position instead of last.
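
The first-match behaviour both answers rely on, shown as an added example that is not part of either answer: a simplified Python model of ordered rule evaluation, run over a constructed excerpt of the status table from the question. The function names, the `198.51.100.7` test client and the parsing shortcuts are assumptions of this sketch, not ufw's own code.

```python
import ipaddress

# Constructed sample modelled on the `ufw status verbose` table in the question.
STATUS = """\
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   DENY IN     125.39.22.154
Anywhere                   DENY IN     222.124.200.250
"""

def parse_rules(text):
    """Turn 'To  Action IN  From' rows into (port_proto, action, source_net) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "IN":
            continue  # headers, separators and rows this simplified model does not handle
        to, action, _, src = parts
        net = None if src == "Anywhere" else ipaddress.ip_network(src, strict=False)
        rules.append((None if to == "Anywhere" else to, action, net))
    return rules

def decide(rules, src_ip, port, proto, default="DENY"):
    """Walk the rules top to bottom; the first rule that matches decides."""
    addr = ipaddress.ip_address(src_ip)
    for index, (to, action, net) in enumerate(rules, start=1):
        if to is not None and to != f"{port}/{proto}":
            continue  # rule is for a different port/protocol
        if net is not None and addr not in net:
            continue  # rule is for a different source
        return action, index
    return default, None  # nothing matched: default incoming policy applies

def insert_rule(rules, position, rule):
    """Model of `ufw insert <position> ...` (positions are 1-based)."""
    return rules[:position - 1] + [rule] + rules[position - 1:]

rules = parse_rules(STATUS)
banned = "125.39.22.154"
# Appended deny: the broader 80/tcp allow at position 1 matches first.
print(decide(rules, banned, 80, "tcp"))
# Same deny inserted at position 1: it now matches before the allow.
fixed = insert_rule(rules, 1, (None, "DENY", ipaddress.ip_network(banned)))
print(decide(fixed, banned, 80, "tcp"))
# Any other client (constructed address) still reaches the allow rule.
print(decide(fixed, "198.51.100.7", 80, "tcp"))
```

The same check applies to a real host by reading positions from `ufw status numbered`: a deny only takes effect for a port if it sits above every allow that also matches that traffic.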

Author by

Thank you

Updated on September 18, 2022

Comments

  • Thank you
    Thank you almost 2 years

    When I first initialized my ufw, I did

    ufw default allow outgoing
    ufw default deny incoming
    ufw allow 80/tcp
    ufw allow 22/tcp
    

    Over the last week or so, I've been going through my access logs and banning IPs that are making malicious requests on my server.

    I'd do so using

    ufw deny from <ip>
    

    Here's my ufw status verbose

    All the IPs pasted here are from sick-filth spammers; take no pity on them

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    80/tcp                     ALLOW IN    Anywhere
    22/tcp                     ALLOW IN    Anywhere
    Anywhere                   DENY IN     125.39.22.154
    Anywhere                   DENY IN     222.124.200.250
    Anywhere                   DENY IN     101.60.178.197
    Anywhere                   DENY IN     115.184.115.200
    Anywhere                   DENY IN     93.174.93.129
    ... more ips ...
    80/tcp (v6)                ALLOW IN    Anywhere (v6)
    22/tcp (v6)                ALLOW IN    Anywhere (v6)
    

    Question

    What I'm noticing is that the ALLOW actions are before the DENY actions.

    Does the order of the rules actually matter? Or can I rest peacefully knowing that my IP block has worked?

    Side question: Is there a more effective way to handle spammy requests than manually grepping access/error logs for malicious requests and blocking those IPs from making future requests?

  • jbobbins
    jbobbins almost 4 years
    The example page you reference says "you must put the specific rules first". So if I wanted to deny from all except for a few trusted IP addresses, I would actually put the allow rules first, correct?
  • Zoredache
    Zoredache almost 4 years
    Yes, in that case you want your allow rules first.