(UFW) allow incoming and outgoing connections to specific IP, deny everything else

7,688

There's an implicit "deny from all" (inbound) when using UFW, so you don't need to add a rule to do that. (And also an implicit "allow all outbound".)

If you don't specify a protocol when adding the UFW rule, it applies to TCP and UDP. Similarly, if you don't specify a port, it means "all ports".

This means ufw allow from 1.1.1.1 is shorthand for "allow from 1.1.1.1 to any interface, any port, any protocol".

You can inspect the resulting ruleset with iptables -L.

Author: Bluuee (updated on September 18, 2022)

Comments

  • Bluuee
    Bluuee over 1 year

    I'm trying to set up a UFW firewall like this:

    • Allow all incoming and outgoing connections to IP 1.1.1.1 (all ports);
    • Deny all other connections (incoming and outgoing);

    For the first item, the command below seems to work just fine: sudo ufw allow from 1.1.1.1

    The status of UFW after that shows:

    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW IN    1.1.1.1

    Do I need a port range for that? Or specify both UDP and TCP protocols?

    -

    Now, for the second item. Is it possible just to say "deny everything else" with UFW?

    Or can I use some sort of wildcard? Like "deny from [^1.1.1.1]". (I tried.)

  • Bluuee
    Bluuee over 4 years
    I need to deny inbound AND outbound, excluding the specific IP address. Would I also have to use "sudo ufw default deny outgoing"? Does the "allow" command overrule the "deny" command?
  • Keith
    Keith over 4 years
    Yes, if you really want to deny all outbound connections, that is what you would do. There is no precedence of "allow" over "deny" commands. The order you specify them determines the precedence. When inserting rules, you can specify where to insert them, like "insert 1 deny from x.x.x.x".