UFW Firewall Rules ordering?


Solution 1

If you're interested in reordering your UFW rules, this is one way to do it.

$ sudo ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] Anywhere                   DENY IN     [ip-to-block]

Say you accidentally added a rule to the end, but you wanted it up top.

First you will have to remove it from the bottom (7) and add it back.

$ sudo ufw delete 7

Note: be careful when removing multiple rules one after another; their positions can change!

Add back your rule to the very top (1):

$ sudo ufw insert 1 deny from [ip-to-block] to any
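An added example, not code from any of the answers on this page: a POSIX shell script that parses the `ufw status numbered` listing (the `[ N] ...` line format is assumed from the output shown above) and prints the delete and insert commands needed to move a deny rule to position 1. It goes slightly beyond the single rule in the answer: when several rules match, the deletes are emitted highest number first, because ufw renumbers only the rules after the one just deleted, so that order cannot hit the wrong rule. The function names are my own, and the sample listing and its addresses are constructed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original answers). Parses `ufw status numbered`
# output and prints, but does not run, the ufw commands to move deny rules
# to the top of the list.

# Constructed sample of `sudo ufw status numbered` output; the blocked
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] Anywhere                   DENY IN     203.0.113.45
[ 8] Anywhere                   DENY IN     198.51.100.7'

# rule_numbers_matching STATUS_TEXT PATTERN
# Prints the numbers of the rules whose line contains PATTERN (a fixed
# substring), highest first. Deleting in that order keeps the remaining
# numbers valid: ufw renumbers only the rules after the one just deleted.
rule_numbers_matching() {
    printf '%s\n' "$1" \
        | grep -F -- "$2" \
        | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' \
        | sort -rn
}

# delete_commands STATUS_TEXT PATTERN
# Emits one "sudo ufw delete N" per matching rule, highest N first.
delete_commands() {
    for n in $(rule_numbers_matching "$1" "$2"); do
        echo "sudo ufw delete $n"
    done
}

# move_deny_to_top STATUS_TEXT SOURCE_ADDRESS
# Emits the commands to remove the existing deny rule(s) for SOURCE_ADDRESS
# and re-add one deny rule at position 1, as the answer describes.
move_deny_to_top() {
    delete_commands "$1" "$2"
    echo "sudo ufw insert 1 deny from $2 to any"
}

# Print the plan for the sample listing. Against a live box, review the
# output first, then run it with:
#   move_deny_to_top "$(sudo ufw status numbered)" 203.0.113.45 | sh
move_deny_to_top "$SAMPLE_STATUS" 203.0.113.45
```

The match is a plain substring match on the whole rule line, so pass the full address (or a distinctive string such as `DENY IN`) rather than a prefix, and always read the printed plan before piping it to `sh`.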

Solution 2

The command ufw status verbose will show you the default rule. For your configuration you probably want it to say

Default: deny (incoming), allow (outgoing)

In that case, you don't need a separate 'deny everything' rule, and the order of your other rules doesn't matter. If you do want to change the order, you can add a rule at a specific place by using ufw insert [position] [rule text]. You can get a numbered list of rules with ufw status numbered.

Solution 3

If you are familiar with the format of the rules generated by the iptables-save command, you can just edit the config files for ufw in /etc/ufw/user.rules and /etc/ufw/user6.rules. Even if you aren't, for every user-added rule there is a comment showing the matching ufw command for your reference.
Change the order as you desire and save the file. Then run sudo ufw reload, and the new order will be in place.
This way is quicker than the delete and insert commands, but you should probably back up the files before editing if you are not very confident.

Author: dannymcc

Updated on September 18, 2022

Comments

  • dannymcc, over 1 year ago

    I have the following rules on our server within UFW:

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       217.22.12.111
    22                         ALLOW       146.200.200.200
    80                         ALLOW       Anywhere
    443                        ALLOW       Anywhere
    22/tcp                     ALLOW       109.104.109.0/26

    The first two rules are our internal IPs, which we want to ensure can always SSH in (port 22). The next two rules are to allow HTTP and HTTPS viewing from any IP address anywhere. The final rule is to allow SSH from our code deployment system.

    I set a ufw default deny rule up, but it doesn't appear to be showing. Should I also have a final rule which denies everything?

    If I add a deny-everything rule, does the order the rules appear in above make a difference? Presumably if this list gets longer, adding another allow rule above a deny rule is impossible, meaning I'll have to remove and re-add some rules?

    • errata, about 4 years ago

      You can see default policies with sudo ufw status verbose