UFW Firewall Rules ordering?
Solution 1
If you're interested in reordering your UFW rules, this is one way to do it.
$ sudo ufw status numbered
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] Anywhere                   DENY IN     [ip-to-block]
Say you accidentally added a rule to the end, but you wanted it up top.
First you will have to remove it from the bottom (7) and add it back.
$ sudo ufw delete 7
Note: be careful when removing multiple rules one after another; their positions can change!
Add back your rule to the very top (1):
$ sudo ufw insert 1 deny from [ip-to-block] to any
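The caveat above (rule numbers shift after every delete) is easy to get wrong in a batch. This added example, which is not part of the original answer, parses a constructed copy of `ufw status numbered` output and emits the `ufw delete` commands highest-number-first so the numbers stay valid; the blocked address 203.0.113.9 is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example, not from the original answers: work out a safe order for
# `ufw delete` when several rules must go. ufw renumbers the remaining rules
# after every delete, so deleting from the highest number downwards keeps the
# numbers read from `ufw status numbered` valid for the whole batch.

# Constructed sample of `sudo ufw status numbered` output (203.0.113.9 is a
# documentation-range placeholder, not a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] Anywhere                   DENY IN     203.0.113.9'

# matching_rule_numbers STATUS_TEXT PATTERN
# Prints the numbers of the rules whose line matches the extended regex
# PATTERN, highest number first, one per line.
matching_rule_numbers() {
    printf '%s\n' "$1" \
        | grep -E -e "$2" \
        | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' \
        | sort -rn
}

# delete_commands STATUS_TEXT PATTERN
# Prints the `ufw delete N` commands for every matching rule, in an order
# that stays correct while ufw renumbers. Review the output before running it.
delete_commands() {
    for n in $(matching_rule_numbers "$1" "$2"); do
        printf 'ufw delete %s\n' "$n"
    done
}

# Stand-alone run: show the commands needed to drop both port-22 rules.
delete_commands "$SAMPLE_STATUS" ' 22 '
```

On a real host, replace SAMPLE_STATUS with `$(sudo ufw status numbered)` and read the printed commands before piping them anywhere.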
Solution 2
The command ufw status verbose will show you the default rule. For your configuration you probably want it to say
Default: deny (incoming), allow (outgoing)
In that case, you don't need a separate 'deny everything' rule, and the order of your other rules doesn't matter. If you do want to change the order, you can add a rule at a specific place by using ufw insert [position] [rule text]. You can get a numbered list of rules with ufw status numbered.
Solution 3
If you are familiar with the format of the rules generated by the iptables-save command, you can just edit the config files for ufw in /etc/ufw/user.rules and /etc/ufw/user6.rules. Even if you aren't, for every user-added rule there is a comment showing the matched ufw command for your reference.
Change the order as you desire and save it. Then run sudo ufw reload, and the new order will be in place.
This way is quicker than the delete and insert commands, but you probably should back up before editing if you are not very confident.
dannymcc
Updated on September 18, 2022
Comments
- dannymcc (over 1 year)
I have the following rules on our server within UFW:
     To         Action      From
     --         ------      ----
     22         ALLOW       217.22.12.111
     22         ALLOW       146.200.200.200
     80         ALLOW       Anywhere
     443        ALLOW       Anywhere
     22/tcp     ALLOW       109.104.109.0/26
The first two rules are our internal IPs which we want to ensure can always SSH in (port 22). The next two rules are to allow HTTP and HTTPS viewing from any IP addresses anywhere. The final rule is to allow SSH from our code deployment system.
I set a ufw default deny rule up but it doesn't appear to be showing. Should I also have a final rule which denies everything? If I add a deny everything rule, does the order the rules appear above make a difference? Presumably if this list gets longer adding another allow rule above a deny rule is impossible, meaning I'll have to remove and re-add some rules?
- errata (about 4 years): you can see default policies with sudo ufw status verbose