UFW rules disappear after manually adding them to user.rules ubuntu 16.04


Solution 1

I just bumped into this while scripting a ruleset for automating a host build. The problem is with how UFW validates /etc/ufw/user.rules.

Merely manually adding a rule to /etc/ufw/user.rules such as:

-A ufw-user-output -p tcp --dport 80 -j ACCEPT

will get purged when the ruleset is sanity-checked as UFW starts, WITHOUT the accompanying comment:

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out

So a manually added rule allowing TCP/80 that survives a reload of UFW would be:

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp --dport 80 -j ACCEPT

PLEASE NOTE:

The comment prefacing the manually added rule CANNOT BE arbitrary: it must be the comment UFW generates when you add a rule via the CLI. In this example using TCP/80 that would be:

sudo ufw allow http/tcp

Validating this solution:

Steps to reproduce the FAULT:

  • sudo ufw disable

  • sudo vi /etc/ufw/user.rules

  • Add -A ufw-user-output -p tcp --dport 80 -j ACCEPT WITHOUT comment

  • save and close /etc/ufw/user.rules

  • sudo ufw enable

Your manually added rule will be PURGED; it will not survive a restart of UFW.

Steps to recreate SOLUTION:

  • sudo ufw disable

  • sudo vi /etc/ufw/user.rules

  • Add ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out

  • Add -A ufw-user-output -p tcp --dport 80 -j ACCEPT

  • save and close /etc/ufw/user.rules

  • sudo ufw enable

Your manually added rule will PERSIST.

Yes, absolutely insane that a rule with correct syntax which is not prefaced with a comment will fail validation and get purged. How ironic for a firewall interface professing to be UNCOMPLICATED ;-).

This drove me bananas. Hope this solution saved other people grief.

Solution 2

If you add your custom rules in /etc/ufw/before*.rules or after*.rules instead, they will not disappear after a reload.

When valid ufw commands are entered on the shell, i.e., custom user rules, they go into /etc/ufw/user*.rules files, and those persist.

root@ubuntu:~# ufw allow 22/tcp
Rule added
Rule added (v6)
root@ubuntu:~# grep tcp.*22 /etc/ufw/user*.rules
/etc/ufw/user6.rules:### tuple ### allow tcp 22 ::/0 any ::/0 in
/etc/ufw/user6.rules:-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
/etc/ufw/user.rules:### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
/etc/ufw/user.rules:-A ufw-user-input -p tcp --dport 22 -j ACCEPT
root@ubuntu:~# iptables -L -n | grep dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

If you edit user*.rules directly, added rules (if valid) will be loaded in with ufw reload but will not persist at the next restart of the ufw service.

Therefore, add your custom rules in /etc/ufw/before*.rules or after*.rules instead.

Author: Waqar Afridi

Updated on September 18, 2022

Comments

  • Waqar Afridi over 1 year

    I need to add rules to ufw by editing the user.rules for some reason, when I add rules to it and do sudo ufw reload, the rules are gone. Any reason why this happens and how can I add rules by manually editing the user.rules file?

  • Yehuda about 4 years
    This should be the correct answer
  • Johnny Utahh almost 4 years
    Great analysis. Furthermore: the data in the comments do not appear to be completely validated. E.g., one can change the IP-address range in the comment associated with the -s parameter in an associated iptables rule, and ufw status will list what is in the comment and not the actual rule. However, if one sufficiently changes the syntax of the comment line (I replaced allow with blah blah) one might receive something like a WARN: Skipping malformed tuple: [...] message in ufw status (or at least I did) and the resulting iptables -nvL listing still showed the correct settings.
  • Johnny Utahh almost 4 years
    Clarifying: it appears a comment line can be any legal statement that's parse-able by the ufw system, even if said comment line has no correlation with its ip[6]tables paired command/rule.