UFW rules disappear after manually adding them to user.rules ubuntu 16.04
Solution 1
I just bumped into this scripting a ruleset for automating a host build. The problem is with how UFW validates /etc/ufw/user.rules.
Merely adding a rule manually to /etc/ufw/user.rules, such as:
-A ufw-user-output -p tcp --dport 80 -j ACCEPT
will get it purged when the ruleset is sanity-checked as UFW starts, if it is WITHOUT the accompanying comment:
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
So the way to manually add a rule allowing TCP/80 that survives a reload of UFW would be:
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp --dport 80 -j ACCEPT
PLEASE NOTE:
The comment prefacing the manually added rule CANNOT BE arbitrary: it must be the comment UFW generates when you add a rule via the CLI. In this example, using TCP/80, that would be:
sudo ufw allow http/tcp
Validating this solution:
Steps to reproduce the FAULT:
sudo ufw disable
sudo vi /etc/ufw/user.rules
Add (WITHOUT the comment):
-A ufw-user-output -p tcp --dport 80 -j ACCEPT
Save and close /etc/ufw/user.rules
sudo ufw enable
Your manually added rule will be PURGED; it will not survive a restart of UFW.
Steps to recreate SOLUTION:
sudo ufw disable
sudo vi /etc/ufw/user.rules
Add the comment:
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
Add the rule:
-A ufw-user-output -p tcp --dport 80 -j ACCEPT
Save and close /etc/ufw/user.rules
sudo ufw enable
Your manually added rule will PERSIST.
Yes, absolutely insane that a rule with correct syntax which is not prefaced with a comment will fail validation and get purged. How ironic for a firewall interface professing to be UNCOMPLICATED ;-).
This drove me bananas. Hope this solution saved other people grief.
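As an added example (not code from either answer), a small Python checker for the two pitfalls this thread describes: it flags rules in a user.rules body that lack the preceding "### tuple ###" comment (and so get purged on enable) and, going one step further, rules whose tuple comment disagrees with the iptables rule beneath it, which ufw status does not detect. The tuple field order (action proto dport dst sport src direction) is taken from the examples above; the DROP/REJECT targets for deny/reject and the sample addresses are assumptions.

```python
"""Lint a ufw user.rules body for rules ufw will purge (no tuple) or mis-report (tuple and rule disagree)."""
import re

TUPLE_PREFIX = "### tuple ### "
RULE_RE = re.compile(r"^-A ufw-user-(input|output) ")
# How ufw maps tuple fields onto the iptables rule beneath the comment (deny/reject targets assumed).
TARGET_FOR_ACTION = {"allow": "ACCEPT", "deny": "DROP", "reject": "REJECT"}
CHAIN_FOR_DIR = {"in": "ufw-user-input", "out": "ufw-user-output"}
# Rule flag and its default when absent, keyed by the tuple field it corresponds to.
RULE_FLAGS = {"chain": ("-A", ""), "proto": ("-p", "any"), "dport": ("--dport", "any"),
              "sport": ("--sport", "any"), "src": ("-s", "0.0.0.0/0"),
              "dst": ("-d", "0.0.0.0/0"), "target": ("-j", "")}


def parse_rule(line: str) -> dict:
    """Extract the tuple-relevant fields from an '-A ufw-user-...' iptables line."""
    toks = line.split()
    return {k: toks[toks.index(f) + 1] if f in toks else d for k, (f, d) in RULE_FLAGS.items()}


def check_user_rules(text: str) -> list:
    """Return (1-based line number of the rule, problem) for every rule not paired with a matching tuple."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not RULE_RE.match(line):
            continue
        prev = lines[i - 1] if i > 0 else ""
        if not prev.startswith(TUPLE_PREFIX):
            findings.append((i + 1, "no '### tuple ###' comment: ufw will purge this rule on enable"))
            continue
        fields = prev[len(TUPLE_PREFIX):].split()
        if len(fields) < 7 or fields[0] not in TARGET_FOR_ACTION or fields[6] not in CHAIN_FOR_DIR:
            findings.append((i + 1, "malformed tuple comment: ufw status will skip it"))
            continue
        action, proto, dport, dst, sport, src, direction = fields[:7]
        expected = {"chain": CHAIN_FOR_DIR[direction], "proto": proto, "dport": dport, "sport": sport,
                    "src": src, "dst": dst, "target": TARGET_FOR_ACTION[action]}
        rule = parse_rule(line)
        for key, want in expected.items():
            if rule[key] != want:  # ufw status shows the tuple, so this is the discrepancy it would hide
                findings.append((i + 1, f"tuple says {key}={want} but rule has {rule[key]}"))
    return findings


# Constructed sample: a correct pair, a bare rule, and a pair whose -s disagrees with its tuple.
SAMPLE_USER_RULES = """\
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 10.0.0.0/8 in
-A ufw-user-input -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
"""
```

Run check_user_rules() over the contents of /etc/ufw/user.rules before ufw enable to see which hand-added rules would be dropped or misreported.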
Solution 2
If you add your custom rules in /etc/ufw/before*.rules or after*.rules instead, they will not disappear after a reload.
When valid ufw commands are entered on the shell, i.e., custom user rules, they go into /etc/ufw/user*.rules files, and those persist.
root@ubuntu:~# ufw allow 22/tcp
Rule added
Rule added (v6)
root@ubuntu:~# grep tcp.*22 /etc/ufw/user*.rules
/etc/ufw/user6.rules:### tuple ### allow tcp 22 ::/0 any ::/0 in
/etc/ufw/user6.rules:-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
/etc/ufw/user.rules:### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
/etc/ufw/user.rules:-A ufw-user-input -p tcp --dport 22 -j ACCEPT
root@ubuntu:~# iptables -L -n | grep dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
If you edit user*.rules directly, added rules (if valid) will be loaded in with ufw reload but will not persist at the next restart of the ufw service.
Therefore, add your custom rules in /etc/ufw/before*.rules or after*.rules instead.
References:
- https://serverfault.com/questions/198398/ubuntu-how-to-add-an-iptables-rule-that-ufw-cant-create
- https://bugs.launchpad.net/ufw/+bug/728128
Waqar Afridi
Updated on September 18, 2022
Comments
- Waqar Afridi, over 1 year: I need to add rules to ufw by editing the user.rules for some reason. When I add rules to it and do sudo ufw reload, the rules are gone. Any reason why this happens, and how can I add rules by manually editing the user.rules file?
- Yehuda, about 4 years: This should be the correct answer.
- Johnny Utahh, almost 4 years: Great analysis. Furthermore: the data in the comments do not appear to be completely validated. E.g.: one can change the IP-address range in the comment associated with the -s parameter in an associated iptables rule, and ufw status will list what is in the comment and not the actual rule. However, if one sufficiently changes the syntax of the comment line (I replaced allow with blah blah), one might receive something like a WARN: Skipping malformed tuple: [...] message in ufw status (or at least I did), and the resulting iptables -nvL listing still showed the correct settings.
- Johnny Utahh, almost 4 years: Clarifying: it appears a comment line can be any legal statement that's parseable by the ufw system, even if said comment line has no correlation with its ip[6]tables paired command/rule.