May 17, 2020

Ubuntu Firewall – UFW useful commands | Bots!

Installing UFW. Debian does not install UFW by default. If you followed the entire Initial Server Setup …

ufw - Manage firewall with UFW — Ansible Documentation

    # Allow everything and enable UFW
    - ufw:
        state: enabled
        policy: allow

    # Set logging
    - ufw:
        logging: on

    # Sometimes it is desirable to let the sender know when traffic is
    # being denied, rather than simply ignoring it. In these cases, use
    # reject instead of deny. In addition, log rejected connections:
    - ufw:
        rule: reject
        port: auth
        log: yes

    # ufw supports connection rate limiting, which is useful

UFW not blocking traffic : linuxquestions

sudo ufw deny from to any

x.11 is a Roku machine I'm using for testing. So I issued the above command, and checked with "sudo ufw status", which revealed the rule was active.

    $ sudo ufw deny 39163
    Rule added
    Rule added (v6)

I can check, and the rule is there:

    $ sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    39163                      DENY        Anywhere
    39163 (v6)                 DENY        Anywhere (v6)

But I can see in my application logs that it is still communicating with the remote service, and it also looks like this is the case from netstat:

    sudo ufw status | grep -i deny

This time we filter the status output to display only the firewall rules that have been configured to deny connections. As shown in the screenshot above, TCP port 80 has been blocked by the Ubuntu firewall.

UFW Allow and UFW Deny

We always try to balance security against availability. A system that is locked down too tightly is difficult to use and harder to maintain, while a system with too permissive a security profile is more prone to attacks and exploits. Firewalls are no different: you aim for an optimal balance between operability and security.

The deny rules must apparently come first. I can ensure it myself, but a naive use of ufw could expose the host. I would suggest that ufw always insert the deny rules in front of any allow rules as a …