1. Introduction

When working with firewalls, it’s important to keep rules in the correct positions. Otherwise, some of them might not work as expected.

In this tutorial, we’ll look at the rule ordering of the Uncomplicated Firewall (UFW). First, we’ll learn why the wrong rule order may break some rules. Secondly, we’ll study the UFW commands to reorder the rules.

2. Why Is UFW Rule Ordering Important?

One of the main principles of firewall rule order is to put specific rules first, and generic rules after them. This is because when a rule matches, no further rules get evaluated.

For example, in the firewall table below, there’s a generic rule to ALLOW all connections for the TCP port 22 from the IP range In addition, there’s a specific rule to DENY the connection from

$ sudo ufw status
Status: active

To             Action   From
--             ------   ----
22/tcp         ALLOW
22/tcp         DENY

Since the DENY rule is second, it won’t get evaluated because the ALLOW rule will always match first. Therefore, to have a chance at blocking traffic from, it’s essential to put the DENY rule before the ALLOW rule in this case.

3. How to Reorder Rules

Let’s look at the UFW commands for reordering rules.

3.1. Get the Rule Numbers

To reorder the rules, we first need to get the current rule numbers by running the sudo ufw status command with its numbered modifier:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN            
[ 2] 22/tcp                     DENY IN 

As we can see, the rules now have numbers from one (1) to two (2).

3.2. Delete the Rule from the Wrong Position

To change a rule's position, we first have to delete it from the table using the command sudo ufw delete <rule number>. Here, we'll delete rule number 2:

$ sudo ufw delete 2

After running the command, we’ll have to confirm the Proceed with operation (y|n)? prompt via y and the Enter key.

Once done, the DENY rule will be deleted from the table.

3.3. Insert the Rule into the New Position

Let’s now put the DENY rule at the first position in the table. For that, we need to run the command: sudo ufw insert <position number> <rule info>. For example, to put the same DENY rule as above, but at position 1, we’ll run:

$ sudo ufw insert 1 deny from to any port 22 proto tcp

The DENY rule will now be first. Let’s verify by checking the current table:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     DENY               
22/tcp                     ALLOW 

As we can see, the rule ordering now is correct. Sending a packet from host to TCP port 22 of our local system would be blocked before the ALLOW rule for the whole subnet is reached.
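To make the first-match behaviour from section 2 and the delete/insert steps from section 3 concrete, here is a small Python model added for this article; it is not part of UFW or its documentation. It parses constructed ufw status numbered lines (the addresses 10.0.0.0/24 and 10.0.0.5 are made-up samples standing in for the ranges in the tables above), flags rules that an earlier rule shadows, and replays the reorder.

```python
import ipaddress, re

# Constructed sample of `ufw status numbered` output; the addresses are made up
# for this example and stand in for the ranges used in the article's tables.
STATUS_NUMBERED = """\
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/24
[ 2] 22/tcp                     DENY IN     10.0.0.5
"""

RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(ALLOW|DENY|REJECT|LIMIT)\s+(?:IN\s+)?(\S+)")

def parse_rules(text):
    """Return [(number, to, action, from)] for every numbered rule line."""
    return [(int(n), to, act, frm) for n, to, act, frm in
            (m.groups() for m in map(RULE_RE.match, text.splitlines()) if m)]

def _net(frm):
    """UFW prints 'Anywhere' for an unrestricted source; everything else is an address or CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if frm == "Anywhere" else frm, strict=False)

def _covers(to, port, proto):
    rport, _, rproto = to.partition("/")          # "22/tcp" -> ("22", "tcp"); "22" -> any proto
    return rport.isdigit() and int(rport) == port and rproto in ("", proto)

def first_match(rules, src, port, proto):
    """Simulate UFW's evaluation: the first matching rule decides, later rules are never consulted."""
    for num, to, action, frm in rules:
        if _covers(to, port, proto) and ipaddress.ip_address(src) in _net(frm):
            return action, num
    return "DEFAULT", None                         # falls through to the default policy

def shadowed(rules):
    """Numbers of rules that can never be the first match because an earlier rule on the same
    destination already covers their whole source range (the DENY rule's problem in section 2)."""
    return [num for i, (num, to, _, frm) in enumerate(rules)
            if any(to == eto and _net(frm).subnet_of(_net(efrm)) for _, eto, _, efrm in rules[:i])]

def reorder(rules, num, position):
    """Model `ufw delete <num>` followed by `ufw insert <position> ...`, then renumber as UFW does."""
    moved = next(r for r in rules if r[0] == num)
    rest = [r for r in rules if r[0] != num]
    rest.insert(position - 1, moved)
    return [(i, to, act, frm) for i, (_, to, act, frm) in enumerate(rest, start=1)]

if __name__ == "__main__":
    rules = parse_rules(STATUS_NUMBERED)
    print("shadowed before:", shadowed(rules), first_match(rules, "10.0.0.5", 22, "tcp"))
    fixed = reorder(rules, 2, 1)
    print("shadowed after: ", shadowed(fixed), first_match(fixed, "10.0.0.5", 22, "tcp"))
```

Running shadowed() against a real ufw status numbered dump is a quick way to spot rules that the current ordering makes unreachable before deciding which ones to move.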

4. Conclusion

In this tutorial, we learned how to reorder firewall rules when using UFW. First, we investigated why rule order is important. After that, we looked at the commands to reorder the rules.
