Authors Top

If you have a few years of experience in the Linux ecosystem, and you’re interested in sharing that experience with the community, have a look at our Contribution Guidelines.

1. Introduction

When working with firewalls, it’s important to keep rules in the correct positions. Otherwise, some of them might not work as expected.

In this tutorial, we’ll look at the rule ordering of the Uncomplicated Firewall (UFW). First, we’ll learn why the wrong rule order may break some rules. Secondly, we’ll study the UFW commands to reorder the rules.

2. Why Is UFW Rule Ordering Important?

One of the main principles of firewall rule order is to put specific rules first, and generic rules after them. This is because when a rule matches, no further rules get evaluated.

For example, in the firewall table below, there’s a generic rule to ALLOW all connections for the TCP port 22 from the IP range 192.168.0.0-255. In addition, there’s a specific rule to DENY the connection from 192.168.0.3:

$ sudo ufw status
Status: active

To             Action   From
--             ------   ----
22/tcp         ALLOW    192.168.0.0/24
22/tcp         DENY     192.168.0.3

Since the DENY rule is second, it won’t get evaluated because the ALLOW rule will always match first. Therefore, to have a chance at blocking traffic from 192.168.0.3, it’s essential to put the DENY rule before the ALLOW rule in this case.

3. How to Reorder Rules

Let’s look at the UFW commands for reordering rules.

3.1. Get the Rule Numbers

To reorder the rules, we first need to get the current rule numbers by running the sudo ufw status command with its numbered modifier:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24            
[ 2] 22/tcp                     DENY IN     192.168.0.3 

As we can see, the rules now have numbers from one (1) to two (2).

3.2. Delete the Rule from the Wrong Position

To be able to change the order of a rule, we should first delete it from the table. Thus, we need to use the command sudo ufw delete <rule number>. Here, we’ll delete rule number 2:

$ sudo ufw delete 2

After running the command, we’ll have to confirm the Proceed with operation (y|n)? prompt via y and the Enter key.

Once done, the DENY rule will be deleted from the table.

3.3. Insert the Rule into the New Position

Let’s now put the DENY rule at the first position in the table. For that, we need to run the command: sudo ufw insert <position number> <rule info>. For example, to put the same DENY rule as above, but at position 1, we’ll run:

$ sudo ufw insert 1 deny from 192.168.0.3 to any port 22 proto tcp

The DENY rule will now be first. Let’s verify by checking the current table:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     DENY        192.168.0.3               
22/tcp                     ALLOW       192.168.0.0/24 

As we can see, the rule ordering now is correct. Sending a packet from host 192.168.0.3 to TCP port 22 of our local system would be blocked before the ALLOW rule for the whole subnet is reached.

4. Conclusion

In this tutorial, we learned how to reorder firewall rules when using UFW. First, we investigated why rule order is important. After that, we looked at the commands to reorder the rules.

Authors Bottom

If you have a few years of experience in the Linux ecosystem, and you’re interested in sharing that experience with the community, have a look at our Contribution Guidelines.

Comments are closed on this article!