When working with firewalls, it’s important to keep rules in the correct positions. Otherwise, some of them might not work as expected.
In this tutorial, we’ll look at the rule ordering of the Uncomplicated Firewall (UFW). First, we’ll learn why the wrong rule order may break some rules. Secondly, we’ll study the UFW commands to reorder the rules.
2. Why Is UFW Rule Ordering Important?
One of the main principles of firewall rule order is to put specific rules first, and generic rules after them. This is because when a rule matches, no further rules get evaluated.
For example, in the firewall table below, there’s a generic rule to ALLOW all connections for the TCP port 22 from the IP range 192.168.0.0-255. In addition, there’s a specific rule to DENY the connection from 192.168.0.3:
$ sudo ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW 192.168.0.0/24 22/tcp DENY 192.168.0.3
Since the DENY rule is second, it won’t get evaluated because the ALLOW rule will always match first. Therefore, to have a chance at blocking traffic from 192.168.0.3, it’s essential to put the DENY rule before the ALLOW rule in this case.
3. How to Reorder Rules
Let’s look at the UFW commands for reordering rules.
3.1. Get the Rule Numbers
To reorder the rules, we first need to get the current rule numbers by running the sudo ufw status command with its numbered modifier:
$ sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN 192.168.0.0/24 [ 2] 22/tcp DENY IN 192.168.0.3
As we can see, the rules now have numbers from one (1) to two (2).
3.2. Delete the Rule from the Wrong Position
To be able to change the order of a rule, we should first delete it from the table. Thus, we need to use the command sudo ufw delete <rule number>. Here, we’ll delete rule number 2:
$ sudo ufw delete 2
After running the command, we’ll have to confirm the Proceed with operation (y|n)? prompt via y and the Enter key.
Once done, the DENY rule will be deleted from the table.
3.3. Insert the Rule into the New Position
Let’s now put the DENY rule at the first position in the table. For that, we need to run the command: sudo ufw insert <position number> <rule info>. For example, to put the same DENY rule as above, but at position 1, we’ll run:
$ sudo ufw insert 1 deny from 192.168.0.3 to any port 22 proto tcp
The DENY rule will now be first. Let’s verify by checking the current table:
$ sudo ufw status Status: active To Action From -- ------ ---- 22/tcp DENY 192.168.0.3 22/tcp ALLOW 192.168.0.0/24
As we can see, the rule ordering now is correct. Sending a packet from host 192.168.0.3 to TCP port 22 of our local system would be blocked before the ALLOW rule for the whole subnet is reached.
In this tutorial, we learned how to reorder firewall rules when using UFW. First, we investigated why rule order is important. After that, we looked at the commands to reorder the rules.