ufw should support insertion of rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Fix Released | Wishlist | Jamie Strandboge |
Bug Description
Binary package hint: ufw
I do not know if this is a "bug report" or a feature request ...
If there is a better mechanism to give feedback, feel free to let me know ;)
At any rate, it would be nice if there were an easier way to modify UFW rules. The "problem" is iptables processes rules in order.
So say we have a long list of ufw rules.
Start with default deny.
Now say we are running a mix of public and private servers ... so we generate a list of allows:

```shell
# Public web server
ufw allow 80
# Public ssh access
ufw allow 22
# Private Samba server
ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.0/24 port 135
ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.0/24 port 139
ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.0/24 port 445
ufw allow proto udp from 192.168.1.0/24 to 192.168.1.0/24 port 137
ufw allow proto udp from 192.168.1.0/24 to 192.168.1.0/24 port 138
```
Now say we are monitoring our network, and find someone is exploiting ssh and/or port 80 :(
Say the IP address is 111.222.3.44.
If we simply run `ufw deny 111.222.3.44`, it will not block this IP (because it was allowed earlier in the chain).
So it is either a manual edit to /etc/ufw/

```shell
-A ufw-before-input -s 111.222.3.44 -j DROP   # (assuming no logging is desired, of course)
```
==================
So I suggest two things (sorry for the long background):

`ufw -n # deny 111.222.3.44`

where the `-n #` specifies where to insert the rule, e.g.

`ufw -n 1 111.222.3.44`

which would put the rule at the top of the chain :)
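To make the ordering problem concrete, here is a small first-match evaluator, added as an illustration and not part of this bug report or of ufw itself. It models the rules above (destination addresses and the 192.168.1.0/24 hosts are constructed sample values) and shows that a deny appended after `allow 22` never fires for the attacker's ssh traffic, whereas the same deny inserted at position 1 does, while still leaving the LAN Samba rule effective; ufw later gained `ufw insert NUM RULE` for exactly this.

```python
"""Toy first-match rule evaluator mirroring iptables/ufw ordering (constructed example)."""
from ipaddress import ip_address, ip_network


def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, port=None):
    """One rule: an action plus optional source/destination network, protocol and port."""
    return {"action": action, "src": ip_network(src), "dst": ip_network(dst),
            "proto": proto, "port": port}


def matches(r, pkt):
    """A rule matches when every constraint it sets agrees with the packet."""
    return (ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and r["proto"] in (None, pkt["proto"])
            and r["port"] in (None, pkt["port"]))


def evaluate(rules, pkt, default="deny"):
    """iptables/ufw semantics: the first matching rule wins, else the default policy."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default


# The report's allow list, in the order ufw's default "append" would build it.
base = [
    rule("allow", port=80),                                                     # ufw allow 80
    rule("allow", port=22),                                                     # ufw allow 22
    rule("allow", src="192.168.1.0/24", dst="192.168.1.0/24", proto="tcp", port=445),
]
block_attacker = rule("deny", src="111.222.3.44/32")

# Constructed sample packets: the attacker's ssh attempt and a legitimate LAN SMB session.
attacker_ssh = {"src": "111.222.3.44", "dst": "10.0.0.5", "proto": "tcp", "port": 22}
lan_smb = {"src": "192.168.1.7", "dst": "192.168.1.9", "proto": "tcp", "port": 445}


def appended():
    """Deny appended after 'allow 22': never reached for the attacker's ssh packets."""
    return evaluate(base + [block_attacker], attacker_ssh)  # returns "allow"


def inserted():
    """The requested insert-at-position-1: the deny is evaluated before every allow."""
    return evaluate([block_attacker] + base, attacker_ssh)  # returns "deny"


def lan_still_allowed():
    """Inserting the deny at the top does not disturb the LAN Samba allow."""
    return evaluate([block_attacker] + base, lan_smb)  # returns "allow"
```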
Changed in ufw: status: Confirmed → In Progress
Changed in ufw: status: In Progress → Fix Committed
Thanks for your feedback. I think having the ability to insert rules rather than simply append is a good idea and have marked the bug accordingly.