Rules for DROP actions are inserted after allow actions in user.rules and thus do not work

Bug #1606353 reported by graysky on 2016-07-25

Bug Description

ufw version: 0.35
distro: Arch ARM (for aarch64)

summary: Unless I am doing this incorrectly, I am finding that DROP rules I add are inserted into /etc/ufw/user.rules above the ACCEPT rules and are thus ignored. If, by contrast, I manually edit /etc/ufw/user.rules and place my DROP rule above the allow rules, ufw gives the expected behavior (i.e. no connections).

steps to reproduce:
1) Setup a fresh install of ufw like this:

ufw default deny
ufw allow from
ufw allow SSH
ufw allow 'WWW Secure'
ufw deny from

2) Enable ufw and look in /etc/ufw/user.rules, you will see:

### tuple ### allow tcp 443 any WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'

### tuple ### deny any any any in
-A ufw-user-input -s -j DROP

As I understand it, rules are taken in order and the traffic in the ACCEPT comes through before the next line which is the DROP. Taken as such, I have repeat connections from the spammer at that IP address. Now, if I manually reverse the rules in /etc/ufw/user.rules the incoming connections are blocked as expected.

graysky (graysky) wrote :

Seems if I place these in /etc/ufw/before.rules right before the bottom, they are honored. Not a bug, sorry for the noise.

Changed in ufw:
status: New → Invalid
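Editorial note on the thread above: the behaviour is first-match semantics in the ufw-user-input chain, not a ufw defect, and besides the reporter's before.rules workaround ufw has a supported way to put a deny above existing allows: `ufw insert 1 deny from <address>` inserts the rule at position 1 of user.rules. The following is an added example, written for this page and not code from the reporter or the ufw project. It parses user.rules-style `-A ufw-user-input` lines and walks them the way iptables does, stopping at the first match, so it shows why the appended DROP never fires and why moving it above the ACCEPT fixes it. The rule text is constructed from the report's excerpt; the address 203.0.113.7 stands in for the redacted spammer address.

```python
"""First-match walk over ufw user.rules lines.

Added example, not part of the bug report or of ufw itself. It models how
iptables (and thus the ufw-user-input chain) evaluates rules top to bottom
and stops at the first match, which is why a DROP appended below an ACCEPT
for the same traffic never fires. Rule text and addresses are constructed.
"""
import ipaddress
import shlex

# Constructed: the order ufw 0.35 wrote per the report (ACCEPT above DROP).
# 203.0.113.7 stands in for the redacted spammer address.
UFW_ORDER = """
### tuple ### allow tcp 443 any WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'

### tuple ### deny any any any in
-A ufw-user-input -s 203.0.113.7 -j DROP
"""

# Constructed: the same two rules with the DROP moved above the ACCEPT, i.e.
# what `ufw insert 1 deny from 203.0.113.7` (or the reporter's manual edit /
# before.rules placement) produces.
FIXED_ORDER = """
### tuple ### deny any any any in
-A ufw-user-input -s 203.0.113.7 -j DROP

### tuple ### allow tcp 443 any WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'
"""


def parse_rules(text):
    """Return rule dicts for each '-A ufw-user-input ...' line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip '### tuple ###' markers and blank lines
        toks = shlex.split(line)  # handles the quoted --comment value
        rule = {"proto": None, "dport": None, "src": None, "target": None}
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok == "-p":
                rule["proto"] = toks[i + 1]
                i += 2
            elif tok == "--dport":
                rule["dport"] = int(toks[i + 1])
                i += 2
            elif tok == "-s":
                # A bare address becomes a /32 (or /128) network.
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            else:
                i += 1  # -A chain, -m comment, --comment text: not match criteria
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet."""
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    return True


def verdict(text, pkt, default="DROP"):
    """First matching rule wins; otherwise fall through to the default policy."""
    for rule in parse_rules(text):
        if matches(rule, pkt):
            return rule["target"]
    return default


if __name__ == "__main__":
    spammer_https = {"src": "203.0.113.7", "proto": "tcp", "dport": 443}
    other_https = {"src": "198.51.100.9", "proto": "tcp", "dport": 443}
    print("ufw order, spammer -> 443:", verdict(UFW_ORDER, spammer_https))
    print("fixed order, spammer -> 443:", verdict(FIXED_ORDER, spammer_https))
    print("fixed order, other host -> 443:", verdict(FIXED_ORDER, other_https))
```

Running it shows the spammer's HTTPS connection accepted under the ufw-generated order and dropped once the DROP sits first, while other hosts still reach port 443. The same ordering rule applies to any user.rules edit: a blanket `deny from` only takes effect against traffic that no earlier allow already accepted.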