
UFW is working really well for me except in the cases where it doesn't...

I want to be able to add another rule manually that will be applied on boot?

  • where should i put this rule?
  • how should I make it start at boot?
  • how do I make it play nicely with UFW?
Arthur Ulfeldt
  • ufw is one of those "what you see is all you get" things that make it easier for newbies. If you need to do more than it can do, consider switching to iptables completely. That "working really well for me" is good proof that you can try something (iptables) more complicated (but also more flexible). – halp Nov 05 '10 at 05:02

2 Answers


According to this Ubuntu wiki page (scroll down to "Advanced Functionality"), you can achieve what you want by putting your own iptables rules into the following files:

  • /etc/ufw/before.rules
  • /etc/ufw/after.rules

The before file is evaluated before any ufw rules are applied; the after file is evaluated after. (There are also corresponding before6 and after6 rules files, for your ip6tables rules.)

These rules files are expected to be in iptables-restore-compatible syntax, presumably because ufw simply loads them using iptables-restore. Finally, note that you need to stop and restart ufw after you make any changes to the rules files.

Steven Monday
  • Note that you can (perhaps unintentionally) change the precedence of iptables rules if you forget to standardize the use of -I or -A when using these files. -I (insert) adds rules to the TOP of the chain, evaluated first, while -A (append) adds them to the bottom of the chain. This might cause unexpected results if you use -I in the .after file, for example. Just a thought. – Sam Halicke Nov 05 '10 at 04:11
  • Does the order of the rules matter? How do I know if I want my rule before or after UFW? – Freedo Mar 28 '20 at 05:44
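As an added example (not part of the answer above, and not ufw's own tooling): a small POSIX shell helper that puts one custom rule into a copy of a before.rules-style file, inside the right `*table` ... `COMMIT` block, idempotently, and lets you check where it landed before you touch the real file. The helper names, the constructed sample file and the temp-copy workflow are assumptions made for this example; the rule lines use the iptables-restore syntax the answer describes.

```shell
#!/bin/sh
# Added example (not from the page): manage one custom iptables-restore line
# in a copy of a ufw before.rules-style file. Helper names, the sample file
# and the temp-file workflow are assumptions made for this example.

# Write a constructed, minimal file shaped like /etc/ufw/before.rules to $1.
# A real before.rules carries many more chains and rules; this is sample data.
write_sample_rules() {
  cat > "$1" <<'EOF'
# constructed sample shaped like /etc/ufw/before.rules
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Exit 0 if line $3 sits between "*$2" and the COMMIT that closes that table.
rule_in_table() {
  awk -v tbl="*$2" -v rule="$3" '
    $0 == tbl            { inside = 1; next }
    $0 == "COMMIT"       { inside = 0; next }
    inside && $0 == rule { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Insert rule $3 into file $1 just above the COMMIT that closes table $2.
# Idempotent: an identical line already in the file is left alone.
# Refuses to act when the *table block is missing, because a rule outside a
# *table ... COMMIT pair makes iptables-restore reject the whole file, and
# then ufw will not come up at all. (Rule text must not contain backslashes;
# awk -v would interpret them.)
add_rule_before_commit() {
  file=$1; table=$2; rule=$3
  grep -q -x -F -- "*$table" "$file" || {
    echo "no *$table block in $file; add the table block first" >&2
    return 1
  }
  grep -q -x -F -- "$rule" "$file" && return 0
  tmp=$(mktemp) || return 1
  awk -v tbl="*$table" -v rule="$rule" '
    $0 == tbl { inside = 1 }
    inside && $0 == "COMMIT" && !done { print rule; done = 1; inside = 0 }
    { print }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # cat into the original keeps its owner and mode (root-owned under /etc/ufw)
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Dry-run parse with "iptables-restore --test" (iptables >= 1.6.2). It needs
# root; otherwise report the check as skipped rather than failing.
check_syntax() {
  if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
    echo "syntax check skipped: needs root and iptables-restore --test"
    return 0
  fi
  iptables-restore --test < "$1"
}

# Demo on a throwaway copy. Point the same calls at /etc/ufw/before.rules
# (as root) to do it for real, then restart ufw so the file is reloaded.
demo_file=$(mktemp)
write_sample_rules "$demo_file"
add_rule_before_commit "$demo_file" filter "-A ufw-before-input -p tcp --dport 2222 -j ACCEPT"
add_rule_before_commit "$demo_file" filter "-A ufw-before-input -p tcp --dport 2222 -j ACCEPT"  # no-op
cat "$demo_file"
rm -f "$demo_file"
```

The same function works for after.rules and for the `*nat` block (it refuses to add a NAT rule until a `*nat` ... `COMMIT` block exists, which is exactly the mistake that leaves ufw unable to start). Use `-I ufw-before-input ...` instead of `-A` only when you really want the rule at the top of that chain, as Sam's comment warns; run `check_syntax` on the real file as root before `sudo ufw reload`.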

UFW will purge any MANUALLY added rule in /etc/ufw/user.rules which is NOT prefaced with a comment:

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 out
-A ufw-user-output -p tcp --dport 80 -j ACCEPT

When UFW sanity checks the rules on startup, it expects an accompanying comment. If it's NOT present, even if the syntax of the rule is correct, UFW will still purge it.

And don't just use any arbitrary comment: it MUST be the comment that UFW would insert when creating a user rule via the cli, ie:

sudo ufw allow http/tcp

So if you want to pre-seed a series of rules in a ruleset in a simple file, you'd still need to create the rules via UFW's CLI interface to learn the syntax of the comments it expects for the rule to pass validation and persist.

Try the foregoing with and WITHOUT the comment and reload the specimen HTTP rule above; you'll see that only with the comment does the manually added rule survive a restart (ufw enable) of UFW.

This is really counter-intuitive behaviour and not documented at all.

F1Linux
  • Great explanation! It's a bit puzzling for me why this core behavior is not clarified clearly on most of the docs I've seen – weshouman Nov 06 '20 at 06:42
  • "UFW will purge any MANUALLY added rule in /etc/ufw/user.rules which is NOT prefaced with a comment:" so annoying. Why would they do that?! – spinkus Feb 22 '21 at 09:40
  • This is because the `user.rules` file is not supposed to be edited directly; it is used by ufw to store rules added via the `ufw` command by the user. From the Ubuntu documentation: `/var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)` – Mei Mar 29 '21 at 16:52
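As an added example (not part of the answer or comments above, and not ufw's own tooling): a POSIX shell audit that reads a user.rules-style file and lists every `ufw-user-*` rule line that no `### tuple ###` stanza accounts for, i.e. the hand-added rules the answer says ufw will drop on the next enable. The function names and the sample file are assumptions made for this example; the sample's tuple lines follow the shape shown in the answer, with the 2222 rule deliberately left without one.

```shell
#!/bin/sh
# Added example (not from the page or from ufw): audit a user.rules-style file
# for hand-added rule lines that no "### tuple ###" line accounts for. The
# function names and the sample file are assumptions made for this example.

# Constructed sample shaped like the RULES section of user.rules. The 2222
# rule was "added by hand" with no tuple line, which is the case the answer
# above describes: ufw drops it on the next enable/reload.
write_sample_user_rules() {
  cat > "$1" <<'EOF'
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

-A ufw-user-input -p tcp --dport 2222 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### END RULES ###
COMMIT
EOF
}

# Print every ufw-user-* rule line that is not part of a tuple stanza.
# A stanza is a "### tuple ###" line followed by its rule line(s) and ended by
# a blank line; ufw writes several -A lines under one tuple for "limit" rules,
# so "immediately preceded by a tuple line" would be too strict a test.
orphan_user_rules() {
  awk '
    /^### tuple ###/ { covered = 1; next }
    /^$/             { covered = 0; next }
    /^-A ufw-user-/  { if (!covered) print }
  ' "$1"
}

# Number of orphan rule lines, for scripting (0 means nothing would be lost).
count_orphans() {
  orphan_user_rules "$1" | wc -l | tr -d ' '
}

# Demo on a throwaway file; run orphan_user_rules against your real
# user.rules before "ufw enable" to see what is about to disappear.
f=$(mktemp)
write_sample_user_rules "$f"
echo "rules ufw would drop from $f:"
orphan_user_rules "$f"
rm -f "$f"
```

Anything the audit lists should be re-added with the `ufw` command (`ufw allow 2222/tcp` for the sample's orphan), or moved to before.rules/after.rules as in the first answer, rather than patched back into user.rules by hand.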