Does order of UFW rules matter?

Question

When I first initialized my ufw, I did

ufw default allow outgoing
ufw default deny incoming
ufw allow 80/tcp
ufw allow 22/tcp

Over the last week or so, I've been going through my access logs and banning IPs that are making malicious requests on my server

I'd do so using

ufw deny from <ip>

---

Here's my ufw status verbose

All the IPs pasted here are from sick-filth spammers; take no pity on them

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   DENY IN     125.39.22.154
Anywhere                   DENY IN     222.124.200.250
Anywhere                   DENY IN     101.60.178.197
Anywhere                   DENY IN     115.184.115.200
Anywhere                   DENY IN     93.174.93.129
... more ips ...
80/tcp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)

---

Question

What I'm noticing is that the ALLOW actions are before the DENY actions.

Does the order of the rules actually matter? Or can I rest peacefully knowing that my IP block has worked?

Side question: Is there a more effective way to handle spammy requests than manually greping access/error logs for malicious requests and blocking those IPs from making future requests?

Answer 1

Does the order of the rules actually matter?

Yes it does. Denies should be first in this case since they are more specific (more specific rules should go first). Example

Is there a more effective way to handle spammy requests than manually

fail2ban can scan logs, and add IPs to many types of filtering systems that match defined patterns.

Answer 2

You can instruct ufw to insert rules at a given position:

ufw insert 1 deny from <ip> to any

This inserts the deny rule in first position instead of last.