5

What is the difference between creating allow/deny rules via a service versus a port and protocol?

For example: ufw allow ssh versus ufw allow 22/tcp, or even ufw allow ssh/tcp.

Which is the 1) cleanest 2) most restrictive 3) best way to approach?

DanCat

1 Answer

7

ufw allow ssh

This inserts rules that allow udp and tcp packets destined for port 22.

ufw allow 22/tcp

This inserts rules that allow just tcp packets destined for port 22.

ufw allow ssh/tcp

This inserts rules that allow just tcp packets destined for port 22.

When you provide the name of a service rather than a port number, ufw looks the name up in /etc/services and reads the port number from it. Ultimately

ufw allow ssh/tcp

gets translated into ... 22/tcp and from there to iptables/netfilter.

The most restrictive are the ones that limit to service/protocol (obviously you can further restrict using source address(es) etc).

As to which is cleanest/best ... that's up to you; some people will prefer service names and others port numbers.

chicks
user9517
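The lookup the answer describes, as an added example that is not part of the original answer and not ufw's own code: it parses an /etc/services-style table (a constructed excerpt embedded inline, so it runs offline) and expands the three spellings from the question into the concrete port/protocol pairs that reach netfilter. A bare service name or bare port number opens every protocol the table lists (both tcp and udp for ssh), while an explicit /tcp or /udp suffix yields exactly one rule, which is why the suffixed forms are the more restrictive ones. The iptables rendering at the end is a simplified, assumed form of the match ufw writes into its user chain.

```python
"""Expand ufw-style rule specs ('ssh', '22/tcp', 'ssh/tcp') into the
port/protocol pairs that end up as netfilter rules.

Added example, not ufw's own code: it imitates the /etc/services lookup
the answer describes. The services table is a constructed excerpt."""

# Constructed excerpt in /etc/services format (a real file has many more lines).
SERVICES_TEXT = """\
# Network services, Internet style
ssh             22/tcp
ssh             22/udp
domain          53/tcp
domain          53/udp
http            80/tcp          www
ntp             123/udp
"""


def parse_services(text):
    """Return {name_or_alias: {proto: port}} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/")
        for alias in [name] + fields[2:]:      # aliases (e.g. www) resolve too
            table.setdefault(alias, {})[proto] = int(port)
    return table


def resolve_rule(spec, services):
    """Expand one rule spec into a sorted list of (port, proto) tuples.

    'ssh'    -> every protocol the table lists for ssh (22/tcp and 22/udp)
    '22/tcp' -> just 22/tcp
    'ssh/tcp'-> just the tcp entry for ssh
    A numeric port with no protocol opens both tcp and udp, as ufw does.
    """
    target, _, proto = spec.partition("/")
    if proto and proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol: {proto}")
    if target.isdigit():
        port = int(target)
        protos = [proto] if proto else ["tcp", "udp"]
        return sorted((port, p) for p in protos)
    entries = services.get(target)
    if entries is None:
        raise ValueError(f"unknown service: {target}")
    if proto:
        if proto not in entries:
            raise ValueError(f"service {target} has no {proto} entry")
        return [(entries[proto], proto)]
    return sorted((port, p) for p, port in entries.items())


def to_iptables(rules):
    """Render each (port, proto) pair as a simplified iptables match (assumed form)."""
    return [f"-p {proto} --dport {port} -j ACCEPT" for port, proto in rules]


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    for spec in ("ssh", "22/tcp", "ssh/tcp"):
        rules = resolve_rule(spec, services)
        print(f"ufw allow {spec:8} -> {rules}")
        for line in to_iptables(rules):
            print(f"    {line}")
```

Run it as a script to see the three specs side by side; the suffixed forms produce one rule each, the bare name two. A name with only one entry in the table (ntp in the excerpt) expands to that single protocol, and asking for a protocol the table lacks (ntp/tcp) is rejected rather than silently opening a port.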