Whenever I run a command like `ufw allow 22`, ufw automatically adds the firewall rules to both IPv4 and IPv6. If I want to only open a port on IPv4, is there a way to do so? Something like `ufw allow 22 proto ipv4`.
15

RalphORama
3 Answers
25
You just have to use the fuller syntax and specify an address (range).
For example, allow connections to TCP port 22 on all IPv4 addresses:
`ufw allow proto tcp to 0.0.0.0/0 port 22`

Kontrollfreak
I don't think this actually is a complete answer. Please see mine below. Thanks – james-see Feb 13 '19 at 04:20
22
I would edit the ufw config file itself to turn off IPv6:
`sudo nano /etc/default/ufw`
Change the line that says `IPV6=yes` to `IPV6=no`, then restart the ufw service. You can even run `sudo ufw reload` if the ufw instance is already enabled.
This worked for me to ensure that all the rules I add are only added to IPv4.
Thanks

james-see
It works fantastic, and it even causes deletion of all the duplicate IPv6 rules immediately upon reload. Thank you – spaceman Feb 12 '20 at 12:35
Warning: All IPv6 rules will be deleted and **not** be restored if setting `IPV6=yes` again. – Kontrollfreak Sep 24 '20 at 13:58
@M.Rostami no. It disables IPv6 completely and removes all current IPv6 rules. – james-see Feb 04 '21 at 16:00
This will block all the incoming IPv6 traffic; it will prevent IPv6 users from accessing your sites! – the_nuts Feb 04 '22 at 10:33
@james-see DNS amplification attacks are still possible using IPv4. – Michael Mior Aug 17 '22 at 11:44
@james-see There's nothing inherent to DNS amplification attacks that requires IPv6. If you read any article that describes DNS amplification, you likely won't see any mention of IPv4 vs IPv6, because IPv6 is not necessary. – Michael Mior Aug 18 '22 at 12:29
@MichaelMior can you please read the Cloudflare article I linked? “The DNS configuration for IPv6 will be different from IPv4. In addition to the connection issues, there’s also a higher risk for DNS attacks, primarily DNS amplification attacks. They are usually used to strengthen distributed denial-of-service or botnet attacks.” Are you saying they are wrong? This is why I asked for a source. – james-see Aug 20 '22 at 23:08
@james-see I read the article and I'm not saying it's wrong. The article says there is a *higher* risk, not that there is no risk with IPv4. – Michael Mior Aug 21 '22 at 17:50
@MichaelMior ah, that makes more sense. You want me to fix my comment above, which is not clear or specific regarding IPv4 and may indicate the wrong thing depending on how you read it. I did not clearly say in the comment that there is no risk with IPv4. Fixing now and probably just deleting the comment, thank you. – james-see Aug 23 '22 at 15:24
4
Maybe only by subnet:
`sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22`
More info: https://help.ubuntu.com/lts/serverguide/firewall.html

Chico3001
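A worked version of the three approaches in the answers above, added here as an example and not code from any of the answers. It runs only against constructed copies of /etc/default/ufw and of a `ufw status` listing, so it never touches a live firewall; the file names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread). It works only on constructed
# copies of /etc/default/ufw and of a `ufw status` listing, so it never
# touches a live firewall; file and function names are my own.
set -eu

# Answers 1 and 3: an explicit IPv4 destination or source makes ufw add
# only the IPv4 rule, with no IPv6 twin.  usage: v4_rule PORT [PROTO] [SRC]
v4_rule() {
    printf 'ufw allow proto %s from %s to 0.0.0.0/0 port %s\n' \
        "${2:-tcp}" "${3:-any}" "$1"
}

# Answer 2: flip IPV6= in (a copy of) /etc/default/ufw. Idempotent and
# limited to yes/no. As the comments note, IPV6=no deletes every IPv6 rule
# and blocks all inbound IPv6; setting yes again does not restore them.
# usage: set_ipv6 FILE yes|no
set_ipv6() {
    case "$2" in yes|no) ;; *) echo "set_ipv6: want yes|no" >&2; return 1 ;; esac
    if grep -q '^IPV6=' "$1"; then
        sed "s/^IPV6=.*/IPV6=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'IPV6=%s\n' "$2" >> "$1"
    fi
    grep -q "^IPV6=$2\$" "$1"          # verify the edit actually landed
}
# Defender's check: count "(v6)" lines in a saved `ufw status` listing.
# Non-zero means a bare `ufw allow PORT` opened the port on IPv6 as well.
count_v6_rules() { grep -c '(v6)' "$1" || true; }

# Constructed sample inputs (not captured from a real host).
WORK=$(mktemp -d)
SAMPLE_CFG="$WORK/ufw.default"
SAMPLE_STATUS="$WORK/ufw.status"
cat > "$SAMPLE_CFG" <<'EOF'
# /etc/default/ufw (constructed copy)
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
EOF
cat > "$SAMPLE_STATUS" <<'EOF'
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
v4_rule 22                               # IPv4-only form of "ufw allow 22"
v4_rule 22 tcp 192.168.0.0/24            # same, limited to one subnet
echo "rules with an IPv6 twin: $(count_v6_rules "$SAMPLE_STATUS")"
set_ipv6 "$SAMPLE_CFG" no && grep '^IPV6=' "$SAMPLE_CFG"
```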