[GH-ISSUE #336] [Question] UFW firewall rules. #76

Closed
opened 2026-03-03 13:58:57 +03:00 by kerem · 1 comment

Originally created by @Cronvs on GitHub (Oct 29, 2023).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/336

Originally assigned to: @konstruktoid on GitHub.

The following code is used in the ufw script:

```
sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A ufw6-before-output -p icmpv6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before6.rules
sed -i '/^COMMIT/i -A ufw6-before-output -p icmpv6 -m state --state ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before6.rules
```

Would the first rule for IPv4 and IPv6 not cover both cases, with ESTABLISHED and RELATED already included?
Am I missing something?

Another thing: why explicitly deny 127.0.0.0/8 if the default is deny?

```
ufw allow in on lo
ufw allow out on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1

ufw default deny incoming
```

I feel like there is something I am missing here.

kerem closed this issue 2026-03-03 13:58:57 +03:00

@konstruktoid commented on GitHub (Oct 29, 2023):

Hi @Xavantex, you are correct. Setting default deny does deny it as well, but it's to make sure (you might not want to deny by default) we configure the loopback interface to accept traffic and configure all other interfaces to deny traffic to the loopback networks.

This is also a requirement for the CIS Ubuntu benchmark (3.4.1.4).

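To make the two points in this thread concrete, here is an added example (not part of the issue or the hardening project) that models first-match chain evaluation over rules shaped like the ones quoted above. It shows that the explicit `deny in from 127.0.0.0/8` / `::1` rules only change the outcome when the default policy is allow, and that the `ESTABLISHED,RELATED` ICMP rule is fully shadowed by the `NEW,ESTABLISHED,RELATED` rule before it. Interface names, addresses and the `Rule` model are constructed assumptions, not ufw's actual tables.

```python
"""Simplified first-match model of the ufw rules discussed in this issue (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, FrozenSet

@dataclass
class Rule:
    action: str                            # "ACCEPT" or "DROP"
    iface: Optional[str] = None            # None matches any interface
    src: Optional[str] = None              # CIDR; None matches any source
    states: Optional[FrozenSet[str]] = None  # conntrack states; None matches any

    def matches(self, iface, src, state):
        if self.iface and self.iface != iface:
            return False
        # An IPv4 address is never inside an IPv6 network and vice versa.
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.states is not None and state not in self.states:
            return False
        return True

def evaluate(rules, default, iface, src, state="NEW"):
    """Walk the chain like iptables does: first matching rule wins, else the policy.
    Returns (verdict, index of the rule that fired, or None for the default policy)."""
    for i, rule in enumerate(rules):
        if rule.matches(iface, src, state):
            return rule.action, i
    return default, None

# Inbound rules modelled on the script's ufw commands (hypothetical, not ufw's own tables)
ALLOW_LO = Rule("ACCEPT", iface="lo")            # ufw allow in on lo
DENY_LO_NET = [Rule("DROP", src="127.0.0.0/8"),  # ufw deny in from 127.0.0.0/8
               Rule("DROP", src="::1")]          # ufw deny in from ::1

# Outbound ICMP rules modelled on the before.rules sed lines
ICMP_OUT = [Rule("ACCEPT", states=frozenset({"NEW", "ESTABLISHED", "RELATED"})),
            Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))]

def spoofed_loopback_verdict(default, with_deny_rules=True):
    """Verdict for a packet arriving on eth0 whose source claims to be 127.0.0.1."""
    rules = [ALLOW_LO] + (DENY_LO_NET if with_deny_rules else [])
    return evaluate(rules, default, "eth0", "127.0.0.1")

def shadowed_rules(rules, default, samples):
    """Indexes of rules that never fire for the sample packets, i.e. fully covered earlier."""
    fired = {evaluate(rules, default, *pkt)[1] for pkt in samples}
    return [i for i in range(len(rules)) if i not in fired]
```

With `default deny incoming` the spoofed packet is dropped with or without the explicit rules; with a default of allow, only the explicit `127.0.0.0/8` / `::1` rules stop it, which is the "make sure" the answer refers to.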