Comments are annotations that accompany UFW rules, providing clarity on the rule’s intent, which is particularly useful when managing a large number of rules. Adding comments to UFW rules is a best practice for system administrators as it provides clarity on the purpose of each rule, making management and auditing of the firewall easier.
With the release of Ubuntu 24.04, adding comments to your UFW rules has become an essential practice for system administrators. This not only helps in understanding the purpose behind each rule but also aids in maintaining a clear and documented firewall policy.
Here’s a comprehensive guide on how to add, update, and remove comments from UFW rules.
Table of Content
How to Add Comments to UFW Rules
Adding Comments to New UFW Rules
Allowing HTTP and HTTPS Traffic
Restricting Access to a Specific IP
Updating Comments on Existing UFW Rules
Removing Comments from UFW Rules
How to Add Comments to UFW Rules
Before we dive into methods, it’s crucial to understand that UFW doesn’t inherently support comments within its rules. This means you can’t directly add explanatory text to a rule like you would in other configuration files. However, there are workarounds to enhance rule readability and maintainability.
Syntax
Adding comments to UFW rules is straightforward. When creating a new rule, you can include a comment by appending the comment keyword followed by the desired annotation in single quotes. Here’s the syntax:
sudo ufw allow from any to any port 22 proto tcp comment 'Allow SSH access'
This command allows TCP traffic on port 22 and includes a comment indicating that the rule is for allowing SSH access.
Let’s look at some practical examples of how to add comments to various UFW rules:
Example 1: Adding Comments to New UFW Rules
To add a comment to a new UFW rule, you can use the following syntax. This command allows SSH connections from the IP address 192.168.0.118 and adds a comment explaining the rule’s purpose:
sudo ufw allow from 192.168.0.118 to any port 22 comment 'SSH access for 192.168.0.118'
Note: Use clear and concise names for rules. This can often convey the rule’s purpose. While this doesn’t technically add a comment, the rule name serves a similar purpose.
Example 2: Allowing HTTP and HTTPS Traffic
This rule offers traffic on both HTTP as well as HTTPS ports with a comment explaining its purpose:
sudo ufw allow proto tcp from any to any port 80,443 comment 'Allow web server traffic'
Example 3: Restricting Access to a Specific IP
This rule permits MySQL traffic from a particular IP address, with the comment providing context:
sudo ufw allow from 192.168.0.118 to any port 3306 comment 'Allow MySQL from specific IP'
Example 4: Blocking a Spammer’s IP
During audits, comments can quickly convey the intent of each rule. Here, traffic from a known spammer’s IP is blocked, with the comment indicating the reason for the rule:
sudo ufw deny from 203.0.113.25 comment 'Block known spammer IP address'
Example 5: Updating Comments on Existing UFW Rules
They help other administrators understand the rules without having to decipher them from scratch. Simply reissue the rule with the new comment:
sudo ufw allow from 192.168.0.118 to any port 22 comment 'Updated comment for SSH rule'
This overwrites the previous comment with the new one.
Example 6: Removing Comments from UFW Rules
To remove a comment from an existing rule, use the same command as adding a comment but with an empty string for the comment text:
sudo ufw allow from 192.168.0.118 to any port 22 comment ''
This effectively removes the comment from the rule.
If you need to remove a comment from a rule, you can do so by reissuing the rule without the comment:
sudo ufw allow from any to any port 22 proto tcp
This output updates the rule to remove the comment.
Example 7: Viewing UFW Rules with Comments
Comments are incredibly useful for several reasons: They serve as documentation for why a particular rule was implemented. To view all UFW rules along with their comments, use the verbose status command:
sudo ufw status verbose
This displays a list of all rules with detailed information, including comments.
By following these methods and best practices, you can maintain a well-documented and manageable firewall configuration. Remember, a well-commented firewall is a sign of a well-managed security policy.
Bonus Tip: External Documentation
Maintain a separate text file or document to explain the rationale behind each rule.
Reference the file in a comment within the script or configuration file used to manage UFW rules.
# See ‘ufw_rules_explanation.txt’ for detailed comments on each rule:
sudo ufw allow from 192.168.1.0/24 to any port 22
Note: While these methods can significantly improve rule understanding, they are not a direct substitute for built-in comments. Always prioritize clear and descriptive rule names and maintain external documentation for complex firewall configurations.
Conclusion
Adding comments to UFW rules is a best practice that enhances the manageability and documentation of your firewall policies. By following the examples and guidelines provided, you can ensure that your firewall rules are well-documented and easier to understand for anyone who manages or audits your system’s security. They can describe the purpose of the rule, the services it affects, or any other relevant information that will assist in future rule audits or troubleshooting.
You can explore How to Set Up a Firewall with UFW on Ubuntu 24.04 LTS.
