UFW - Rules by Service Name Versus Port and Protocol

What is the difference between creating allow/deny rules via a service versus a port and protocol?

For example: ufw allow ssh versus ufw allow 22/tcp, or even ufw allow ssh/tcp.

Which is the 1) cleanest 2) most restrictive 3) best way to approach?


Solution 1:

ufw allow ssh

This inserts rules that allow udp and tcp packets destined for port 22.

ufw allow 22/tcp

This inserts rules that allow just tcp packets destined for port 22.

ufw allow ssh/tcp

This inserts rules that allow just tcp packets destined for port 22.

When you provide the name of a service rather than a port number, ufw looks the name up in /etc/services and reads the port number from it. Ultimately

ufw allow ssh/tcp

gets translated into ... 22/tcp and from there to iptables/netfilter.

The most restrictive are the ones that limit to service/protocol (obviously you can further restrict using source address(es) etc).

As to which is cleanest/best ... that's up to you; some people will prefer service names and others port numbers.
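Added example, not from the question or the answer above: a small POSIX shell script that mimics the /etc/services lookup the answer describes, so you can see exactly which port/protocol pairs each of the three forms in the question expands to before they reach iptables/netfilter. The services table is a constructed excerpt embedded in the script (it lists ssh for both tcp and udp; whether your real file does is the thing that decides if ufw allow ssh covers udp at all). The function names resolve_service and ufw_rule and the SERVICES_FILE variable are this example's own, not part of ufw.

```shell
#!/bin/sh
# Added example, not from the question or the answer: mimic ufw's expansion of
# a service name into port/protocol pairs via an /etc/services lookup.
# SERVICES_TABLE is a constructed excerpt in /etc/services format so the
# script runs offline; export SERVICES_FILE=/etc/services to use the real one.

SERVICES_TABLE='# constructed excerpt (a real file may list ssh for tcp only)
ssh             22/tcp
ssh             22/udp
domain          53/tcp
domain          53/udp
http            80/tcp          www         # WorldWideWeb HTTP
https           443/tcp'

# resolve_service NAME [PROTO]
# Prints one "PORT/PROTO" line per protocol that the table lists for NAME
# (canonical name or alias), restricted to PROTO when given. Returns 1 when
# nothing matches, the case where ufw reports an error instead of adding a rule.
resolve_service() {
    name=$1
    proto=${2:-}
    if [ -n "${SERVICES_FILE:-}" ]; then
        table=$(cat "$SERVICES_FILE")
    else
        table=$SERVICES_TABLE
    fi
    result=$(printf '%s\n' "$table" | awk -v name="$name" -v proto="$proto" '
        /^[ \t]*#/ || NF < 2 { next }                # comments and blank lines
        {
            hit = ($1 == name)                       # field 1: canonical name
            for (i = 3; i <= NF; i++) {              # fields 3..: aliases
                if ($i ~ /^#/) break                 # trailing comment starts
                if ($i == name) hit = 1
            }
            if (!hit) next
            split($2, pp, "/")                       # field 2: port/proto
            if (proto != "" && pp[2] != proto) next
            print pp[1] "/" pp[2]
        }')
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# ufw_rule ACTION SPEC
# SPEC is what you type after "ufw allow"/"ufw deny": a service name, name/proto,
# a port, or port/proto. Prints the numeric rule(s) that end up being handed to
# iptables, one per line, e.g. "allow 22/tcp".
ufw_rule() {
    action=$1
    spec=$2
    case $spec in
        */*) target=${spec%%/*}; proto=${spec#*/} ;;
        *)   target=$spec; proto= ;;
    esac
    case $target in
        ''|*[!0-9]*)
            # a service name: every protocol listed in the table becomes a rule
            ports=$(resolve_service "$target" "$proto") || {
                printf 'unknown service: %s\n' "$target" >&2
                return 1
            }
            for pp in $ports; do printf '%s %s\n' "$action" "$pp"; done
            ;;
        *)
            # a bare port number: ufw applies it to both tcp and udp unless
            # a protocol is given
            if [ -n "$proto" ]; then
                printf '%s %s/%s\n' "$action" "$target" "$proto"
            else
                printf '%s %s/tcp\n%s %s/udp\n' "$action" "$target" "$action" "$target"
            fi
            ;;
    esac
}

# Demo: the three forms from the question
for spec in ssh 22/tcp ssh/tcp; do
    printf 'ufw allow %s expands to:\n' "$spec"
    ufw_rule allow "$spec" | sed 's/^/    /'
done
```

With the constructed table, ufw allow ssh expands to both 22/tcp and 22/udp, while ufw allow 22/tcp and ufw allow ssh/tcp each expand to 22/tcp only. Before relying on a service-name rule on a real host, check what the name actually resolves to there with grep -w '^ssh' /etc/services (or run the script with SERVICES_FILE=/etc/services), since a name that maps to one protocol on one machine may map to two on another.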