How do I allow multiple ports simultaneously in UFW?
You can allow multiple (TCP or UDP) ports in this way:
ufw allow 22,25,80,443,9000 proto tcp
Or you can add a range of ports in this way (source and more explanations):
ufw allow 11200:11299 proto tcp
For more complicated configurations you can create custom configuration files that could contain one or more custom profiles. For example (man ufw; complete example):
$ cat /etc/ufw/applications.d/my-custom-profiles
[MyCustomProfile]
title=Some title
description=Some description
ports=22,25,80,443/tcp|9000,9005:9007/tcp
You can allow any profile in this way:
ufw allow MyCustomProfile
For anyone dealing with the message
WARN: "Invalid ports in profile 'cassandra'"
or just trying to set up Cassandra on UFW in Ubuntu: I found the above pa4080 ports= example to be the only thing I could get to work. Having found that, I carefully worked back through it, and it seems that for more than one port UFW wants /tcp (or I assume something else equally as valid) on the last port.
[cassandra]
title=cassandra ufw rules
description=cassandra needs these ports to run
ports=22,7000,7001,7199,9042,9142,9160/tcp
I found this to be the complete, acceptable entry for UFW.
Having spent a fair amount of time reading the documentation, I will follow with my notes that may be of interest.
Public port
| Port number | Description |
|---|---|
| 22 | SSH port |
Cassandra inter-node ports
| Port number | Description |
|---|---|
| 7000 | Cassandra inter-node cluster communication. |
| 7001 | Cassandra SSL inter-node cluster communication. |
| 7199 | Cassandra JMX monitoring port. |
Cassandra client ports
| Port number | Description |
|---|---|
| 9042 | Cassandra client port. |
| 9160 | Cassandra client port (Thrift). |
| 9142 | Default for native_transport_port_ssl, useful when both encrypted and unencrypted connections are required. |
To do this manually:
sudo ufw allow 22
sudo ufw allow 7001
sudo ufw allow 7199
sudo ufw allow 7000
sudo ufw allow 9042
sudo ufw allow 9160
sudo ufw allow 9142
Ports 7000 and 9042 must be available for external nodes to connect to. As a security measure, limit connections to these ports to only the IP addresses of any other nodes in the cluster.
ufw allow proto tcp from [external_node_ip_address] to any port 7000,9042 comment "Cassandra TCP"
Next step is:
ufw allow from 192.168.0.0/16 to any app cassandra
and test that.
I experimentally found that the message: "Invalid ports in profile *****"
occurs only if you do not specify the protocol. For example:
ports=5900:5910 - is incorrect!
ports=5900:5910/tcp - is correct!
This only applies to the situation of specifying a port range.
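The ports= rule the answers above arrive at, written as a small linter that can be run on a profile before it is dropped into /etc/ufw/applications.d. This is an added example, not code from any of the answers or from UFW: it follows the ufw man page in requiring a protocol for both comma lists and start:end ranges, and the names `check_entry` and `lint_profiles` and the `*-broken` sample profiles are constructed for illustration.

```python
import configparser

def check_entry(entry):
    """Return the problems found in one '|'-separated piece of a ports= value."""
    problems = []
    spec, slash, proto = entry.strip().partition("/")
    # Assumption of this example: only tcp and udp are accepted as protocols.
    if slash and proto not in ("tcp", "udp"):
        problems.append(f"{entry}: unknown protocol {proto!r}")
    # A comma list or a start:end range must name its protocol; one port need not.
    if not slash and ("," in spec or ":" in spec):
        problems.append(f"{entry}: list or range needs /tcp or /udp")
    for item in spec.split(","):
        bounds = item.split(":")
        if len(bounds) > 2 or not all(b.isdecimal() and 1 <= int(b) <= 65535 for b in bounds):
            problems.append(f"{entry}: bad port {item!r}")
    return problems

def lint_profiles(text):
    """Map each profile name to the problems in its ports= line (empty list = clean)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {
        name: [p for e in parser.get(name, "ports", fallback="").split("|")
               for p in check_entry(e)]
        for name in parser.sections()
    }

# Constructed sample: two profiles that would be rejected, one that is accepted.
SAMPLE = """\
[cassandra-broken]
title=cassandra ufw rules
description=port list with no protocol
ports=22,7000,7001,7199,9042,9142,9160

[cassandra]
title=cassandra ufw rules
description=cassandra needs these ports to run
ports=22,7000,7001,7199,9042,9142,9160/tcp

[vnc-broken]
title=vnc
description=port range with no protocol
ports=5900:5910
"""

if __name__ == "__main__":
    for name, problems in lint_profiles(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```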