Thanks Lisa, having the commands to add and the rules to add is very helpful. A couple of clarifications will help me as well.

sudo ufw deny from 192.168.0.1 to any port 22
## Assuming 192.168.0.1 was my router/gateway, the above rule would block any access from outside the LAN, yes?

sudo ufw deny from 192.168.0.7 to any port 22
## I believe you added this just as an example of blocking a single address on the LAN.

sudo ufw allow from 192.168.0.0/24 to any port 22
## Clear, but I have always wondered if the 0/24 just means the first 24 bits must match and the last 8 can be anything?

Also:

1) If I normally plugged this machine into 192.168.1.x, 192.168.2.x and 198.162.3.x LANs, would I just repeat the 3 rules with changed numbers? Or is there an easier way?

2) Does UFW allow environment variable substitution in its rules? I already set such variables as part of the PXE server portability.

3) Do both TCP and UDP need blocking/allow for ssh on port 22?

On Tue, Oct 16, 2012 at 4:27 PM, Lisa Kachold wrote:

> Hi Larry!
>
> On Tue, Oct 16, 2012 at 4:14 PM, Dazed_75 wrote:
>
>> Can anyone tell me how to make a ufw (uncomplicated firewall) rule to
>> allow incoming ssh but only from the LAN or even a specific LAN. Not sure
>> I need to specify an alternate port, but that would be good to know as well.
>
> UFW rule:
>
> *advanced allow example for allowing access from an ip address range
> 10.120.0.1 - 10.120.0.255 to port 22*
>
> sudo ufw allow from 10.0.0.0/24 to any port 22
>
> You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but
> allow all other 192.168.0.x IPs to have access to port 22.
>
> Code:
>
> sudo ufw deny from 192.168.0.1 to any port 22
> sudo ufw deny from 192.168.0.7 to any port 22
> sudo ufw allow from 192.168.0.0/24 to any port 22
>
> If you do the allow statement before either of the deny statements, it will
> be matched first and the deny will not be evaluated.
>
> You can check this by checking ufw status.
>
> Code:
>
> sudo ufw status
>
> To        Action   From
> --        ------   ----
> 22:tcp    DENY     192.168.0.1
> 22:udp    DENY     192.168.0.1
> 22:tcp    DENY     192.168.0.7
> 22:udp    DENY     192.168.0.7
> 22:tcp    ALLOW    192.168.0.0/24
> 22:udp    ALLOW    192.168.0.0/24
>
> The allow is at the bottom and will be the last command evaluated; if it
> appeared above the deny rules, the deny rules would not be evaluated.
>
> Reference: http://ubuntuforums.org/showthread.php?t=823741
>
>> Dazed_75 a.k.a. Larry
>>
>> Please protect my address like I protect yours. When sending messages to
>> multiple recipients, always use the BCC: (Blind carbon copy) and not To: or
>> CC:. Remove all addresses from the message body before sending a Forwarded
>> message. This can prevent spy programs capturing addresses from the
>> recipient list and message body.
>
> --
> it-clowns.com
> Chief Clown

--
Dazed_75 a.k.a. Larry
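The rule ordering Lisa describes (host-level deny lines added before the subnet-wide allow, because ufw stops at the first matching rule) and the /24 question Larry raises, as an added example that is not part of the original thread. The script below is not ufw's own code; it is a POSIX sh helper that checks CIDR membership with plain integer arithmetic and then prints the ufw commands for any number of LANs, so the same three lines do not have to be retyped per subnet. It only prints the commands, so it runs without root or ufw installed; the subnets and blocked hosts used at the bottom are constructed for illustration. The `-h` option, the `ssh_rules` and `in_cidr` function names and the use of shell variables for the subnet list are this example's own conventions: ufw has no variable syntax of its own, the shell expands `$VARS` before ufw ever sees the command line. `proto tcp` is added because ssh uses only TCP; without it ufw creates matching rules for both TCP and UDP, which is why the quoted `ufw status` output lists both.

```shell
#!/bin/sh
# Added example: CIDR membership check plus ufw rule generation for several LANs.
# Commands are printed, not executed; pipe the output into "sudo sh" to apply.

# ip_to_int ADDR: dotted quad -> 32-bit integer (POSIX sh, no bashisms).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeeds when the first PREFIX bits of ADDR equal
# those of NET. For /24 the first 24 bits must match and the last 8 are free,
# so 192.168.0.77 is inside 192.168.0.0/24 and 192.168.1.5 is not.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# ssh_rules [-h HOST]... SUBNET...: print ufw commands for each LAN.
# ufw evaluates rules top to bottom and stops at the first match, so each
# host deny is emitted before the allow for the subnet that contains it.
# "proto tcp" restricts the rule to TCP, which is all ssh needs.
ssh_rules() {
    port=22
    blocked=""
    while [ "$1" = "-h" ]; do
        blocked="$blocked $2"
        shift 2
    done
    for subnet in "$@"; do
        for host in $blocked; do
            if in_cidr "$host" "$subnet"; then
                echo "ufw deny from $host to any port $port proto tcp"
            fi
        done
        echo "ufw allow from $subnet to any port $port proto tcp"
    done
}

# Constructed usage: two LANs, two hosts to shut out on the first one.
# Each line is one command; prefix with sudo (or pipe into "sudo sh") to apply.
ssh_rules -h 192.168.0.1 -h 192.168.0.7 192.168.0.0/24 192.168.1.0/24
```

After applying, `sudo ufw status numbered` shows the rules with their positions; if a deny ends up below an allow that already covers the host, `sudo ufw delete NUM` and `sudo ufw insert 1 deny from HOST to any port 22 proto tcp` put it back in front.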