On Tue, Oct 16, 2012 at 4:14 PM, Dazed_75 <lthielster@gmail.com> wrote:

Can anyone tell me how to make a ufw (uncomplicated firewall) rule to allow incoming ssh but only from the LAN or even a specific LAN. Not sure I need to specify an alternate port, but that would be good to know as well.

UFW rule:

advanced allow example for allowing access from an ip address range 10.120.0.1 - 10.120.0.255 to port 22

sudo ufw allow from 10.0.0.0/24 to any port 22

you want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22

Code:

sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22

if you do the allow statement before either of the deny statements it will be matched first and the deny will not be evaluated.

you can check this by checking ufw status

Code:

sudo ufw status
To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24

the allow is at the bottom and will be the last command evaluated if it appeared above the deny rules the deny rules would not be evaluated.

Reference: http://ubuntuforums.org/showthread.php?t=823741

Dazed_75 a.k.a. Larry

Please protect my address like I protect yours. When sending messages to multiple recipients, always use the BCC: (Blind carbon copy) and not To: or CC:. Remove all addresses from the message body before sending a Forwarded message. This can prevent spy programs capturing addresses from the recipient list and message body.