# # rules.input-after # # Rules that should be run after the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-after-input # ufw-after-output # ufw-after-forward # # Don't delete these required lines, otherwise there will be errors *filter :ufw-after-input - [0:0] :ufw-after-output - [0:0] :ufw-after-forward - [0:0] # End required lines ## allow connections to the local services from WAN # ssh 22/tcp -A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT # https 443/tcp -A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT # don't log noisy services by default -A ufw-after-input -p udp --dport 137 -j RETURN -A ufw-after-input -p udp --dport 138 -j RETURN -A ufw-after-input -p tcp --dport 139 -j RETURN -A ufw-after-input -p tcp --dport 445 -j RETURN -A ufw-after-input -p udp --dport 67 -j RETURN -A ufw-after-input -p udp --dport 68 -j RETURN # catchall for logging -A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err -A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err # don't delete the 'COMMIT' line or these rules won't be processed COMMIT