
How to block (filter) an ip address with UFW

So because I searched a long time until I found the proper answer about how to block an IP address with UFW, I thought it might be useful for newcomers to get it right. So, long story short, to block an IP with UFW (Uncomplicated Firewall) you have to issue this command as root:

Code:
# ufw insert 1 deny out from any to x.x.x.x


where x.x.x.x is the IP you want to block; you can use IP ranges in CIDR format too, like x.x.x.x/10.

So this will do as follows:
1) It will make this the first rule, so any more permissive rule would be ignored.
2) Any traffic originating from any local IP (from your host) toward the specified IP will be filtered (in n00b terms blocked, so use filtered instead ;)).
3) To test whether your desired IP was filtered, try to ping it ("ping x.x.x.x"); if you did it right, the ping will fail.

It's enough to block only outgoing traffic, as UFW by default blocks incoming traffic that was not requested by your machine. This would work for a desktop PC, but if you want to run a server you have to filter incoming traffic too, like this:

Code:
# ufw insert 1 deny from x.x.x.x to any

Hope I'm not missing anything on this topic; anyone, feel free to improve this. Cheers!
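Putting the two commands above together, as an added example that is not part of the original post: a small POSIX shell helper that validates the address (IPv4, optional CIDR prefix) before building the outbound rule, and adds the inbound rule when the host is a server. The address 203.0.113.7 is a documentation-range placeholder, and apply_block assumes ufw is installed and you are root.

```shell
#!/bin/sh
# Added example (not from the original post): build the UFW deny rules the post
# describes, after validating the address, and optionally preview them.

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32); otherwise return 1.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -f; set -- $addr; set +f               # split into octets, no globbing
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules from the post: the outbound deny always (enough for a desktop,
# since UFW drops unsolicited inbound traffic by default) and the inbound deny
# as well when the host is a server. Both go to position 1 so they win over
# any more permissive rule that follows.
ufw_block_rules() {
    target=$1; role=${2:-desktop}
    valid_ipv4_cidr "$target" || { echo "invalid IPv4 address or CIDR: $target" >&2; return 1; }
    echo "ufw insert 1 deny out from any to $target"
    [ "$role" = server ] && echo "ufw insert 1 deny from $target to any"
    return 0
}

# Run the rules as root. With "preview", use ufw's --dry-run, which prints the
# iptables rules it would load without changing the firewall. Check afterwards
# with: ufw status numbered
apply_block() {
    mode=$1; shift
    ufw_block_rules "$@" | while IFS= read -r rule; do
        if [ "$mode" = preview ]; then ufw --dry-run ${rule#ufw }; else $rule; fi
    done
}

# Demo with a documentation-range placeholder address (constructed, not a real target).
ufw_block_rules 203.0.113.7 server
```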

Re: How to block (filter) an ip address with UFW

Reply #1
Just a bit of vocabulary improvement.

At the moment you add a firewall, every packet is filtered, since all of them go through the filter (your firewall), no matter if it is accepted or denied.

Blocked is actually not a "n00b" thing. Blocked packets fall into two subcategories: the rejected ones and the dropped ones.

The rejected packets get an answer saying the packet has failed to find its route to the peer, so the packet can be emitted again or the connection can be directly closed. Also, there are different ways of rejecting a packet that can be set depending on the needs.

The dropped packets will not get an answer and will wait for a timeout to close the connection on TCP, or will never know the packet was dropped on UDP.

I don't exactly know what ufw means by "deny"; you would have to look at the iptables (or nftables, if they made the move) rules that it creates to have more information.

Re: How to block (filter) an ip address with UFW

Reply #2
I've heard many times from professionals that they almost every time avoid saying "block IP"; instead they choose the words "filter/filtered IP". Of course a firewall filters all traffic, but when you refer to an IP, saying you filter that IP in networking means you are going to block it. Anyway, it's not that important how you say it, though.