Ubuntu – How does ufw handle conflicting rules


I recently had the following conflicting rules on ufw

445/tcp ALLOW

445 DENY anywhere

445 DENY anywhere IPV6

because I first blocked 445 to then allow it only on my subnet. I was doing that as part of the Samba configuration on my local network, and I noticed that such conflicting rules did not impact some of my devices (2 PCs and a PlayStation connecting to the Samba server) but did impact an Android phone connecting to the server.

I could do some tests here to try to infer how ufw handles those "conflicting rules"; however, I thought I would probably get a more accurate answer here =D

Does ufw overwrite the ALLOWs on top of the DENYs? Or how does it handle those types of conflicts?

Best Answer

ufw does not "handle the conflicts" in any way, it just puts the rules into an iptables chain which follows the first-match policy.

So if a packet matches a rule which drops it, it will be dropped regardless of any other matching rules which may follow.
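To make the first-match behaviour described in the answer concrete, here is a small added simulation (not part of the original answer, and not ufw's or iptables' code) that evaluates a list of ufw-style rules in order and returns the action of the first rule that matches a packet. The rule values (port 445, the 192.168.1.0/24 subnet, the sample source addresses) and the default DENY policy for incoming traffic are constructed for the example; the point it shows is that the same three rules give opposite results for a host on the subnet depending purely on their order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    """One ufw-style rule: action, destination port, optional protocol, source network."""
    action: str           # "ALLOW" or "DENY"
    port: int
    proto: Optional[str]  # "tcp", "udp", or None for "any protocol" (ufw's bare "445")
    src: Network          # 0.0.0.0/0 or ::/0 stands for "Anywhere"

    def matches(self, packet: dict) -> bool:
        if packet["port"] != self.port:
            return False
        if self.proto is not None and packet["proto"] != self.proto:
            return False
        src = ipaddress.ip_address(packet["src"])
        # A v4 rule never matches a v6 packet and vice versa (ufw keeps separate v6 rules).
        if src.version != self.src.version:
            return False
        return src in self.src


def first_match(rules, packet: dict, default: str = "DENY"):
    """Walk the chain top to bottom; the first matching rule decides, later ones are never consulted.
    `default` plays the role of the chain policy (assumed DENY for incoming here)."""
    for index, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, index
    return default, None


# Constructed rules mirroring the question: a protocol-less DENY for 445 (v4 and v6)
# and an ALLOW for 445/tcp restricted to a hypothetical LAN subnet.
ANYWHERE_V4 = ipaddress.ip_network("0.0.0.0/0")
ANYWHERE_V6 = ipaddress.ip_network("::/0")
LAN = ipaddress.ip_network("192.168.1.0/24")

DENY_445_V4 = Rule("DENY", 445, None, ANYWHERE_V4)
DENY_445_V6 = Rule("DENY", 445, None, ANYWHERE_V6)
ALLOW_445_LAN = Rule("ALLOW", 445, "tcp", LAN)

# Order in which the question added them: block first, allow afterwards.
DENY_FIRST = [DENY_445_V4, DENY_445_V6, ALLOW_445_LAN]
# Order that actually lets the subnet through: the ALLOW must sit above the DENY.
ALLOW_FIRST = [ALLOW_445_LAN, DENY_445_V4, DENY_445_V6]

# Constructed sample packets.
LAN_TCP = {"src": "192.168.1.20", "port": 445, "proto": "tcp"}
LAN_UDP = {"src": "192.168.1.20", "port": 445, "proto": "udp"}
WAN_TCP = {"src": "203.0.113.9", "port": 445, "proto": "tcp"}
V6_TCP = {"src": "2001:db8::1", "port": 445, "proto": "tcp"}
LAN_SSH = {"src": "192.168.1.20", "port": 22, "proto": "tcp"}


def demo():
    """Return the verdict for each packet under both orderings, keyed by ordering name."""
    return {
        "deny_first": {name: first_match(DENY_FIRST, p)[0]
                       for name, p in [("lan_tcp", LAN_TCP), ("wan_tcp", WAN_TCP)]},
        "allow_first": {name: first_match(ALLOW_FIRST, p)[0]
                        for name, p in [("lan_tcp", LAN_TCP), ("lan_udp", LAN_UDP),
                                        ("wan_tcp", WAN_TCP), ("v6_tcp", V6_TCP),
                                        ("lan_ssh", LAN_SSH)]},
    }


if __name__ == "__main__":
    for ordering, verdicts in demo().items():
        print(ordering, verdicts)
```

With the DENY rules listed first, a LAN host's SMB connection hits rule 1 and is dropped even though rule 3 would have allowed it; with the ALLOW moved to the top the LAN host is accepted while everything else (other sources, UDP, IPv6, unrelated ports) still falls through to a DENY. On a real ufw host the position is controlled with `ufw status numbered` to see the order and `ufw insert 1 allow from 192.168.1.0/24 to any port 445 proto tcp` to place the ALLOW above the existing DENY, rather than appending it with plain `ufw allow`.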

