In an earlier article we discussed how to add comments to iptables rules for clarity and documentation. In our opinion it is a good practice to comment anything someone else may have to work on in the future. Using comments in scripting is a common practice for good reason. We decided to write a quick tip on how to add a comment to UFW (Uncomplicated Firewall) rules.
I am not a huge fan of UFW or Firewalld. In my opinion they make managing netfilter harder, not easier. That is because I started using iptables over 20 years ago. I am very comfortable with it and tend to know the necessary syntax off the top of my head. That being said, adding a comment to UFW rules is much more intuitive than any other iptables front end.
Adding Comments to UFW Rules
Making UFW rules is beyond the scope of this quick tip. However, if you want a good article for learning the basics of UFW read "Introduction to UFW, Uncomplicated Firewall Basics".
Let's take a look at the basic syntax of a comment. Appending the following to any rule will add a comment. Simple.
comment 'This is a comment'
Here is an example of the full syntax of a UFW rule with a comment.
ufw <rule info here> comment 'This is a comment'
Examples of UFW Rules with Comments
Now let's take a look at some real world examples.
Here we are opening port 22 for SSH and adding a comment to reflect that.
sudo ufw allow 22 comment 'Allow SSH Access'
Now, it may seem silly to add a comment to UFW rules that are so simple, but let's take a look at something a little more complicated. Here we are allowing SSH from a specific subnet. The comment is helpful because we can tell someone looking at the config what the subnet/VLAN is used for.
sudo ufw allow from 192.168.1.0/24 to any port 22 comment 'Allow SSH from Admin VLAN'
Next we will allow a specific IP address to access our Plex Media Server. When someone else looks at this rule they won't have to guess whose IP address this is. They can look at the comment and instantly understand why the rule is in place.
sudo ufw allow from 192.168.5.60 to any port 32400 comment 'Allow Mikes workstation to Access Plex Media Server'
As rules get more and more complex the comment becomes increasingly important. You can make the comments as detailed or as vague as you like. I even know one IT team that used comments to notate the ticket number for which the rule was requested and who made the change. It's just another tool at your disposal.
Viewing Rules and Comments on UFW
You can view the rules and the comments you have added to UFW by using the status option.
sudo ufw status verbose
Sample Output (I prefer verbose output, but it is not necessary)
savona@ubuntudev:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                   # Allow Incoming SSH Connections
22                         ALLOW IN    192.168.1.0/24             # Allow SSH from Admin VLAN
32400                      ALLOW IN    192.168.5.60               # Allow Mikes workstation to Access Plex Media Server
22 (v6)                    ALLOW IN    Anywhere (v6)              # Allow Incoming SSH Connections
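Since the whole point of commenting is that nobody has to guess what a rule is for, it helps to be able to find the rules that were never commented. The following script is an added example, not part of the original article: it parses the table that `ufw status` prints (the sample status text below is constructed to mirror the output above, with one rule left uncommented on purpose) and lists every rule row that carries no `# comment`.

```shell
#!/bin/sh
# Added example: report UFW rules that have no comment attached.
# Works on the table printed by `sudo ufw status` / `ufw status verbose`.

# Print each rule row (after the "--  ------  ----" separator) that has
# no "# comment" field. Reads the status text on stdin.
uncommented_rules() {
    awk '
        /^--/     { in_rules = 1; next }   # separator line ends the header
        !in_rules { next }                 # skip Status/Logging/Default lines
        NF == 0   { next }                 # skip blank lines
        $0 !~ /#/ { print }                # no "#" means no comment
    '
}

# Return the number of uncommented rules in the status text given as $1.
count_uncommented() {
    printf '%s\n' "$1" | uncommented_rules | wc -l | tr -d ' '
}

# Constructed sample of `ufw status verbose` output (not captured from a
# real host): rules 1 and 4 deliberately lack a comment.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22                         ALLOW IN    192.168.1.0/24             # Allow SSH from Admin VLAN
32400                      ALLOW IN    192.168.5.60               # Allow Mikes workstation to Access Plex Media Server
22 (v6)                    ALLOW IN    Anywhere (v6)'

# Demonstration on the sample: prints the two undocumented rule rows.
if [ "$(count_uncommented "$SAMPLE_STATUS")" -gt 0 ]; then
    echo "Rules without a comment:"
    printf '%s\n' "$SAMPLE_STATUS" | uncommented_rules
fi
```

On a live system, pipe the real output in instead of the sample: `sudo ufw status | uncommented_rules`.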
Add Comment to an Existing UFW Rule
It's simple to add comments to existing rules. Just type in the exact same rules and add the comment.
Here is a sample UFW configuration:
As you can see, the first rule (22) does not have a comment. Let's enter the same rule, but this time include a comment.
sudo ufw allow 22 comment 'Allow Incoming SSH Connections'
As you can see in the screenshot below, the comment is added to the rule.