Question

How to activate ufw for Apache ?

Posted on December 26, 2019
Apache
Asked by ZajaczkowskiMathias

I followed your tutorial to install Apache/Tomcat 8.5 on Debian. Then I followed your advice to install ufw. However Apache does not show in “ufw app list” and it does not seem to filter IP addresses I added with “ufw deny from” Example: ufw deny from 46.229.0.0/16 /var/log/apache2/access.log … 46.229.168.131 - - [26/Dec/2019:07:41:24 +0100] "GET /myWebApp/servlet/ etc … What have I missed ?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys

Site Moderator

• December 26, 2019

Accepted Answer

Hi @ZajaczkowskiMathias,

I’ll most probably guess you have put the rule at the bottom. The order of the firewall rules is important. Since you have allowed port 80 for all( I would only assume) at the beginning, this rule will match for all request and the deny rule that comes later will never be matched.

So, if you need to block something particularly, put it at the beginning and then allow all.

To see your rules with a reference number, use this:

sudo ufw status numbered

Then remove the deny rule first that you have added:

sudo ufw delete rule_number_here

Then add it again at the top:

sudo ufw insert 1 deny from xx.xx.xx.xx to any

Regards, KDSys

ZajaczkowskiMathias • December 26, 2019

Hi KDSys, Thanks a lot for your help. Your guess about the place where I put the rule is right!

My ufw status says: Status: active

 To                         Action      From
 --                         ------      ----

[ 1] 22 DENY IN Anywhere [ 2] 50683 ALLOW IN Anywhere [ 3] 80 DENY IN Anywhere [ 4] 443 ALLOW IN Anywhere [ 5] Anywhere DENY IN 216.244.66.195 [ 6] 5432 ALLOW IN Anywhere [ 7] 5555 ALLOW IN Anywhere [ 8] Anywhere DENY IN 91.242.162.70 [ 9] Anywhere DENY IN 157.55.0.0/22 [10] Anywhere DENY IN 216.245.221.82 [11] Anywhere DENY IN 66.249.0.0/22 [12] Anywhere DENY IN 3.233.224.8 [13] Anywhere DENY IN 40.77.0.0/22 [14] Anywhere DENY IN 85.25.177.219 [15] Anywhere DENY IN 46.229.0.0/16 [16] Anywhere DENY IN 157.55.0.0/16 [17] Anywhere DENY IN 66.249.0.0/16 [18] Anywhere DENY IN 40.77.0.0/16 [19] Anywhere DENY IN 207.46.0.0/16 [20] Anywhere DENY IN 17.58.0.0/16 [21] 22 DENY IN Anywhere (v6) [22] 50683 ALLOW IN Anywhere (v6) [23] 80 DENY IN Anywhere (v6) [24] 443 ALLOW IN Anywhere (v6) [25] 5432 ALLOW IN Anywhere (v6) [26] 5555 ALLOW IN Anywhere (v6)

So if I understand you correctly I have to: ufw delete 15 ufw insert 1 deny from 46.229.0.0/16 to any

That’s what I did and now ufw staus says: Status: active

 To                         Action      From
 --                         ------      ----

[ 1] Anywhere DENY IN 46.229.0.0/16 [ 2] 22 DENY IN Anywhere [ 3] 50683 ALLOW IN Anywhere [ 4] 80 DENY IN Anywhere [ 5] 443 ALLOW IN Anywhere etc …

Does it look correct ? I’ll check soon my ufw.log and if I see some 46.229.xxx.yyy blocked, I’ll repeat it for my other DENY’s with ufw insert 2(3,4, etc) deny from …

Do I have to do something similar for v6 rules ?

Kind regards.