Using gufw, my deny-from rule keeps showing up as rule 12, ahead of the postfix allows. Does order matter?

Asked by rudy de haas

I tried to use gufw to deny all access from 212.70.149.0/32 .

Whether I add the rule using the GUI or directly, it shows up as rule 12 and thus before the rules allowing access to postfix. Does the order matter? And, if so, how do I get it to be rule 23 (the next empty one)? In the GUI, if I set it to 23 it reports that I can't insert it beyond the number of rules already there (22); insert after 0 and it shows up as rule 12.

Question information

Language: English
Status: Answered
For: Ubuntu ufw
Assignee: No assignee
costales (costales) said :
#1

Hi,

Yes, the order is important. You have a field in the Add Rule popup for inserting
a rule in a specific place.

Best regards.

rudy de haas (rudydehaas) said :
#2

Thanks - but no. It automatically inserts the rule as #12, after the last v4 and before the v6 ones. There's something I'm missing here - a manual sure would be nice! - Here's my ufw status:
```shell
$ ufw status
Status: active

To                         Action      From
--                         ------      ----
80,443/tcp                 ALLOW       Anywhere
8008/tcp                   ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
Anywhere                   DENY        212.70.149.1
Anywhere                   DENY        212.70.149.19
Anywhere                   DENY        78.128.113.115
Anywhere                   DENY        212.70.149.0/24
80,443/tcp (v6)            ALLOW       Anywhere (v6)
8008/tcp (v6)              ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)
587/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
143/tcp (v6)               ALLOW       Anywhere (v6)
```

but I still see:

```text
Jul 28 09:40:42 mail postfix/smtpd[13206]: disconnect from unknown[212.70.149.19] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 28 09:40:45 mail postfix/smtpd[14590]: warning: unknown[212.70.149.51]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
```

What am I missing?

costales (costales) said :
#3

Hi,

Moved to ufw.

Best regards.

simohe (simohe) said :
#4

The rules are applied from top to bottom, the first matching rule wins. So you have to insert your DENY rules before the ACCEPT rules.
See https://help.ubuntu.com/community/UFW#Advanced_Example for an example.

To get the line numbers, run `ufw status numbered`.

Not sure if your ufw has IPv6 enabled, because it contains no rules.

rudy de haas (rudydehaas) said :
#5

IP6 is not enabled.

The rule application order is as shown:

```shell
rt % ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80,443/tcp                 ALLOW IN    Anywhere
[ 2] 8008/tcp                   ALLOW IN    Anywhere
[ 3] 21/tcp                     ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 25/tcp                     ALLOW IN    Anywhere
[ 7] 465/tcp                    ALLOW IN    Anywhere
[ 8] 587/tcp                    ALLOW IN    Anywhere
[ 9] 22/tcp                     ALLOW IN    Anywhere
[10] 143/tcp                    ALLOW IN    Anywhere
[11] 993/tcp                    ALLOW IN    Anywhere
[12] Anywhere                   DENY IN     212.70.149.0/24
[13] Anywhere                   DENY IN     78.128.113.0/24
[14] Anywhere                   DENY IN     212.70.149.51
[15] Anywhere                   DENY IN     212.70.149.19
[16] Anywhere                   DENY IN     212.70.149.82
[17] 80,443/tcp (v6)            ALLOW IN    Anywhere (v6)
[18] 8008/tcp (v6)              ALLOW IN    Anywhere (v6)
[19] 21/tcp (v6)                ALLOW IN    Anywhere (v6)
[20] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[21] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[22] 25/tcp (v6)                ALLOW IN    Anywhere (v6)
[23] 465/tcp (v6)               ALLOW IN    Anywhere (v6)
[24] 587/tcp (v6)               ALLOW IN    Anywhere (v6)
[25] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[26] 143/tcp (v6)               ALLOW IN    Anywhere (v6)
[27] 993/tcp (v6)               ALLOW IN    Anywhere (v6)
```

simohe (simohe) said :
#6

Sorry, I do not get your goal. What result do you expect? That some port or address is open or blocked? Which one?

There is no rule number 0, so you cannot insert before 0. Use 1 to insert it at the top.

This works for me:
```shell
$ sudo ufw status numbered
Status: active

     To Action From
     -- ------ ----
[ 1] 8080:8090/tcp ALLOW IN Anywhere # mywww
[ 2] WWW Full ALLOW IN Anywhere
[ 3] 8080:8090/tcp (v6) ALLOW IN Anywhere (v6) # mywww
[ 4] WWW Full (v6) ALLOW IN Anywhere (v6)

$ sudo ufw insert 1 deny in 58888/tcp
Rule inserted
Rule added (v6)

$ sudo ufw status numbered
Status: active

     To Action From
     -- ------ ----
[ 1] 58888/tcp DENY IN Anywhere
[ 2] 8080:8090/tcp ALLOW IN Anywhere # mywww
[ 3] WWW Full ALLOW IN Anywhere
[ 4] 8080:8090/tcp (v6) ALLOW IN Anywhere (v6) # mywww
[ 5] WWW Full (v6) ALLOW IN Anywhere (v6)
[ 6] 58888/tcp (v6) DENY IN Anywhere (v6)

$ sudo ufw insert 1 deny in from 8.8.8.8

$ sudo ufw status numbered
Status: active

     To Action From
     -- ------ ----
[ 1] Anywhere DENY IN 8.8.8.8
[ 2] 58888/tcp DENY IN Anywhere
[ 3] 8080:8090/tcp ALLOW IN Anywhere # mywww
[ 4] WWW Full ALLOW IN Anywhere
[ 5] 8080:8090/tcp (v6) ALLOW IN Anywhere (v6) # mywww
[ 6] WWW Full (v6) ALLOW IN Anywhere (v6)
[ 7] 58888/tcp (v6) DENY IN Anywhere (v6)

$ # to insert an ipv6 only rule (ipv6 address):
sudo ufw insert 1 deny in from ::8:8:8
ERROR: Invalid position '1'
$ sudo ufw insert 5 deny in from ::8:8:8
Rule inserted (v6)
```
(ipv6 is enabled for ufw, but 8.8.8.8 is an ipv4 address, so it is only there. Same for your setup.)

simohe (simohe) said :
#7

By the way, there are two orders. One for IPv4 (1 to 16 in your example) and one for IPv6 (17 to 27). Only IPv4 OR IPv6 is checked (so for us usually IPv4). Maybe we should propose showing a delimiter between them.

rudy de haas (rudydehaas) said :
#8

My goal was to get:

```shell
Anywhere DENY IN 212.70.149.0/24
```

i.e. drop anything incoming from the 212.70.149. subnet.

In the end I got hold of the ISP serving that group and got them to stop it.

simohe (simohe) said :
#9

You have to place DENY before ALLOW (because the first of DENY/ALLOW/REJECT/... wins). So insert them before rule 1 (at least in the CLI; there is no "insert after").

CLI:

```shell
ufw insert 1 deny from 212.70.149.0/24
```

I do not see how to configure ordering in GUI on https://help.ubuntu.com/community/Gufw (it is not installed here).
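The first-match and two-families behaviour described in comments #4, #7 and #9 can be replayed offline. The following is an added example, not ufw's own code and not part of this thread: it parses the text layout of `ufw status numbered` (the listing below is a constructed sample abbreviated from comment #5), evaluates a packet against the rules top to bottom within one address family, reports DENY rules that an earlier ALLOW already pre-empts, and models `ufw insert` positions the way the thread shows them (1-based, and a v6-only rule cannot go at a v4 position). It assumes ufw's default incoming policy of deny and does not expand application profiles such as "WWW Full".

```python
"""Replay ufw's first-match evaluation over a parsed `ufw status numbered` listing.
Added example, not ufw code; it never invokes ufw. Assumed: default incoming
policy is deny, and application profiles ("WWW Full") are not expanded."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the listing in comment #5 of the thread.
SAMPLE_STATUS = """\
     To                         Action      From
     --                         ------      ----
[ 1] 25/tcp                     ALLOW IN    Anywhere
[ 2] 587/tcp                    ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     212.70.149.0/24
[ 4] 25/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 587/tcp (v6)               ALLOW IN    Anywhere (v6)
"""
ACTIONS = ("ALLOW", "DENY", "REJECT")

@dataclass
class Rule:
    to: str         # "Anywhere", "25/tcp", "80,443/tcp", "8080:8090/tcp"
    action: str
    direction: str  # "IN" or "OUT"
    source: str     # "Anywhere" or an address / CIDR
    ipv6: bool

def parse_status(text):
    """Parse the numbered lines; list index + 1 is the ufw rule number."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\[\s*\d+\]\s+(.*)$", line)
        if not m:
            continue
        tokens = m.group(1).split()
        if "#" in tokens:                        # strip trailing rule comment
            tokens = tokens[:tokens.index("#")]
        idx = next(i for i, t in enumerate(tokens) if t in ACTIONS)
        rest = tokens[idx + 1:]
        direction = rest.pop(0) if rest and rest[0] in ("IN", "OUT") else "IN"
        to = " ".join(t for t in tokens[:idx] if t != "(v6)")
        source = " ".join(t for t in rest if t != "(v6)")
        rules.append(Rule(to, tokens[idx], direction, source, "(v6)" in tokens))
    return rules

def _port_ranges(spec):
    """(proto, [(lo, hi), ...]) for a port spec; None means any port and protocol."""
    if spec == "Anywhere":
        return None
    if "/" not in spec:
        return ("", [])                          # application profile: matches nothing here
    ports, proto = spec.rsplit("/", 1)
    ranges = []
    for part in ports.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return proto, ranges

def port_matches(spec, port, proto):
    parsed = _port_ranges(spec)
    return parsed is None or (parsed[0] == proto and any(lo <= port <= hi for lo, hi in parsed[1]))

def source_matches(source, ip):
    return source == "Anywhere" or ip in ipaddress.ip_network(source, strict=False)

def first_match(rules, src_ip, dport, proto="tcp"):
    """(rule number, action) of the first inbound rule matching the packet, else (None, 'DENY')."""
    ip = ipaddress.ip_address(src_ip)
    for number, r in enumerate(rules, start=1):          # top to bottom, one family only
        if r.ipv6 == (ip.version == 6) and r.direction == "IN" \
                and port_matches(r.to, dport, proto) and source_matches(r.source, ip):
            return number, r.action
    return None, "DENY"                                  # assumed default incoming policy

def insert_rule(rules, position, rule):
    """ufw-style insert: 1-based, and the slot must lie inside the rule's own family section."""
    if not 1 <= position <= len(rules) or rules[position - 1].ipv6 != rule.ipv6:
        raise ValueError(f"Invalid position '{position}'")
    rules.insert(position - 1, rule)

def _overlap(allow, deny):
    """True if some packet could match both rules (so the earlier one wins)."""
    if "Anywhere" not in (allow.source, deny.source):
        a, d = (ipaddress.ip_network(s, strict=False) for s in (allow.source, deny.source))
        if not a.overlaps(d):
            return False
    pa, pd = _port_ranges(allow.to), _port_ranges(deny.to)
    if pa is None or pd is None:
        return True
    return pa[0] == pd[0] and any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in pa[1] for lo2, hi2 in pd[1])

def shadowed_denies(rules):
    """[(deny rule number, [earlier ALLOW numbers that pre-empt it])], per address family."""
    result = []
    for i, deny in enumerate(rules):
        if deny.action == "DENY":
            blockers = [n + 1 for n, allow in enumerate(rules[:i])
                        if allow.action == "ALLOW" and allow.ipv6 == deny.ipv6 and _overlap(allow, deny)]
            if blockers:
                result.append((i + 1, blockers))
    return result

if __name__ == "__main__":
    rules = parse_status(SAMPLE_STATUS)
    print("shadowed:", shadowed_denies(rules))                  # [(3, [1, 2])]
    print("before:", first_match(rules, "212.70.149.19", 25))   # (1, 'ALLOW')
    insert_rule(rules, 1, Rule("Anywhere", "DENY", "IN", "212.70.149.0/24", ipv6=False))
    print("after:", first_match(rules, "212.70.149.19", 25))    # (1, 'DENY')
```

Run against a real listing by feeding the output of `ufw status numbered` into `parse_status`: any entry reported by `shadowed_denies` is a DENY that will never see traffic on the ports the earlier ALLOW covers, which is exactly the situation in the status pasted in comment #2, where the SMTP ALLOW rules sit above the 212.70.149.0/24 DENY and postfix keeps logging connections from that range.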
