When using a hardened Linux repository, Veeam services add some temporary rules to UFW, allowing traffic between backup components:
[ 4] 6162/tcp ALLOW IN Anywhere # Veeam transport rule
[ 5] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 6] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 7] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
Is there any way to limit source IPs?
I solved this by writing some ALLOW for my IPs and a Full Deny before Veeam rules to restrict access only to my source IPs:
May help others:
Dynamic rules created by Veeam services (in Linux hardened repository) are open for any source IP.
[ 4] 2500:3300/tcp ALLOW IN A.B.C.D
[ 5] 6162/tcp ALLOW IN A.B.C.D
[ 6] 6162/tcp ALLOW IN D.E.F.G/30
[ 7] 2500:3300/tcp DENY IN Anywhere
[ 8] 6162/tcp DENY IN Anywhere
[ 9] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
I have to restrict source IPs manually outside of Veeam configurations as I described in my answer.
I think it’s better to do this inside of Veeam, for example in Network Traffic Rules, but now it only manages encryption and throttling.
Now, it's a feature request.

Adding some IP lists in “Network Traffic Rules” for use in UFW dynamic rules instead of “anywhere” for source IPs.
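
The workaround in this thread depends on UFW evaluating rules in listed order, so it only holds while the DENY rules stay above the Veeam "Anywhere" rules. The following check is an added example, not part of the original posts or of Veeam. It assumes `ufw status numbered` output shaped like the listings above, and `parse` and `exposed_rules` are hypothetical names:

```python
import re

# One row of `ufw status numbered`: [ n] port[:port]/proto [(v6)] ACTION IN source [# comment]
RULE = re.compile(
    r"^\[\s*(\d+)\]\s+(\d+)(?::(\d+))?/(tcp|udp)(\s+\(v6\))?\s+"
    r"(ALLOW|DENY|REJECT|LIMIT)\s+IN\s+(.+?)(?:\s+#\s*(.*))?$"
)

def parse(status_text):
    rules = []
    for line in status_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # header lines and rule shapes this sketch does not model
        num, lo, hi, proto, v6, action, src, _comment = m.groups()
        rules.append({"num": int(num), "lo": int(lo), "hi": int(hi or lo),
                      "proto": proto, "v6": bool(v6), "action": action,
                      "open": src.startswith("Anywhere")})
    return rules

def exposed_rules(status_text):
    """Numbers of allow-from-Anywhere rules with no covering Anywhere DENY/REJECT above them."""
    blocks, exposed = [], []
    for r in parse(status_text):  # listed order is evaluation order, first match wins
        if not r["open"]:
            continue  # source-restricted rules are the intended allow list
        if r["action"] in ("DENY", "REJECT"):
            blocks.append(r)
        else:  # ALLOW or LIMIT from Anywhere
            covered = any(b["proto"] == r["proto"] and b["v6"] == r["v6"]
                          and b["lo"] <= r["lo"] and r["hi"] <= b["hi"] for b in blocks)
            if not covered:
                exposed.append(r["num"])
    return exposed

# Listing copied from the answer above (A.B.C.D and D.E.F.G/30 are the poster's placeholders).
AFTER = """\
[ 4] 2500:3300/tcp ALLOW IN A.B.C.D
[ 5] 6162/tcp ALLOW IN A.B.C.D
[ 6] 6162/tcp ALLOW IN D.E.F.G/30
[ 7] 2500:3300/tcp DENY IN Anywhere
[ 8] 6162/tcp DENY IN Anywhere
[ 9] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
"""

if __name__ == "__main__":
    print("exposed rule numbers:", exposed_rules(AFTER))
```

Run it against live `ufw status numbered` output while a job is active: a non-empty result means a dynamic rule has ended up above the DENY lines or outside the denied port range.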