
[Question] UFW firewall rules. #336

Closed
Xavantex opened this issue Oct 29, 2023 · 1 comment
Comments

Xavantex commented Oct 29, 2023

The following code is used in the ufw script:

sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A ufw6-before-output -p icmpv6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before6.rules
sed -i '/^COMMIT/i -A ufw6-before-output -p icmpv6 -m state --state ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before6.rules

Would the first rule for IPv4 and IPv6 not cover both cases, with ESTABLISHED and RELATED already included?
Am I missing something?

Another thing: why explicitly deny 127.0.0.0/8 if the default is deny?

ufw allow in on lo
ufw allow out on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1

ufw default deny incoming

I feel like there is something I am missing here.

konstruktoid (Owner) commented

Hi @Xavantex, you are correct. Setting default deny does deny it as well, but it's to make sure (you might not want to deny by default) we configure the loopback interface to accept traffic and configure all other interfaces to deny traffic to the loopback networks.

This is also a requirement for the CIS Ubuntu benchmark (3.4.1.4).
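The two points raised in this thread, the redundant ICMP state rule and the explicit loopback deny rules, are illustrated below in an added example that is not part of the hardening project's own script. It shows an idempotent way to insert a raw rule before `COMMIT` (the `sed -i '/^COMMIT/i ...'` form quoted above appends another copy every time the script is re-run), a small check that a `--state ESTABLISHED,RELATED` match is already covered by `--state NEW,ESTABLISHED,RELATED`, and an audit of `ufw status verbose`-style output for the loopback rules the CIS benchmark item asks for. The before.rules fragment and the status listing are constructed sample data, and the function names are mine, not ufw's.

```shell
#!/bin/sh
# Added example (not the project's code). Demonstrates:
#  1. inserting a raw rule before COMMIT in a before.rules-style file only
#     when it is not already present, so re-running is safe;
#  2. checking whether one conntrack state list is a subset of another;
#  3. auditing `ufw status verbose`-style text for the loopback rules.
set -u

# Insert RULE before the first line starting with COMMIT in FILE, unless an
# identical line already exists. Returns 0 if inserted, 1 if already present.
# awk is used instead of sed's "i" command so '/' or '&' in the rule text
# need no escaping (the rule must not contain backslashes, which awk -v expands).
ufw_insert_before_commit() {
    local file="$1" rule="$2"
    if grep -qxF -- "$rule" "$file"; then
        return 1
    fi
    awk -v rule="$rule" '/^COMMIT/ && !done { print rule; done = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 if every comma-separated state in $1 also appears in $2.
# e.g. states_subset ESTABLISHED,RELATED NEW,ESTABLISHED,RELATED -> 0
states_subset() {
    local narrow="$1" broad="$2" s
    local IFS=','
    for s in $narrow; do
        case ",$broad," in
            *",$s,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Check a `ufw status verbose` listing saved in FILE for the loopback rules
# the CIS item expects (assumed column layout of ufw's verbose output).
# Prints each missing rule and returns the number missing (0 = all present).
audit_loopback_rules() {
    local file="$1" missing=0 expected
    while IFS= read -r expected; do
        if ! grep -Eq -- "$expected" "$file"; then
            echo "missing: $expected"
            missing=$((missing + 1))
        fi
    done <<'EOF'
^Anywhere on lo +ALLOW IN +Anywhere$
^Anywhere +DENY IN +127\.0\.0\.0/8$
^Anywhere \(v6\) on lo +ALLOW IN +Anywhere \(v6\)$
^Anywhere \(v6\) +DENY IN +::1$
^Anywhere +ALLOW OUT +Anywhere on lo$
^Anywhere \(v6\) +ALLOW OUT +Anywhere \(v6\) on lo$
EOF
    return "$missing"
}

# Demo on constructed input; nothing here touches /etc/ufw.
demo() {
    local rules status rule
    rules=$(mktemp)
    printf '*filter\n:ufw-before-output - [0:0]\nCOMMIT\n' > "$rules"
    rule='-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'
    ufw_insert_before_commit "$rules" "$rule" && echo "inserted"
    ufw_insert_before_commit "$rules" "$rule" || echo "already present, not duplicated"
    if states_subset ESTABLISHED,RELATED NEW,ESTABLISHED,RELATED; then
        echo "ESTABLISHED,RELATED is covered by NEW,ESTABLISHED,RELATED"
    fi
    status=$(mktemp)
    printf '%s\n' 'Anywhere on lo             ALLOW IN    Anywhere' \
                  'Anywhere                   DENY IN     127.0.0.0/8' > "$status"
    audit_loopback_rules "$status" || echo "$? loopback rule(s) missing"
    rm -f "$rules" "$status"
}
demo
```

On a real host you would point `audit_loopback_rules` at the output of `ufw status verbose`; the regexes assume ufw's default column layout, so adjust them if your version prints the table differently.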
