I do the same thing - AWS for blanket rules and host firewall for anything else. It's just easier to manage. (unless you start getting into awscli automation)
I don’t really use UFW, I’ve used shorewall and iptables directly, but not ufw. So I can’t offer much specific advice.

------
Joe

From: pound <pound-boun...@apsis.ch> on behalf of John Hayward <john.hayw...@wheaton.edu>
Reply-To: Pound mailing list <pound@apsis.ch>
Date: Wednesday, March 25, 2020 at 12:07 PM
To: Pound mailing list <pound@apsis.ch>
Subject: Re: [pound] configuring ufw with pound

Thanks for the feedback - With AWS I was focused on security groups, which only allow one to indicate what is allowed. It turns out there are ACLs on the Virtual Private Cloud which allow one to deny network activity. That seemed to work as expected.

On configuring ufw: if the default for incoming, outgoing and routed is accept, it seems that that should allow all traffic which is not denied - I was able to continue to use ssh without special rules - but I may not understand how default and particular rules interact.

johnh...
From: pound <pound-boun...@apsis.ch> on behalf of Joe Gooch <joseph.go...@sapphirek12.com>
Sent: Wednesday, March 25, 2020 10:38 AM
To: Pound mailing list <pound@apsis.ch>
Subject: Re: [pound] configuring ufw with pound

Looks like you’re on AWS – you could do it through the security policies on AWS instead as well.

------
Joe

From: pound <pound-boun...@apsis.ch> on behalf of John Hayward <john.hayw...@wheaton.edu>
Reply-To: Pound mailing list <pound@apsis.ch>
Date: Wednesday, March 25, 2020 at 3:03 AM
To: "pound@apsis.ch" <pound@apsis.ch>
Subject: [pound] configuring ufw with pound

Hi Pound people,

First, thanks for this useful facility.

I'm trying to set up ufw to block a few bad actors from accessing the service provided by pound. When I run ufw, adding rules to deny access to these bad actors, and enable ufw, it appears that it blocks all traffic - I thought the issue might be routed being disabled, so I enabled that and still no dice.

Here is what the verbose status of ufw is:

====
root@ip-172-31-45-181:~# ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     5.62.43.182
Anywhere                   DENY IN     77.234.43.131
Anywhere                   DENY IN     5.62.43.158
Anywhere                   DENY IN     5.62.43.146
Anywhere                   DENY IN     5.62.43.170
Anywhere                   DENY IN     5.62.43.134
Anywhere                   DENY IN     94.25.171.231
Anywhere                   DENY IN     24.60.253.150
====

Anybody have hints as to what issues there might be with using pound and ufw together?

johnh...

--
pound mailing list
pound@apsis.ch
https://urldefense.com/v3/__https:/admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch__;!!LEf3jpjHhfEyFKU!PXEXd97UjueHqfL_g6_KTMRE4dNwtQYAh-y31DWFqkXjIz1xKLegUpMQa-4FIHk1HcjpBSA$
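The question John raises about how the ufw default policy and the explicit DENY rules interact can be checked against a model of the intended evaluation order (first matching rule wins, then the per-direction default applies). The script below is an added example, not code from the thread or from ufw; it parses a constructed, abbreviated copy of the `ufw status verbose` output quoted above and reports what the rule set should do for a given source address, so an operator can compare the expected verdict against what the host actually does.

```python
import ipaddress
import re

# Constructed sample input: an abbreviated copy of the "ufw status verbose"
# output quoted in the thread (three of the eight DENY IN rules).
STATUS = """\
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     5.62.43.182
Anywhere                   DENY IN     77.234.43.131
Anywhere                   DENY IN     24.60.253.150
"""

def parse_status(text):
    """Return (defaults, rules). defaults maps 'incoming'/'outgoing'/'routed'
    to 'ALLOW'/'DENY'/...; rules is the ordered list of
    (direction, action, source_network) tuples from the status table."""
    defaults, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"Default: (.*)", line)
        if m:
            for policy, direction in re.findall(r"(\w+) \((\w+)\)", m.group(1)):
                defaults[direction] = policy.upper()
            continue
        m = re.match(r"(\S+)\s+(ALLOW|DENY|REJECT) (IN|OUT)\s+(\S+)", line)
        if m:
            _to, action, direction, src = m.groups()
            cidr = "0.0.0.0/0" if src == "Anywhere" else src
            rules.append((direction, action, ipaddress.ip_network(cidr, strict=False)))
    return defaults, rules

def decide(defaults, rules, direction, src_ip):
    """Model of the rule/default interaction: explicit rules are consulted in
    order and the first match wins; with no match, the default policy for the
    traffic direction ('incoming' for IN, 'outgoing' for OUT) applies."""
    ip = ipaddress.ip_address(src_ip)
    for rule_dir, action, net in rules:
        if rule_dir == direction and ip in net:
            return action
    return defaults["incoming" if direction == "IN" else "outgoing"]

if __name__ == "__main__":
    defaults, rules = parse_status(STATUS)
    for probe in ("5.62.43.182", "203.0.113.7"):
        print(probe, "->", decide(defaults, rules, "IN", probe))
```

With the quoted policy (default allow incoming) only the listed sources are denied and everything else, including the ssh session John mentions, falls through to ALLOW; flipping the incoming default to deny turns the same unlisted address into DENY, which is the behaviour to look for if the host appears to block all traffic.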