How to Add or Modify Comments to Existing UFW Firewall Rules


UFW (Uncomplicated Firewall) allows adding descriptive comments to rules for better management. While adding comments during rule creation is straightforward, modifying existing rule comments requires a different approach.

UFW doesn't provide a direct command to modify comments on existing rules. The only way is to delete and recreate the rule with the new comment. Here's why this limitation exists:

  • UFW stores rules in a sequential list without unique identifiers
  • Rules are matched by their exact parameters, not by comments
  • The underlying iptables system doesn't support comment modification

To add/modify a comment on an existing UFW rule:

# First, identify the rule number
sudo ufw status numbered

# Then delete the existing rule (example for rule #3)
sudo ufw delete 3

# Finally, recreate the rule with your comment
sudo ufw allow in on eth0 to any port 80 comment 'Web server access'

For more complex setups, you can manage rules through files:

# Add rules with comments to /etc/ufw/user.rules
-A ufw-user-input -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP access"

# Then reload UFW
sudo ufw reload

  • Keep comments concise but descriptive (40 chars max recommended)
  • Use consistent formatting (e.g., all caps or camelCase)
  • Include purpose and date when appropriate: 'API_ACCESS_2023'
  • Avoid special characters that might break rule parsing

Always check that your changes took effect:

# Show rules with comments
sudo ufw status verbose

# Or check the raw iptables output: iptables -L renders a comment match as /* text */,
# so match on that rather than on the word "comment"
sudo iptables -L -n -v --line-numbers | grep -F '/*'

For repetitive tasks, consider scripting:

#!/bin/bash
DATE=$(date +%Y%m%d)
RULE="allow in on eth0 to any port 80"
COMMENT="web_server_${DATE}"
# 'ufw status numbered' prints this rule as "[ N] 80 on eth0   ALLOW IN   Anywhere",
# so match that form (anchored, so 80 does not also match 180 or 8080) and strip the
# spaces inside the brackets; --force skips the confirmation prompt of 'ufw delete'
NUM=$(sudo ufw status numbered | grep -E '^\[ *[0-9]+\] 80 on eth0 +ALLOW' | awk -F'[][]' '{print $2}' | tr -d ' ' | head -n 1)
[ -n "$NUM" ] && sudo ufw --force delete "$NUM"
sudo ufw $RULE comment "$COMMENT"

Working with UFW (Uncomplicated Firewall) rules often requires adding documentation directly in the ruleset. While adding comments during rule creation is straightforward, modifying existing rules presents unique challenges.

Unlike some firewall systems, UFW doesn't provide a direct command to modify existing rule comments. The current implementation requires a delete-and-recreate approach:

# Current rule (example):
sudo ufw allow 22/tcp

# To add/modify comment:
sudo ufw delete allow 22/tcp
sudo ufw allow 22/tcp comment 'SSH access for admin team'

Here's a safer procedure that prevents accidental service interruption:

# 1. First list all rules with numbers
sudo ufw status numbered

# 2. Note the rule number you want to modify
# Example output:
# [ 3] 22/tcp                     ALLOW IN    Anywhere

# 3. Add the new rule with comment first
sudo ufw allow 22/tcp comment 'Updated: Restricted SSH access'

# 4. Verify new rule works
sudo ufw status

# 5. Then delete the old rule
sudo ufw delete 3

For advanced users who need to modify multiple rules:

# 1. Backup current rules
sudo cp /etc/ufw/user.rules /etc/ufw/user.rules.bak

# 2. Edit the rules file
sudo nano /etc/ufw/user.rules

# 3. Find the rule and append comment:
# Example before:
# -A ufw-user-input -p tcp --dport 22 -j ACCEPT

# After modification (the rules file takes iptables syntax; the /* ... */ form
# is only how 'iptables -L' displays a comment match):
# -A ufw-user-input -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH for admins"

# 4. Reload rules
sudo ufw reload

  • Keep comments concise but descriptive (50 characters max)
  • Include ticket numbers or reference codes when applicable
  • Use ISO date format for time-sensitive rules
  • Avoid special characters that might break parsing

For large-scale deployments, consider this bash function:

update_ufw_comment() {
    local port="$1"
    local proto="$2"
    local comment="$3"
    local nums n

    # Find the old rule(s). The pattern is anchored on the whole "To" column so
    # that 22/tcp does not also match 122/tcp or 220/tcp, and it picks up the
    # "(v6)" entry ufw lists next to the IPv4 one. Numbers are sorted highest
    # first: deleting a rule renumbers the ones after it, so going downwards
    # keeps every remaining number valid.
    nums=$(sudo ufw status numbered | \
           grep -E "^\[ *[0-9]+\] ${port}/${proto}( \(v6\))? +(ALLOW|DENY|REJECT|LIMIT) " | \
           awk -F'[][]' '{print $2}' | tr -d ' ' | sort -rn)

    # --force skips the "Proceed with operation (y|n)?" prompt
    for n in $nums; do
        sudo ufw --force delete "$n"
    done

    # Add new rule with comment
    sudo ufw allow "$port/$proto" comment "$comment"
}

# Usage:
update_ufw_comment 22 tcp "SSH for jumpbox"