4

I would usually run UFW on servers I deploy, however I've just started using AWS and I see they already provide a firewall, allowing me to set inbound/outbound rules, etc.

So I'm wondering if it's ever useful to have both the AWS firewall and UFW running at the same time? Or can I drop UFW altogether?

laurent
    What are you trying to achieve? Is your workload particularly sensitive, does it have any compliance requirements like PCI? Defense in depth says you should apply security at multiple layers - eg NACLs, SGs, iptables, etc. In practice I only run security groups for my standard personal workloads, but for sensitive workloads I run everything possible - firewalls, IDS / IPS, Guard Duty, Security Hub, etc. – Tim Jun 24 '21 at 19:53
  • Beware if you do enable ufw on an AWS instance that you are accessing over SSH. See this. If you are relying on SSH, before enabling ufw then run sudo ufw allow OpenSSH. Otherwise you could get locked out. – Colm Bhandal May 04 '22 at 13:38

2 Answers

7

As AWS provides firewall/Security groups which are very efficient, I would say and advocate that it is not required to have an additional firewall program such as UFW.

Also, having UFW would also tend to cause confusion with respect to the priority of the rules when we have the set up of firewall/iptables/UFW all together, which could be understood by referring to the following posts.

  1. How to deny IP ranges with ufw?

  2. https://stackoverflow.com/questions/57436758/does-ubuntu-ufw-overrides-amazon-ec2s-security-groups-and-rules

Please update if you have any further queries.
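As an added example (not code from any poster on this page): both layers filter inbound traffic independently, so a TCP port is reachable only when the security group and UFW both allow it. The script below assumes the JSON shape returned by `aws ec2 describe-security-groups` and the table printed by `ufw status` (both sample inputs are constructed inline), and reports which ports are open end to end and which are allowed by one layer but blocked by the other.

```python
"""Compare an EC2 security group's inbound TCP rules with the host's UFW rules."""
import json
import re

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SG_JSON = """{"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
 {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}"""

# Constructed sample of `ufw status` output; "OpenSSH" is the app profile for 22/tcp.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp                   ALLOW       10.0.0.0/8
OpenSSH (v6)               ALLOW       Anywhere (v6)
"""

APP_PROFILES = {"OpenSSH": 22}  # assumption: the only app profile we resolve to a port


def sg_tcp_ports(sg_json):
    """Return {port: [cidr, ...]} for the TCP rules of the first security group."""
    ports = {}
    for perm in json.loads(sg_json)["SecurityGroups"][0]["IpPermissions"]:
        if perm.get("IpProtocol") != "tcp":
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        for port in range(perm["FromPort"], perm["ToPort"] + 1):
            ports.setdefault(port, []).extend(cidrs)
    return ports


def ufw_tcp_ports(status_text):
    """Return the set of TCP ports UFW allows inbound (IPv4 rules only)."""
    allowed = set()
    for line in status_text.splitlines():
        m = re.match(r"^(\S+(?: \(v6\))?)\s+ALLOW(?: IN)?\s+\S", line)
        if not m or "(v6)" in m.group(1):
            continue
        target = m.group(1)
        if target in APP_PROFILES:
            allowed.add(APP_PROFILES[target])
        elif re.fullmatch(r"\d+(/tcp)?", target):  # "22" or "22/tcp"; skip "/udp"
            allowed.add(int(target.split("/")[0]))
    return allowed


def effective_exposure(sg_json=SG_JSON, status_text=UFW_STATUS):
    """Ports open through both layers, plus ports each layer allows that the other blocks."""
    sg, host = sg_tcp_ports(sg_json), ufw_tcp_ports(status_text)
    return {"reachable": sorted(p for p in sg if p in host),
            "sg_only": sorted(p for p in sg if p not in host),   # blocked by UFW
            "ufw_only": sorted(p for p in host if p not in sg)}  # blocked by the SG
```

Running `effective_exposure()` on the samples shows 22 and 443 open end to end, 80 allowed by the security group but dropped by UFW, and 8080 allowed by UFW but never reaching the host because the security group lacks it.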

1

Check out this thread.

Difference between security groups (on AWS) and iptables

I hope it will give you an answer to your question.