4

I would usually run UFW on servers I deploy, however I've just started using AWS and I see they already provide a firewall, allowing to set inbound/outbound rules, etc.

So I'm wondering if it's ever useful to have both the AWS firewall and UFW running at the same time? Or can I drop UFW altogether?

laurent

  • What are you trying to achieve? Is your workload particularly sensitive, does it have any compliance requirements like PCI? Defense in depth says you should apply security at multiple layers - e.g. NACLs, SGs, iptables, etc. In practice I only run security groups for my standard personal workloads, but for sensitive workloads I run everything possible - firewalls, IDS / IPS, Guard Duty, Security Hub, etc. – Tim Jun 24 '21 at 19:53
  • Beware if you do enable ufw on an AWS instance that you are accessing over SSH. See [this](https://stackoverflow.com/questions/41929267/locked-myself-out-of-ssh-with-ufw-in-ec2-aws). If you are relying on SSH, before enabling ufw then run `sudo ufw allow OpenSSH`. Otherwise you could get locked out. – Colm Bhandal May 04 '22 at 13:38
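An added example (not code from the question, the comments or the answers) of the safe ordering the comment above describes, as a POSIX shell script: it inspects the pending UFW rule set for an SSH allow rule before running `ufw enable`, and assumes Ubuntu's `OpenSSH` ufw application profile is available.

```shell
#!/bin/sh
# Added example: enable UFW on an EC2 instance managed over SSH without locking
# yourself out. Before `ufw enable`, the pending rule set (`ufw show added`) is
# checked for an allow rule that admits SSH; if none exists, the OpenSSH app
# profile is allowed first. Assumes Ubuntu's "OpenSSH" ufw app profile exists.

# Return 0 if the given `ufw show added` output contains an allow rule admitting SSH.
# Recognised forms: `ufw allow OpenSSH`, `ufw allow 22`, `ufw allow 22/tcp`, and
# `ufw allow from <cidr> to any port 22 ...`. Deny rules and other ports do not count.
ssh_allowed_in_rules() {
  printf '%s\n' "$1" \
    | grep -E '^ufw allow ' \
    | grep -Eq '(OpenSSH|(^| )22(/tcp)?( |$)|port 22( |$))'
}

# Add the SSH allow rule if it is missing, then enable the firewall. Must run as root.
# --force skips ufw's interactive "may disrupt existing ssh connections" prompt.
safe_ufw_enable() {
  rules=$(ufw show added) || return 1
  if ! ssh_allowed_in_rules "$rules"; then
    echo "no SSH allow rule found; adding 'ufw allow OpenSSH' before enabling"
    ufw allow OpenSSH || return 1
  fi
  ufw --force enable
}

# Constructed sample of `ufw show added` output with web rules but no SSH rule,
# so the check can be exercised offline; on a real instance call safe_ufw_enable.
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"
if ssh_allowed_in_rules "$SAMPLE_RULES"; then
  echo "sample: SSH rule present, safe to enable"
else
  echo "sample: SSH rule missing, enabling now would risk a lockout"
fi
```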

2 Answers

5

As AWS provides firewall/Security groups which are very efficient, I would say and advocate that it is not required to have an additional firewall program such as UFW.

Also, having UFW would tend to cause confusion with respect to the priority of the rules when we have the setup of firewall/iptables/UFW all together, which can be understood by referring to the following posts.

  1. How to deny IP ranges with ufw?

  2. https://stackoverflow.com/questions/57436758/does-ubuntu-ufw-overrides-amazon-ec2s-security-groups-and-rules

Please update if you have any further queries.

0

Check out this thread.

Difference between security groups (on AWS) and iptables

I hope it will give you an answer to your question.