Improvement: Add comment to rule

i vote for this, too. it would be wonderful. it's the one major thing firestarter had that ufw does not have, and it would be quite helpful to add it in. After a few rules get added, i forget what is what, and it sure would be nice to have another column for the reason. I.e.,

$ sudo ufw status
[sudo] password for jeff:
Status: active

To Action From Comment
-- ------ ---- -----------------
Anywhere ALLOW 77.49.196.38 thomas at home
Anywhere ALLOW 123.240.238.117 my 2nd box
22 ALLOW 123.240.238.118 john's workstation

where last rule might have been added by something like:

$ sudo ufw allow from 123.240.238.118 to any port 22 comment "john's workstation"

or some such..?

thanks!

The comment field is current used for application integration. It would be possible to add a comment, but it is non-trivial. This might be added in a future release.

One sollution might be to add an option like "-n" when one wants numerical values on ports and ip-adresses.
I no '-n' option, it could look up that feild in hosts, networks, protocols and services and use the result from there. Then I guess the need for comments might be less urgent.

So instead of
Anywhere ALLOW 77.49.196.34
Anywhere ALLOW 123.240.238.117
22 ALLOW 192.168.0.120

we get

Anywhere ALLOW thomas.example.org
Anywhere ALLOW my2ndbox.example.com
ssh ALLOW johnsws.local

Which is more important when we get more IPv6 addresses.

@3: The above would help only for std ports, while e.g. rpc.bind (NFS) listens on random ports, so in order to use firewall port blocking, admin has to define some specific port (and this varies by installation or admin's will).

Comments would be really welcome.

comments would be very useful when trying to remember why you created a rule in the first place

I'd like to make an additional comment on how useful this feature would be. There are certain servers I work with that must use a lot of non-common ports, a for some applications, and also restrict connections based on IP/etc. It would be very convenient if rules could be labeled or even tagged so that it is quicker to know whether the firewall is a problem with a service or not.
Additionaly, IPv6 support has greatly increased the number of rules that must be managed, and it can sometimes be easy to forget exactly what each one is for.

+1

FWIW Iptables uses C style /* comment here */ at the end of the rule when listing.

Let's put in the other way round: unfortunately I cannot use ufw because I cannot add comment and I have a very complex configuration

This would be a nice feature to have, espec when looking through historical rules.

I implemented it in Gufw 13.10 :) Best regards!

Hope this helps.

Thanks for the patch! A couple of questions:
- What version is this against?
- What testing was performed? See README 'Testing' and 'Unit tests' for details
- Can you prepare a merge request against lp:ufw instead? This isn't strictly required, but is easier
- No tests were included as part of the patch. Can you resubmit with added unit tests (at least) for this functionality?

Also, ufw is covered by Canonical's Contributor Agreement. For your patch to be accepted, you'll need to review and sign the contributor agreement. Please see http://www.canonical.com/contributors for details.

Thanks again! :)

It is made from the trunk (revision 836).

The patch is breaking get_status() unit test, tough it was expected since it slightly modify its behaviour. I didn't investigate further since I wasn't planning to make merge request until now. Syntax check is passing.

I'll do the new unit tests with the merge request. I just signed the contributor agreement mentioning you as my contact, I'm waiting for the answer.

Work is in progress on lp:~rmns/ufw/message repository.

Updated patch with latest changes enclosed.

I'm sorry, I don't have the time right now to write unit tests for those modifications. Since the latest commit passes every test, do you want me to do the merge request even without the new unit tests ?

Please perform the merge request. When I have time to write unit tests for it, I can take a look.

https://code.launchpad.net/~rmns/ufw/message/+merge/199027

This is REALLY needed

Hi!

Any news on this one?
I'd like to keep ufw, but my collegue is forcing me to switch to FireHOL on our servers, because of the comments and our list of IP rules.

Or maybe there's possibility to have IP lists in external files with comments?

About #4, I was thinking about instead of printing IP-numbers translate it through /etc/hosts and /etc/networks (or same API as 'getent hosts' and 'getent networks')

I vouch for this - comments would be very nice, especially in large environments where you want to tell the other sysadmins 'this rule is to my home computer' or something like that. Often you can't add a reverse dns entry, so name lookups will not always wrork

Thanks to Guillaume for the patch, but I implemented it in a different way due to changes to the codebase, lack of tests, lack of UTF-8 support and how it should work for updating/removing comments.

No worries, I hope my patch helped other people during those two years! Thank you for finally addressing that issue.

Great, now the real question is: how do I do "ufw status" so that I can see the comments next to each rule! This is why I wanted to make the comment in the first place.
Thanks!

I feel 'ufw status verbose' should show comments next to each rule, but it does not. Ideas?

'ufw status' does show the output. Eg:

$ sudo ufw reject 23 comment "disallow telnet"
Rule added
Rule added (v6)

$ sudo ufw status|grep telnet
23 REJECT Anywhere # disallow telnet
23 (v6) REJECT Anywhere (v6) # disallow telnet

Can you file a new bug, giving the output of 'ufw version' and steps to reproduce?