5

I issue the following:

    # ufw allow from <ip address>

And get the response:

    WARN: Rule changed after normalization
    Rule added (v6)

I am familiar with the term 'normalization' in relational database structuring, but I am curious how this is applied to the UFW rules. The rule I requested is subsequently listed just as I entered it:

    Anywhere (v6)              ALLOW IN    <ip address>

What has happened in this process of normalization?

1 Answer

6

I don't have a definitive answer, but I do have an example. Note that man ufw explains:

Because rules are normalized by ufw, rules may look different than the originally added rule.

In my case, ufw had to normalize the rule I gave it because it was an IP + subnet (xxx.xxx.xxx.xxx/xx) where the IP was more specific than the subnet required; e.g.,

    # ufw allow from 192.168.123.8/24

The /24 subnet says "include all IP addresses that match 192.168.123.xxx," so the .8 at the end is unnecessary: 192.168.123.0/24 means the same thing without the extra "significant digits". Thus, ufw normalizes my rule by converting the .8 to .0.

Not sure what other kinds of normalization ufw performs, but you can probably observe what happened simply by comparing the rule you gave to ufw and the rules it reports in ufw status.

Ryan Lue
    Ah yes. Just tested: you're right. I must have inadvertently entered a rule like that. I don't have the original entry but that is a likely error. – Stephen Boston Aug 21 '20 at 12:20
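
The masking described in the answer, as an added example that is not part of the original posts and is not ufw's own code: it uses Python's `ipaddress` module to show, before a rule is added, whether the source address has host bits set and how many addresses the resulting rule would actually allow. The function name, the `Result` type and the sample addresses are constructed for illustration; the IPv6 cases go beyond the answer's IPv4 example and apply the same masking.

```python
import ipaddress
from collections import namedtuple

# Hypothetical helper type for this example.
Result = namedtuple("Result", "typed effective host_bits_set addresses")


def check_source(spec):
    """Describe what a 'from' address covers once host bits are masked off.

    Accepts IPv4 or IPv6, with or without a /prefix. Raises ValueError on
    input that is not a valid address or address/prefix.
    """
    iface = ipaddress.ip_interface(spec)  # tolerates host bits being set
    net = iface.network                   # same prefix, host bits zeroed
    single_host = net.prefixlen == net.max_prefixlen  # /32 or /128
    effective = str(iface.ip) if single_host else str(net)
    return Result(
        typed=spec,
        effective=effective,
        # True when the typed address is more specific than the prefix,
        # e.g. the .8 in 192.168.123.8/24
        host_bits_set=iface.ip != net.network_address,
        addresses=net.num_addresses,
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "192.168.123.8/24",   # the answer's example: host bits set
        "192.168.123.0/24",   # already a network address
        "192.168.123.8",      # single host, no prefix
        "2001:db8::1/64",     # IPv6 with host bits set
    ]
    for s in samples:
        r = check_source(s)
        note = "host bits set" if r.host_bits_set else "unchanged"
        print(f"{r.typed:20} -> {r.effective:20} "
              f"{r.addresses} address(es), {note}")
```

A rule typed as `192.168.123.8/24` covers 256 addresses, not one host, which is worth checking when the warning appears on an `allow` rule.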