
I've installed a new Ubuntu 16.04 and enabled ufw:

ufw enable

I tried these ways to unfilter multiple ports at once:

ufw allow 22/tcp 25/tcp 80/tcp 443/tcp 9000/tcp
ufw allow 22/tcp, 25/tcp, 80/tcp, 443/tcp, 9000/tcp
ufw allow {22/tcp,25/tcp,80/tcp,443/tcp,9000/tcp}

All three ways produce the same error:

ERROR: Wrong number of arguments

Is it even possible to unfilter multiple ports with UFW?

pa4080
Arcticooling

3 Answers


You can allow multiple (TCP or UDP) ports in this way:

ufw allow 22,25,80,443,9000/tcp

Or you can add a range of ports in this way (source and more explanations):

ufw allow 11200:11299/tcp

For more complicated configurations you can create a custom configuration file that could contain one or more custom profiles. For example (man ufw; complete example):

$ cat /etc/ufw/applications.d/my-custom-profiles

[MyCustomProfile]
title=Some title
description=Some description
ports=22,25,80,443/tcp|9005:9007/tcp|9000

This opens ports 22, 25, 80, 443, 9005-9007 through TCP and port 9000 through TCP and UDP. Note the separate mention of the port range 9005:9007, which is contrary to what the man page recommends. But this is how it works in Debian Bullseye.

You can allow any profile in this way:

ufw allow MyCustomProfile
pa4080
  • Unfortunately, *this* doesn't seem to work, however: `ufw allow from 192.168.2.0/24 to any port 2049,13025/tcp` Somehow, ufw thinks I'm trying to specify a port range. I was able to do what I needed, however: `ufw allow proto tcp from 192.168.2.0/24 to any port 2049,13025`. (ufw version 0.36) – fbicknel Oct 07 '19 at 20:11
  • What does `proto ` meant for? – alper Apr 11 '22 at 19:41
  • @alper, it must be shortened from *protocol* - `proto tcp`/`proto udp`.. – pa4080 Apr 11 '22 at 21:48
  • This doesn't seem to work with UFW v0.36 (and maybe other versions). The first command returns "ERROR: Wrong number of arguments". – ATLief Jul 20 '22 at 17:34
  • It looks like the syntax has changed and `ufw allow 11200:11299 proto tcp` must now be `ufw allow 11200:11299/tcp` – AntonOfTheWoods Aug 01 '22 at 11:51

For anyone dealing with the message

WARN: "Invalid ports in profile 'cassandra'"

or just trying to set up Cassandra on UFW in Ubuntu, I found the above pa4080 ports= example the only thing I could get to work. Having found that, I carefully worked back through it, and it seems that for more than one port UFW wants /tcp (or, I assume, something else equally valid) on the last port.

[cassandra]
title=cassandra ufw rules
description=cassandra needs these ports to run
ports=22,7000,7001,7199,9042,9142,9160/tcp

I found this to be the complete, acceptable entry for UFW.

Having spent a fair amount of time on reading the documentation I will follow with my notes that may be of interest.

Public port

  Port number    Description
  22             SSH port

Cassandra inter-node ports

  Port number    Description
  7000           Cassandra inter-node cluster communication.
  7001           Cassandra SSL inter-node cluster communication.
  7199           Cassandra JMX monitoring port.

Cassandra client ports

  Port number    Description
  9042           Cassandra client port.
  9160           Cassandra client port (Thrift).
  9142           Default for native_transport_port_ssl, useful when both encrypted and unencrypted connections are required.

To do this manually:

sudo ufw allow 22
sudo ufw allow 7001
sudo ufw allow 7199
sudo ufw allow 7000
sudo ufw allow 9042
sudo ufw allow 9160
sudo ufw allow 9142

Ports 7000 and 9042 must be available for external nodes to connect to. As a security measure, limit connections to these ports to only the IP addresses of any other nodes in the cluster.

ufw allow proto tcp from [external_node_ip_address] to any port 7000,9042 comment "Cassandra TCP"

The next step is to run

ufw allow from 192.168.0.0/16 to any app cassandra

and test that.

Daniele Santi

I experimentally found that the message: "Invalid ports in profile *****"

occurs only if you do not specify the protocol. For example:

ports=5900:5910 - is incorrect!

ports=5900:5910/tcp - is correct!

This only applies to the situation of specifying a port range.

dmnk_68
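As an added example that covers all three answers above (my own script, not code from pa4080, Daniele Santi, dmnk_68 or the ufw project), the shell script below checks an application-profile ports= value offline against the rules the answers report: tokens are separated by |, a comma-separated list or a LOW:HIGH range must end in /tcp or /udp, and a bare single port opens both protocols. It also prints the equivalent ufw allow commands: the simple PORTS/PROTO syntax when no source is given, or, when a source network is given, the extended syntax in which the protocol is the separate proto keyword, which is the difference between fbicknel's failing and working commands. Two checks are assumptions not stated on the page: the 15-port ceiling comes from iptables' multiport match (a range counts as two ports), and the 1..65535 / LOW < HIGH sanity check on port numbers is mine.

```shell
#!/bin/sh
# Added example, not code from the answers above or from the ufw project.
# Checks a ufw application-profile "ports=" value offline and prints the
# equivalent "ufw allow" commands instead of running ufw. Rules encoded:
#   * profile tokens are separated by "|"
#   * a token is PORT, a comma list P1,P2,..., or a range LOW:HIGH, each
#     optionally followed by /tcp or /udp
#   * a comma list or a range MUST carry /tcp or /udp (the cause of the
#     "Invalid ports in profile" and "Wrong number of arguments" errors)
#   * a bare single PORT means both tcp and udp
#   * at most 15 ports per rule, a range counting as two: the limit of
#     iptables' multiport match, an assumption not stated on the page
#   * ports must be 1..65535 and LOW < HIGH (my own sanity check)

fail() { printf 'invalid: %s\n' "$1" >&2; }

# is_port NUM -> 0 when NUM is an integer in 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_token TOKEN -> prints "PORTS PROTO" (PROTO is tcp, udp or any),
# or returns 1 with the reason on stderr
check_token() {
    tok=$1
    case $tok in
        */*/*) fail "more than one '/' in '$tok'"; return 1 ;;
        */*)   ports=${tok%/*}; proto=${tok##*/} ;;
        *)     ports=$tok; proto=any ;;
    esac
    case $proto in
        tcp|udp|any) ;;
        *) fail "protocol must be tcp or udp in '$tok'"; return 1 ;;
    esac
    case $ports in
        ''|,*|*,|*,,*) fail "malformed port list in '$tok'"; return 1 ;;
    esac
    tok_ifs=$IFS; IFS=,; set -- $ports; IFS=$tok_ifs
    count=0
    for p in "$@"; do
        case $p in
            *:*:*) fail "bad range '$p'"; return 1 ;;
            *:*)   lo=${p%:*}; hi=${p#*:}
                   if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -ge "$hi" ]; then
                       fail "bad range '$p'"; return 1
                   fi
                   count=$((count + 2)) ;;
            *)     if ! is_port "$p"; then fail "bad port '$p'"; return 1; fi
                   count=$((count + 1)) ;;
        esac
    done
    # The check behind the errors discussed above: several ports or a range
    # need an explicit protocol.
    if [ "$proto" = any ] && [ "$count" -gt 1 ]; then
        fail "'$tok' lists several ports or a range, so it needs /tcp or /udp"
        return 1
    fi
    if [ "$count" -gt 15 ]; then
        fail "'$tok' exceeds the 15-port multiport limit"; return 1
    fi
    printf '%s %s\n' "$ports" "$proto"
}

# check_ports_spec SPEC -> 0 when every "|"-separated token is acceptable
check_ports_spec() {
    [ -n "$1" ] || { fail "empty ports value"; return 1; }
    spec_ifs=$IFS; IFS='|'; set -- $1; IFS=$spec_ifs
    for tok in "$@"; do
        check_token "$tok" >/dev/null || return 1
    done
}

# spec_to_rules SPEC [SOURCE] -> one "ufw allow" command per token. Without
# SOURCE it uses the simple syntax (PORTS/PROTO). With SOURCE it uses the
# extended syntax, where the protocol is the separate "proto" keyword; a
# "/tcp" suffix after "port" is what made fbicknel's first command fail.
spec_to_rules() {
    spec=$1; src=$2
    rules_ifs=$IFS; IFS='|'; set -- $spec; IFS=$rules_ifs
    for tok in "$@"; do
        parsed=$(check_token "$tok") || return 1
        ports=${parsed% *}; proto=${parsed##* }
        if [ -z "$src" ]; then
            if [ "$proto" = any ]; then echo "ufw allow $ports"
            else echo "ufw allow $ports/$proto"; fi
        else
            if [ "$proto" = any ]; then echo "ufw allow from $src to any port $ports"
            else echo "ufw allow proto $proto from $src to any port $ports"; fi
        fi
    done
}

# Stand-alone demo: pa4080's profile, fbicknel's rule, dmnk_68's bad range.
spec_to_rules '22,25,80,443/tcp|9005:9007/tcp|9000'
spec_to_rules '2049,13025/tcp' 192.168.2.0/24
check_ports_spec '5900:5910' || echo "rejected, as ufw rejects it"
```

The generated commands can be checked against a real ufw without touching the firewall by prefixing them with ufw --dry-run, which prints the resulting rules instead of applying them.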