[SOLVED] Ufw insert 1 deny from IPv6


I am trying to ban IPv6 address/block to accessing any part of my server with UFW,
but the usual that works for IPv4 does not work for IPv6

root@box:~# ufw insert 1 deny from 2001:41d0::/32
ERROR: Invalid position ‘1’

but IPv4 works great
root@box:~# ufw insert 1 deny from
Rule inserted


You cannot insert an IPv6 rule in position 1.

Instead simply do

ufw deny from IPv6addr

To add to this … in light of @murgero’s comment (thanks!)


ufw status numbered

which will give you a numbered list of the rules. From that list you can then insert your deny rule in the correct place by using the command you were initially but substituting the 1 with the correct position.


This is supposed to be incorrect. However a bug is preventing it (and has been for years it looks like)

a patch was just recently proposed to ubuntu for this:

IPv6 rules cannot be inserted before ay IPv4 rules for now. but this will change in the future.

(However this might be irrelevant as IPv6 IPs are not processed against IPv4 rules so a deny rule for IPv6 just needs to be insert before all other IPv6 rules)


Thank you @alento and @murgero.
It is working:

[105] Anywhere (v6) DENY IN 2001:41d0::/32
[106] 22 (v6) ALLOW IN Anywhere (v6)
[107] 53 (v6) ALLOW IN Anywhere (v6)
[108] 25/tcp (v6) ALLOW IN Anywhere (v6)
[109] 587 (v6) ALLOW IN Anywhere (v6)
[110] 993 (v6) ALLOW IN Anywhere (v6)
[111] 995 (v6) ALLOW IN Anywhere (v6)
[112] 4190/tcp (v6) ALLOW IN Anywhere (v6)
[113] 80 (v6) ALLOW IN Anywhere (v6)
[114] 443 (v6) ALLOW IN Anywhere (v6)