Understanding the UFW Rule: Allowing TCP Access to Port 8123 from a Specific IP

Firewalls are a foundational component of any secure Linux system. On Ubuntu and other Debian-based distributions, UFW (Uncomplicated Firewall) provides a simple yet powerful interface for managing firewall rules.

In this post, we’ll break down the following UFW rule, explain what it does, and discuss when and why you might use it:

sudo ufw allow from 10.8.0.2 to any port 8123 proto tcp

What Is UFW?

UFW is a frontend for iptables designed to make firewall configuration easier and less error-prone. Instead of dealing with complex rule chains, UFW lets administrators define intent-based rules that are readable and maintainable.


Breaking Down the Rule

Let’s look at each part of the command in detail.

sudo

Firewall rules require administrative privileges. sudo ensures the command is executed with root permissions.

ufw allow

This tells UFW to permit traffic that matches the rule. UFW rules typically fall into three categories:

  • allow
  • deny
  • reject

In this case, we are explicitly allowing traffic.

from 10.8.0.2

This restricts the rule to traffic originating only from the IP address 10.8.0.2.

This is an important security control: instead of opening a port to the entire internet, access is limited to a trusted host. IP addresses in the 10.0.0.0/8 range are private (RFC 1918) addresses, commonly used for:

  • VPNs (OpenVPN, WireGuard)
  • Internal networks
  • Secure tunnels between services

to any port 8123

This specifies the destination:

  • Any local IP address on this machine, on any interface (to any does not pin the rule to a single interface; that would take on <interface>)
  • Port 8123

Port 8123 is often used by applications such as:

  • Home Assistant
  • Custom web dashboards
  • Internal APIs
  • Development or monitoring tools

proto tcp

This limits the rule to TCP traffic only.

That matters because:

  • Without proto tcp, UFW generates matching rules for both TCP and UDP on the port
  • TCP is connection-oriented and reliable, and a connection-oriented service only needs TCP to be open
  • UDP traffic to the same port remains blocked unless explicitly allowed

What This Rule Accomplishes

In plain language, this rule means:

“Allow TCP connections to port 8123 on this server, but only if they come from 10.8.0.2.”

Everything else (other source IPs, other ports, other protocols) remains blocked, provided UFW is enabled and its default incoming policy is deny, which is UFW's default (sudo ufw default deny incoming).


Why This Is a Best Practice

This rule demonstrates several strong security principles:

✅ Principle of Least Privilege

Only a single IP address is allowed access, rather than opening the port globally.

✅ Reduced Attack Surface

Even if port scans are performed, the service is unreachable from any other source; because UFW's default deny policy drops the packets, a scanner sees the port as filtered rather than open.

✅ Clear Intent

The rule is readable and self-documenting, which makes long-term maintenance easier.


Verifying the Rule

After adding the rule, you can confirm it with:

sudo ufw status verbose

You should see an entry similar to:

To                         Action      From
--                         ------      ----
8123/tcp                   ALLOW IN    10.8.0.2
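Reading the status table by eye works for one rule; on a host with many rules it is easy to miss a second, broader rule for the same port (for example one added earlier without proto tcp or without a source, which is the case the proto tcp section above warns about). The script below is an added example, not code from the original post or from the UFW project: it reads ufw status verbose output from stdin and checks that port 8123/tcp is allowed from 10.8.0.2, that the default incoming policy is deny, and that no ALLOW IN row exposes the port to Anywhere. The listing embedded in SAMPLE_STATUS is constructed for the demonstration rather than captured from a real host; the function names are my own, and the two Anywhere rows for 8123 are assumed to be the shape UFW prints for a rule added with neither a source nor a protocol.

```sh
#!/bin/sh
# Added example (not code from the original post): audit `ufw status verbose`
# output and check that a port is reachable only from the intended source.
# Every rule row in verbose output has the shape
#   To   Action-word   Direction   From     e.g.  8123/tcp  ALLOW IN  10.8.0.2
# and the helpers below rely on that layout.

# Constructed sample listing (not captured from a real host). Besides the
# narrow rule from the post, it contains the pair of rows assumed to result
# from `sudo ufw allow 8123` (no source, no proto), so the audit has
# something to flag.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
8123/tcp                   ALLOW IN    10.8.0.2
8123/tcp                   DENY IN     192.168.1.50
8123                       ALLOW IN    Anywhere
8123 (v6)                  ALLOW IN    Anywhere (v6)'

# Print only the rule rows (everything after the "--" separator). The
# " (v6)" suffix is folded into its token so every row has exactly four fields.
ufw_rule_rows() {
    awk 'body && NF { print } /^--/ { body = 1 }' | sed 's/ (v6)/_v6/g'
}

# Default incoming policy (deny, allow or reject) taken from the "Default:" line.
default_incoming() {
    sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Exit 0 if an "ALLOW IN" row exists for PORT/PROTO whose From is exactly SOURCE.
rule_allows_from() {
    ufw_rule_rows | awk -v to="$1/$2" -v src="$3" '
        $1 == to && $2 == "ALLOW" && $3 == "IN" && $4 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print every "ALLOW IN" row that exposes PORT to Anywhere, whether the row
# names the port alone (matches TCP and UDP) or with a /tcp or /udp suffix.
broad_rules_for_port() {
    ufw_rule_rows | awk -v port="$1" '
        $2 == "ALLOW" && $3 == "IN" && $4 ~ /^Anywhere/ {
            to = $1; sub(/_v6$/, "", to); sub(/\/.*$/, "", to)
            if (to == port) print
        }'
}

# Number of world-reachable rows for PORT, for use in scripts.
broad_rule_count() {
    broad_rules_for_port "$1" | wc -l | tr -d ' '
}

# Full check for one service: default policy is deny, the narrow rule exists,
# and nothing else exposes the port to the world. Reads status on stdin;
# returns 0 on pass, 1 on any failure.
audit_port() {
    status=$(cat)
    rc=0
    policy=$(printf '%s\n' "$status" | default_incoming)
    if [ "$policy" != "deny" ]; then
        echo "FAIL: default incoming policy is '$policy', not deny"; rc=1
    fi
    if printf '%s\n' "$status" | rule_allows_from "$1" "$2" "$3"; then
        echo "OK: $1/$2 allowed from $3"
    else
        echo "FAIL: no ALLOW IN rule for $1/$2 from $3"; rc=1
    fi
    broad=$(printf '%s\n' "$status" | broad_rules_for_port "$1")
    if [ -n "$broad" ]; then
        echo "FAIL: port $1 is also reachable from Anywhere:"
        printf '%s\n' "$broad" | sed 's/^/  /'; rc=1
    fi
    return $rc
}

# On a real host: sudo ufw status verbose | audit_port 8123 tcp 10.8.0.2
printf '%s\n' "$SAMPLE_STATUS" | audit_port 8123 tcp 10.8.0.2 \
    || echo "audit failed as expected: the sample has world-open rows for 8123"
```

Run against the sample, the narrow rule and the deny policy pass, but the two rows that expose 8123 to Anywhere fail the audit; that is exactly the situation a quick glance at the status table tends to miss. Because the check only needs the status text on stdin, it can be run from cron or a configuration-management hook to catch a later, broader rule undoing the intent of this one.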

Common Use Cases

This type of rule is commonly used for:

  • Allowing VPN clients to access internal services
  • Restricting admin dashboards to a jump host
  • Securing IoT or automation services
  • Protecting internal APIs from public exposure

Final Thoughts

The command:

sudo ufw allow from 10.8.0.2 to any port 8123 proto tcp

is a great example of how UFW can be both simple and secure. By combining IP-based restrictions, port targeting, and protocol control, you can expose only what’s necessary—nothing more.

If you’re managing services that don’t need public access, rules like this should be your default approach.
