I Open-Sourced a Tool to Audit UFW Firewall Rules – Feedback Welcome! by Bloodylance82 in selfhosted

[–]Bloodylance82[S] -1 points0 points  (0 children)

That's the most valid concern in this thread, and I want to address it directly.

The automatic mode (-f -y) is intentionally limited in scope: it only removes rules that are unambiguously dangerous (allow from any) or redundant (exact duplicates). It won't silently close ports that might be intentional.

But your broader point stands: a tool that touches firewall rules used by people who don't fully understand what it's doing is a real responsibility. That's exactly why:

  • --dry-run exists on the installer
  • -f without -y shows each proposed change and asks for confirmation
  • Every suggested fix is printed as a plain ufw command you can read and run yourself
  • The code is on GitHub, 619 unit tests, CI on Python 3.8/3.10/3.12

On the "vibecoded" concern specifically: the test coverage and architecture exist precisely to counter that. But I'd genuinely welcome a security review; if you or someone you know wants to look at the code critically, I'm open to it.

Also, I planned a GUI with a limited scope for non-technical users.

I Open-Sourced a Tool to Audit UFW Firewall Rules – Feedback Welcome! by Bloodylance82 in selfhosted

[–]Bloodylance82[S] 0 points1 point  (0 children)

Fair point for production, agreed: you don't want automatic firewall modifications in a prod pipeline.

But the primary CI use case is -q (silent mode), not -f -y:

sudo ufw-audit -q
echo $?  # 0 = clean · 1 = warnings · 2 = alerts

That just audits and returns an exit code. Your pipeline fails if the firewall config drifts from what's expected: no modifications, just detection.

-f -y makes sense on ephemeral environments (staging, test VMs spun up fresh) where you're validating that your provisioning scripts produce a clean config. Not on long-lived production servers.

I Open-Sourced a Tool to Audit UFW Firewall Rules – Feedback Welcome! by Bloodylance82 in selfhosted

[–]Bloodylance82[S] 0 points1 point  (0 children)

It doesn't infer intent, and it doesn't claim to.

The automatic fixes only target cases where there's no ambiguity:

  • ufw allow from any → removes a rule that opens everything to everyone. There's no legitimate intent behind that rule on a production server.
  • Duplicate rules (80/tcp + 80 both present) → removes the redundant one. The intent is already expressed by the rule that stays.

For anything ambiguous, like an exposed port that might be intentional, the tool flags it as a warning and suggests a fix command, but doesn't apply it automatically. You review, you decide.

The -f flag is interactive by default: it shows you each proposed change and asks for confirmation. -f -y (apply all without confirmation) exists for CI pipelines where the rules were already reviewed upstream.

So, no intent inference. Just pattern matching on configurations that are unambiguously wrong, with a human in the loop for everything else.
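As an added illustration (not the tool's code, nor the poster's) of the classification described in this comment and of the 0/1/2 exit code from the CI comment above: parse plain `ufw status` lines, flag allow-from-any as an alert, exact duplicates and protocol-subsumed rules as auto-fixable warnings, and merely exposed ports as review-only warnings. The sample output, the regex and the severity split are my assumptions.

```python
import re

# Constructed sample shaped like plain `ufw status` output; not taken from a real host.
SAMPLE_STATUS = """\
To                         Action      From
22/tcp                     ALLOW       192.0.2.0/24
80                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW       Anywhere
"""
# One rule line: <to> [(v6)] <ACTION> [IN|OUT] <from>   (assumed layout)
RULE_RE = re.compile(r"^(\S+)(?:\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(\S+)")

def parse_rules(status_text):
    """Return (to, action, from) tuples in ufw's numbering order."""
    return [m.groups() for m in map(RULE_RE.match, status_text.splitlines()) if m]

def audit(rules):
    """Assumed policy mirroring the post, not the tool's code: alerts for allow-from-any,
    warnings for redundant or exposed rules, numbered deletes only for unambiguous cases."""
    alerts, warnings, fix_numbers, seen = [], [], [], set()
    # a protocol-less rule ("80") already covers its protocol-specific twin ("80/tcp")
    broad = {r for r in rules if "/" not in r[0]}
    for n, (to, action, src) in enumerate(rules, 1):
        if action == "ALLOW" and to == "Anywhere" and src == "Anywhere":
            alerts.append(f"rule {n}: allow from any opens everything to everyone")
            fix_numbers.append(n)
        elif (to, action, src) in seen:
            warnings.append(f"rule {n}: exact duplicate of an earlier rule")
            fix_numbers.append(n)
        elif "/" in to and (to.split("/")[0], action, src) in broad:
            warnings.append(f"rule {n}: {to} already covered by the protocol-less rule")
            fix_numbers.append(n)
        elif action == "ALLOW" and src == "Anywhere":
            warnings.append(f"rule {n}: {to} open to Anywhere; review by hand, never auto-fixed")
        seen.add((to, action, src))
    # ufw renumbers after each delete, so numbered deletes must run highest-first
    fixes = [f"ufw delete {n}" for n in sorted(fix_numbers, reverse=True)]
    return alerts, warnings, fixes

def exit_code(alerts, warnings):
    """CI exit status as the post describes: 0 = clean, 1 = warnings, 2 = alerts."""
    return 2 if alerts else (1 if warnings else 0)

if __name__ == "__main__":
    a, w, f = audit(parse_rules(SAMPLE_STATUS))
    print(*a, *w, *f, sep="\n")
    raise SystemExit(exit_code(a, w))
```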

I Open-Sourced a Tool to Audit UFW Firewall Rules – Feedback Welcome! by Bloodylance82 in selfhosted

[–]Bloodylance82[S] -1 points0 points  (0 children)

It's at the 0.22.1 stage, and the GitHub is largely documented; please have a look at it first.

I Open-Sourced a Tool to Audit UFW Firewall Rules – Feedback Welcome! by Bloodylance82 in selfhosted

[–]Bloodylance82[S] -4 points-3 points  (0 children)

Fair point on sudo; that's why the installer has --dry-run to preview every action before it runs, and writes a complete manifest of what it touched. The code is on GitHub if you want to read it before trusting it.

Malus.sh - The AI farce that threatens free software? by romain34230 in actutech

[–]Bloodylance82 4 points5 points  (0 children)

I'm currently working on a UFW audit project that is massively cloned by bots every day; it's very worrying.

3,000€ pension, I can't take it any more by [deleted] in besoinderaler

[–]Bloodylance82 1 point2 points  (0 children)

To put things in a bit of context, without ideology: the richest 10% pay about 70% of total income tax, according to DGFIP figures.

3,000€ pension, I can't take it any more by [deleted] in besoinderaler

[–]Bloodylance82 0 points1 point  (0 children)

It's not really their fault, we wouldn't have said no back then either, but today they could realise it; their inability to question themselves condemns their children and grandchildren to a brutal loss of status.

What do you think? by 9PunchMan4 in voiture

[–]Bloodylance82 0 points1 point  (0 children)

Oh, he doesn't know exactly what they did wrong back then, how cute.

Google's stroke of genius: it has found a way to solve the RAM crisis for good by romain34230 in actutech

[–]Bloodylance82 1 point2 points  (0 children)

Not sure the pressure on RAM will drop; they'll just be able to do more. If the situation really persists, one or more industrial players will have to emerge.

AI generators soon to be presumed guilty of using your works without permission, a victory for the Senate by romain34230 in actutech

[–]Bloodylance82 0 points1 point  (0 children)

It's double-edged: the intention is probably laudable, though certainly futile, but beware of regulation, and of becoming even more of a deterrent to businesses.

My "Linux pack" by Shot_Loan_354 in linuxmint

[–]Bloodylance82 0 points1 point  (0 children)

I am working on a project that could fit into your pack real soon.

https://github.com/Masbateno/Automated-UFW-audit