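#!/usr/bin/env bash
# Audit: every listening TCP/UDP port (loopback excluded) should have a UFW rule.
# Compares the ports `ss` reports as listening with the numeric port entries in
# `ufw status verbose` and prints the listeners that have no matching rule.
# Requires bash 4+, ss (iproute2) and ufw; `ufw status` normally needs root.
# Known limits (same as the original logic): the comparison is by port number
# only, so tcp and udp are not distinguished, and rules expressed as application
# profiles (names rather than numbers) are not recognised.
{
  a_ufwout=()
  a_openports=()

  # Port numbers at the start of each `ufw status verbose` rule line. \K drops the
  # matched leading whitespace so only the digits are stored.
  while IFS= read -r l_ufwport; do
    [[ -n "$l_ufwport" ]] && a_ufwout+=("$l_ufwport")
  done < <(ufw status verbose | grep -Po '^\h*\K\d+\b' | sort -u)

  # Listening ports, skipping loopback addresses. The port is taken from after the
  # LAST colon so IPv6 wildcard listeners such as "[::]:22" are kept; the original
  # split(":") used the second field, which is empty for "[::]:22" and so silently
  # dropped every IPv6 listener from the audit.
  while IFS= read -r l_openport; do
    [[ -n "$l_openport" ]] && a_openports+=("$l_openport")
  done < <(ss -tuln | awk '
    $5 !~ /%lo:/ && $5 !~ /127\.0\.0\.1:/ && $5 !~ /\[?::1\]?:/ {
      port = $5
      sub(/.*:/, "", port)
      if (port ~ /^[0-9]+$/) print port
    }' | sort -u)

  # Set difference (open minus ufw): ufw ports are emitted twice so they can
  # never survive `uniq -u`; a port listed exactly once is open with no rule.
  # `awk NF` removes the blank line printf emits when all arrays are empty.
  mapfile -t a_diff < <(
    printf '%s\n' "${a_openports[@]}" "${a_ufwout[@]}" "${a_ufwout[@]}" \
      | awk 'NF' | sort | uniq -u
  )

  if (( ${#a_diff[@]} > 0 )); then
    printf '\n- Audit Result:\n ** FAIL **\n- The following port(s) don'\''t have a rule in UFW:\n'
    printf '%s\n' "${a_diff[@]}"
    printf -- '- End List\n'
  else
    printf '\n - Audit Passed -\n- All open ports have a rule in UFW\n\n'
  fi
}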
For each port identified in the audit that does not have a firewall rule, evaluate the service listening on the port and add a rule accepting or denying inbound connections in accordance with local site policy:
Examples:
# ufw allow in <port>/<tcp or udp protocol>
# ufw deny in <port>/<tcp or udp protocol>
Note: The examples create rules from any source to any destination. More specific rules should be considered when allowing inbound traffic, e.g. only traffic from this network.
Example to allow traffic on port 443 using the tcp protocol from the 192.168.1.0 network: