Skip to main content
Answer

UFW in hardened repository

  • August 21, 2025
  • 7 comments
  • 65 views
V
  • vNabi
  • Not a newbie anymore

Hi,

When using hardened linux repository, veeam services add some temporary rules to UFW, allowing traffic between backup components:

[ 4] 6162/tcp ALLOW IN Anywhere # Veeam transport rule

[ 5] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece

[ 6] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece

[ 7] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece

 

Is there any way to limit source IPs ?

Is there any config file to insert source IPs, so that veeam service can use those IP for creating UFW rules?

Best answer by vNabi

Yes, exactly.

I do this and write some ALLOW for my IPs and a Full Deny before veeam rules to restrict access only to my source IPs:

May help others:


[ 4] 2500:3300/tcp              ALLOW IN    A.B.C.D
[ 5] 6162/tcp                   ALLOW IN    A.B.C.D
[ 6] 6162/tcp                   ALLOW IN    D.E.F.G/30
[ 7] 2500:3300/tcp              DENY IN     Anywhere
[ 8] 6162/tcp                   DENY IN     Anywhere
[ 9] 2500/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece

 

I think it can be a feature request for next veeam releases…. :)

Chris.Childerhose
Iams3le
waqasali

7 comments

waqasali
Forum|alt.badge.img+4
  • waqasali
  • On the path to Greatness
  • August 21, 2025

You can manually restrict UFW rules by editing them after they are created or using custom firewall scripts outside the veeam to enforce source IP restrictions.

Waqas Ali
V
V
  • vNabi
  • Author
  • Not a newbie anymore
  • Answer
  • August 21, 2025

Yes, exactly.

I do this and write some ALLOW for my IPs and a Full Deny before veeam rules to restrict access only to my source IPs:

May help others:


[ 4] 2500:3300/tcp              ALLOW IN    A.B.C.D
[ 5] 6162/tcp                   ALLOW IN    A.B.C.D
[ 6] 6162/tcp                   ALLOW IN    D.E.F.G/30
[ 7] 2500:3300/tcp              DENY IN     Anywhere
[ 8] 6162/tcp                   DENY IN     Anywhere
[ 9] 2500/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece

 

I think it can be a feature request for next veeam releases…. :)

coolsport00
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • August 21, 2025

What type of feature request are you looking for as Veeam needs the ports it uses and IP addresses for access.  If you get too restrictive then it will break.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
waqasali
coolsport00
Forum|alt.badge.img+21
  • coolsport00
  • Veeam Legend
  • August 21, 2025

Yep...as long as you are using manually config’d hardened repo, you can manually add any rule your org requires to the f/w. Not sure if you’re able to modify anything in the Veeam-provided VHR ISO. I think this would be a decent feature request ​@vNabi . I recommend doing so over on the Forums.

Best.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
waqasali
V
  • vNabi
  • Author
  • Not a newbie anymore
  • August 21, 2025

Dynamic rules created by veeam services (in linux hardened repository) are open for any source IP. 

I have to restrict source IPs manually outside of veeam configurations as I described in my answer.

I think it’s better to do this inside of veeam, for example in Network Traffic Rules, but now it only manages encryption and throttling. 

Feature request can be something like this:

Adding some IP lists in “Network Traffic Rules” for use in UFW dynamic rules instead of “anywhere” for source IPs.

Chris.Childerhose
waqasali
coolsport00
Forum|alt.badge.img+21
  • coolsport00
  • Veeam Legend
  • August 21, 2025

@vNabi - understood, but don’t think rules within Veeam work that way. Again, you can ping the Product Mgmt team over on the Forums to 1. get clarification on network rule functionality, and 2. submit a feature request for your query. They’re pretty good about responding.

Best.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
V
waqasali
Tommy O'Shea
Forum|alt.badge.img+5
  • Tommy O'Shea
  • Veeam Legend
  • August 21, 2025

@vNabi - understood, but don’t think rules within Veeam work that way. Again, you can ping the Product Mgmt team over on the Forums to 1. get clarification on network rule functionality, and 2. submit a feature request for your query. They’re pretty good about responding.

Best.

I think ​@vNabi is saying that they understand that Veeam network rules don’t function that way currently, but that it would be nice if there was additional functionality within the Veeam console to be able to configure those rule instead of having to do it on each hardened repository server.

So yes, that definitely sounds like a feature request. I think such a feature would have to be implemented carefully, as misconfiguring it could cause Veeam to lose connection with the hardened repository.

Tommy O’Shea, VMCE, VMCE-SP, VMCA
Chris.Childerhose
coolsport00
G
Terms & ConditionsAccessibility statement