
Hi,

When using a hardened Linux repository, the Veeam services add some temporary rules to UFW, allowing traffic between backup components:

[ 4] 6162/tcp                   ALLOW IN    Anywhere                   # Veeam transport rule
[ 5] 2500/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 6] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 7] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece


Is there any way to limit source IPs?

Is there any config file to insert source IPs, so that the Veeam service can use those IPs when creating the UFW rules?

You can manually restrict the UFW rules by editing them after they are created, or use custom firewall scripts outside of Veeam to enforce source IP restrictions.


Yes, exactly.

I do this and write some ALLOW rules for my IPs and a full DENY before the Veeam rules, to restrict access only to my source IPs:

May help others:


[ 4] 2500:3300/tcp              ALLOW IN    A.B.C.D
[ 5] 6162/tcp                   ALLOW IN    A.B.C.D
[ 6] 6162/tcp                   ALLOW IN    D.E.F.G/30
[ 7] 2500:3300/tcp              DENY IN     Anywhere
[ 8] 6162/tcp                   DENY IN     Anywhere
[ 9] 2500/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp                   ALLOW IN    Anywhere                   # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece


I think it can be a feature request for the next Veeam releases... :)
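The rule ordering in the listing above, as an added shell example that is not from the original thread or from Veeam: it generates the ufw commands that place per-source ALLOW rules and catch-all DENY rules ahead of the Veeam-created "Anywhere" rules, and can apply them with basic safety checks. The source addresses, the 2500:3300 and 6162/tcp ports and the comment strings are assumptions taken from the listing; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not from the original thread or from Veeam.
# Generates (and optionally applies) UFW rules that restrict the Veeam
# transport/data ports to known source addresses. UFW evaluates rules
# top-down, first match wins, so these rules must sit above the
# "Veeam rule ... Anywhere" entries that the Veeam services add later.
# "ufw insert 1" always places a rule at the top, so the DENY rules are
# emitted first and the ALLOW rules after them, which leaves the final
# order as ALLOW <sources>, DENY Anywhere, then the Veeam-created rules.
set -e

# Assumption: the ports opened by the Veeam services, taken from the listing.
VEEAM_PORTS="2500:3300 6162"

# Print the ufw commands for the given sources (hosts or CIDRs), one per
# argument. Nothing is executed here, so the output can be reviewed first.
veeam_ufw_commands() {
    for port in $VEEAM_PORTS; do
        printf 'ufw insert 1 deny in proto tcp from any to any port %s comment "Veeam restrict: deny others"\n' "$port"
    done
    for src in "$@"; do
        for port in $VEEAM_PORTS; do
            printf 'ufw insert 1 allow in proto tcp from %s to any port %s comment "Veeam restrict: %s"\n' "$src" "$port" "$src"
        done
    done
}

# Apply the generated commands. Refuses to run without root or without ufw,
# and requires at least one source so the repository cannot be locked out
# of every backup server by accident (a DENY with no ALLOW above it).
veeam_ufw_apply() {
    [ "$#" -ge 1 ] || { echo "refusing to apply: no source addresses given" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
    veeam_ufw_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
    # Show the resulting order so the ALLOW/DENY placement can be verified.
    ufw status numbered
}

# Usage (hypothetical file name veeam_ufw.sh):
#   sh veeam_ufw.sh 10.0.0.5 10.0.1.0/30              print the commands only
#   sudo sh veeam_ufw.sh --apply 10.0.0.5 10.0.1.0/30  apply them
if [ "${1:-}" = "--apply" ]; then
    shift
    veeam_ufw_apply "$@"
else
    veeam_ufw_commands "$@"
fi
```

Review the printed commands (or prefix each with `ufw --dry-run`) before applying. Because the catch-all DENY sits above the Veeam rules, a backup server or proxy whose address is not in the ALLOW list will lose access to the repository, so the source list has to be kept in step with the backup infrastructure.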


What type of feature request are you looking for, as Veeam needs the ports it uses and the IP addresses for access? If you get too restrictive then it will break.


Yep... as long as you are using a manually configured hardened repo, you can manually add any rule your org requires to the firewall. Not sure if you're able to modify anything in the Veeam-provided VHR ISO. I think this would be a decent feature request @vNabi. I recommend doing so over on the Forums.

Best.


Dynamic rules created by the Veeam services (in a Linux hardened repository) are open to any source IP.

I have to restrict source IPs manually, outside of the Veeam configuration, as I described in my answer.

I think it's better to do this inside of Veeam, for example in Network Traffic Rules, but currently that only manages encryption and throttling.

The feature request could be something like this:

Adding some IP lists in "Network Traffic Rules" for use in the UFW dynamic rules, instead of "Anywhere" as the source IPs.


@vNabi - understood, but I don't think rules within Veeam work that way. Again, you can ping the Product Mgmt team over on the Forums to 1. get clarification on network rule functionality, and 2. submit a feature request for your query. They're pretty good about responding.

Best.


I think @vNabi is saying that they understand that Veeam network rules don't function that way currently, but that it would be nice if there was additional functionality within the Veeam console to be able to configure those rules instead of having to do it on each hardened repository server.

So yes, that definitely sounds like a feature request. I think such a feature would have to be implemented carefully, as misconfiguring it could cause Veeam to lose connection with the hardened repository.

