Objective:
To restrict access to a port forwarded through the UniFi Controller by creating firewall rules that allow traffic to that port only from a specified source IP address.
Background:
When you add a port forward in the UniFi Controller, the system automatically generates a firewall rule allowing all traffic to access the specified port. Unfortunately, this rule is not editable. However, you can create additional rules to control access and restrict it to a specific IP address.
Steps:
- (Optional) Create a Firewall Address Group:
  - This step is optional but recommended if you might want to allow access from more addresses in the future.
  - Navigate to the UniFi Controller interface and create a firewall address group containing just the IP address you want to allow access from.
- Create a Firewall Port Group:
  - Create a firewall port group containing the specific port that you want to allow access to.
- Create a High-Priority Firewall Allow Rule:
  - Create a high-priority firewall rule that allows traffic (Action = Accept) for the required protocol (TCP / UDP) only from the address group you created, or directly from the specified IP address.
  - Leave the source port as any. Set the destination to any address with the port group you set up in the previous step.
- Create Another High-Priority Firewall Deny Rule:
  - Create another high-priority rule that denies traffic (Action = Deny) with the same protocol settings.
  - Set the source to any address at any port, and the destination to any address with the port group you created in step 2.
  - This rule takes higher priority than the automatically created rule, so traffic from anywhere other than the specified IP address is denied.
Important Notes:
- The order of the rules matters: the first rule that matches a connection decides the verdict, so the allow rule must sit above the deny rule. If the deny rule comes first, the trusted address is blocked as well.
- Both rules must be placed above the automatically generated rule; otherwise the automatic rule accepts the traffic before your deny rule is ever reached.
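As an added illustration (not part of the original guide), the following first-match model of the WAN IN rule list shows why the ordering in the notes above matters. The rule fields, the trusted address 203.0.113.10, the other address 198.51.100.77 and the forwarded port 8443 are constructed sample values, and the default verdict for unmatched inbound WAN traffic is assumed to be drop.

```python
"""Added example, not code from the original guide: a minimal first-match
evaluator for the three WAN IN rules described above (trusted allow, deny
the rest, automatic port-forward allow). All addresses and ports are
constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    src_group: frozenset   # source networks; empty set = any address
    dst_ports: frozenset   # destination ports; empty set = any port


def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    """A rule matches when every populated field matches; empty = wildcard."""
    if rule.proto not in ("any", proto):
        return False
    if rule.src_group and not any(ip_address(src) in ip_network(n)
                                  for n in rule.src_group):
        return False
    return not rule.dst_ports or dport in rule.dst_ports


def evaluate(rules: list, proto: str, src: str, dport: int) -> str:
    """First matching rule wins; assumed default for unmatched WAN IN traffic is drop."""
    for rule in rules:
        if matches(rule, proto, src, dport):
            return rule.action
    return "drop"


# Constructed sample values: one trusted admin address and one forwarded port.
TRUSTED = frozenset({"203.0.113.10/32"})   # the address group from step 1
PORT_GROUP = frozenset({8443})             # the port group from step 2

ALLOW_TRUSTED = Rule("allow trusted -> port group", "accept", "tcp", TRUSTED, PORT_GROUP)
DENY_REST = Rule("deny any -> port group", "drop", "tcp", frozenset(), PORT_GROUP)
AUTO_FORWARD = Rule("automatic port-forward rule", "accept", "tcp", frozenset(), PORT_GROUP)

RECOMMENDED = [ALLOW_TRUSTED, DENY_REST, AUTO_FORWARD]  # order the guide prescribes
SWAPPED = [DENY_REST, ALLOW_TRUSTED, AUTO_FORWARD]      # deny above allow: trusted host locked out too
AUTO_FIRST = [AUTO_FORWARD, ALLOW_TRUSTED, DENY_REST]   # automatic rule on top: restriction never applies


def outcome(rules: list) -> dict:
    """Verdict for the trusted address and for an arbitrary other address."""
    return {"trusted": evaluate(rules, "tcp", "203.0.113.10", 8443),
            "other": evaluate(rules, "tcp", "198.51.100.77", 8443)}


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("swapped", SWAPPED), ("auto first", AUTO_FIRST)):
        print(f"{label:12} {outcome(rules)}")
```

Only the recommended order yields accept for the trusted address and drop for everyone else; the two misorderings either lock out the trusted host or leave the port open to all.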