Channel: R&D Forums

Veeam Backup & Replication • UFW in hardened repository

Hi,
When using a hardened Linux repository, Veeam services add some temporary rules to UFW, allowing traffic between backup components:
[ 4] 6162/tcp ALLOW IN Anywhere # Veeam transport rule
[ 5] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 6] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 7] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
Is there any way to limit source IPs?

I solved this by writing some ALLOW rules for my IPs and a full DENY before the Veeam rules, to restrict access to only my source IPs.
This may help others:
[ 4] 2500:3300/tcp ALLOW IN A.B.C.D
[ 5] 6162/tcp ALLOW IN A.B.C.D
[ 6] 6162/tcp ALLOW IN D.E.F.G/30
[ 7] 2500:3300/tcp DENY IN Anywhere
[ 8] 6162/tcp DENY IN Anywhere
[ 9] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[10] 2501/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[11] 2507/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
Dynamic rules created by Veeam services (in a Linux hardened repository) are open to any source IP.
I have to restrict source IPs manually, outside of the Veeam configuration, as I described in my answer.
I think it's better to do this inside Veeam, for example in Network Traffic Rules, but for now that only manages encryption and throttling.

Now, it's a feature request :)

Adding some IP lists in “Network Traffic Rules” for use in UFW dynamic rules instead of “anywhere” for source IPs.

Statistics: Posted by vNabi — Aug 21, 2025 11:51 am
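
A check for the ordering workaround described in the post, as an added example that is not part of the original post or Veeam's code: it parses `ufw status numbered` output and lists the Veeam ALLOW-from-Anywhere rules that no earlier DENY or REJECT from Anywhere covers, since UFW applies the first matching rule. The function names and the sample listing are constructed for illustration; the sample uses the documentation address 192.0.2.10, and the "Veeam" comment prefix is taken from the listings above.

```python
import re

RULE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)(\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+IN\s+"
                  r"(.+?)(?:\s+#\s*(.*))?$")

# Constructed sample modelled on the post's listings; 6162/tcp has no deny in front of it.
SAMPLE = """\
[ 4] 2500:3300/tcp ALLOW IN 192.0.2.10
[ 5] 2500:3300/tcp DENY IN Anywhere
[ 6] 2500/tcp ALLOW IN Anywhere # Veeam rule eeba7ea1-3cd4-4251-8800-9fa455f03ece
[ 7] 6162/tcp ALLOW IN Anywhere # Veeam transport rule
"""

def parse_ports(spec):
    """'2500:3300/tcp' -> (2500, 3300, 'tcp'); None for app names or port lists."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?(?:/(tcp|udp))?", spec)
    return (int(m[1]), int(m[2] or m[1]), m[3]) if m else None

def parse_rules(status_text):
    rules = []
    for line in status_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            num, spec, v6, action, src, comment = m.groups()
            rules.append({"num": int(num), "ports": parse_ports(spec), "v6": bool(v6),
                          "action": action, "src": src.strip(), "comment": comment or ""})
    return rules

def covers(d, a):
    """True if deny spec d (range, proto) fully includes allow spec a."""
    return bool(d and a) and d[0] <= a[0] and a[1] <= d[1] and d[2] in (None, a[2])

def exposed_veeam_rules(status_text):
    """Numbers of Veeam ALLOW-from-Anywhere rules not shadowed by an earlier deny."""
    rules, exposed = parse_rules(status_text), []
    for i, r in enumerate(rules):
        if not (r["action"] == "ALLOW" and r["src"].startswith("Anywhere")
                and r["comment"].startswith("Veeam")):
            continue
        shadowed = any(p["action"] in ("DENY", "REJECT") and p["src"].startswith("Anywhere")
                       and p["v6"] == r["v6"] and covers(p["ports"], r["ports"])
                       for p in rules[:i])
        if not shadowed:
            exposed.append(r["num"])
    return exposed

if __name__ == "__main__":
    print(exposed_veeam_rules(SAMPLE))
```

IPv4 and IPv6 rules are compared separately, so an IPv4 deny does not count as shadowing a `(v6)` allow rule.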


