Delete existing ufw rules before adding new ones

jvstme · jvstme · commit ff26a27a0242 · 2025-09-04T08:26:43.000+02:00
diff --git a/src/dstack/_internal/core/backends/base/compute.py b/src/dstack/_internal/core/backends/base/compute.py
@@ -668,12 +668,15 @@ def get_setup_cloud_instance_commands(
         ),
     ]
     if not skip_firewall_setup:
-        for subnet in firewall_allow_from_subnets:
-            commands.append(f"ufw allow from {subnet}")
         commands += [
-            "ufw allow ssh",
+            "ufw --force reset",  # Some OS images have default rules like `allow 80`. Delete them
             "ufw default deny incoming",
             "ufw default allow outgoing",
+            "ufw allow ssh",
+        ]
+        for subnet in firewall_allow_from_subnets:
+            commands.append(f"ufw allow from {subnet}")
+        commands += [
             "ufw --force enable",
         ]
     return commands
diff --git a/src/dstack/_internal/core/backends/digitalocean_base/compute.py b/src/dstack/_internal/core/backends/digitalocean_base/compute.py
@@ -26,12 +26,6 @@
 logger = get_logger(__name__)
 
 MAX_INSTANCE_NAME_LEN = 60
-
-# Setup commands for DigitalOcean instances
-SETUP_COMMANDS = [
-    "sudo ufw delete limit ssh",
-]
-
 DOCKER_INSTALL_COMMANDS = [
     "export DEBIAN_FRONTEND=noninteractive",
     "mkdir -p /etc/apt/keyrings",
@@ -91,9 +85,9 @@ def create_instance(
         size_slug = instance_offer.instance.name
 
         if not instance_offer.instance.resources.gpus:
-            backend_specific_commands = SETUP_COMMANDS + DOCKER_INSTALL_COMMANDS
+            backend_specific_commands = DOCKER_INSTALL_COMMANDS
         else:
-            backend_specific_commands = SETUP_COMMANDS
+            backend_specific_commands = None
 
         project_id = None
         if self.config.project_name:
diff --git a/src/dstack/_internal/core/backends/gcp/compute.py b/src/dstack/_internal/core/backends/gcp/compute.py
@@ -951,7 +951,7 @@ def _get_user_data(
         bin_path=bin_path,
         backend_shim_env=backend_shim_env,
         # Instance-level firewall is optional on GCP. The main protection comes from GCP firewalls.
-        # So only set up instance-level firewall if ufw is available.
+        # So only set up instance-level firewall as an additional measure if ufw is available.
         skip_firewall_setup=not is_ufw_installed,
     )
 

Original file line number	Diff line number	Diff line change
`@@ -951,7 +951,7 @@ def _get_user_data(`
`951`	`951`	`bin_path=bin_path,`
`952`	`952`	`backend_shim_env=backend_shim_env,`
`953`	`953`	`# Instance-level firewall is optional on GCP. The main protection comes from GCP firewalls.`
`954`		`- # So only set up instance-level firewall if ufw is available.`
	`954`	`+ # So only set up instance-level firewall as an additional measure if ufw is available.`
`955`	`955`	`skip_firewall_setup=not is_ufw_installed,`
`956`	`956`	`)`
`957`	`957`