diff --git a/backend/app/service/firewall.go b/backend/app/service/firewall.go
index f937a2323..b2bc52ed3 100644
--- a/backend/app/service/firewall.go
+++ b/backend/app/service/firewall.go
@@ -233,13 +233,13 @@ func (u *FirewallService) OperatePortRule(req dto.PortRuleOperate, reload bool)
 }
 return nil
 }
- if req.Protocol == "tcp/udp" {
- req.Protocol = ""
- }
 for _, addr := range itemAddress {
 if len(addr) == 0 {
 addr = "Anywhere"
 }
+ if req.Protocol == "tcp/udp" {
+ req.Protocol = ""
+ }
 req.Address = addr
 if err := u.operatePort(client, req); err != nil {
 global.LOG.Errorf("%s port %s/%s failed (strategy: %s, address: %s), err: %v", req.Operation, req.Port, req.Protocol, req.Strategy, req.Address, err)
diff --git a/backend/utils/firewall/client/ufw.go b/backend/utils/firewall/client/ufw.go
index acf070e71..56b9f8edc 100644
--- a/backend/utils/firewall/client/ufw.go
+++ b/backend/utils/firewall/client/ufw.go
@@ -165,7 +165,7 @@ func (f *Ufw) RichRules(rule FireInfo, operation string) error {
 return buserr.New(constant.ErrCmdIllegal)
 }
- ruleStr := fmt.Sprintf("%s %s ", f.CmdStr, rule.Strategy)
+ ruleStr := fmt.Sprintf("%s insert 1 %s ", f.CmdStr, rule.Strategy)
 if operation == "remove" {
 ruleStr = fmt.Sprintf("%s delete %s ", f.CmdStr, rule.Strategy)
 }
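Review bot: The `tcp/udp` check moved into the `for _, addr := range itemAddress` body is loop-invariant in the lines shown: nothing visible in the loop assigns `req.Protocol`, and `u.operatePort(client, req)` receives `req` by value, so the callee cannot change it. If code later in the loop body (outside this hunk) does rewrite the field, the move needs a one-line comment saying so; otherwise the check belongs back above the loop. Separately, the `Errorf` line logs the already-normalised value, so a failed `tcp/udp` rule is reported with an empty protocol (`port 80/ failed`, constructed example). Keeping the original in a local such as `proto := req.Protocol` for the log message would make firewall failures easier to audit.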
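Review bot: Building every non-remove rule as `insert 1` in `RichRules` changes rule precedence, not just syntax: ufw matches first-hit, so each rule added through this path now sits above all existing ones. A broad allow added later will therefore override an earlier, narrower deny. If that last-added-wins ordering is intended, state it at the assignment, e.g. `// insert at position 1: ufw is first-match, so the newest rule takes precedence`, and consider whether allow rules should really be placed above existing deny rules. It is also worth confirming behaviour on an empty rule set and for IPv6 sources, where ufw may reject position 1 as invalid; a fallback to the plain append form on that error would keep rule creation from failing. The function body continues outside the hunk, so how `ruleStr` is completed and executed is not visible here.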