Score:0

UFW not allowing specified ports

br flag

I have this

Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp (Apache)            ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (Apache (v6))       ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

If I do ufw insert 1 deny from IP, it does not work: the IP is still allowed. I assumed it is because default incoming is allow! But should it, though? Should not this rule override the default rule?

And whenever I run ufw default deny incoming, which is the default configuration, I cannot access my server anymore, regardless of all the custom rules I added.

I ran ufw reset and also iptables -F, and did the following:

ufw allow apache
ufw allow ssh

And I could not connect unless I changed ufw default incoming to allow.

Note: I think maybe this is because I ran iptables -F. I had to, because I added some custom rules to iptables directly, not through ufw, and I wanted to start over.

Please advise.

cl flag
ufw is garbage. I spent days debugging it, but the conclusion is just the same: sometimes it works, sometimes it doesn't. Remove it and use firewalld, always.
Score:0
us flag

As you mentioned, the default incoming rule is "allow incoming". Thus the "ufw insert 1 deny from IP" command adds a new rule at the first position of the firewall rules list, but it is being overridden by the default rule of "allow incoming" traffic.

When you run the command "ufw default deny incoming", it sets the default policy for incoming traffic to "deny", but this rule is applied after all the other rules you have set up.

To get your scenario working, you need to set the default ufw policy to deny, using the following command.

ufw default deny incoming

In your case

ufw default deny incoming
ufw allow from x.x.x.x   # your trusted IP address (optional)
ufw allow from x.x.x.x   # your trusted IP address (optional)
ufw allow ssh
ufw allow http
ufw allow https

Note: maybe you also need to change the default ufw rule on the outgoing chain.

ufw default allow outgoing
AL-Kateb
br flag
As it turned out, counterintuitively, the order mattered. So basically I had to do `ufw default deny incoming` BEFORE I added my custom rules, which is strange, since it literally says "default" and should be overridden by the custom rules regardless of the order in which these rules are executed.
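As an added example, not part of the question or of the answer above, here is a small POSIX shell audit helper that reads the text of `ufw status verbose` (the same format quoted at the top of the question) and reports whether the default incoming policy is still "allow", which is the state the answer tells you to change before adding allow rules. The sample status text is constructed from the question's output (IPv4 rules only), and the function names `default_incoming`, `count_open_allows` and `check_policy` are my own; they are not ufw commands.

```shell
#!/bin/sh
# Added audit helper (not from the thread): read `ufw status verbose` text and
# flag a default-allow incoming policy, the configuration the answer says to avoid.

# Constructed sample, modelled on the status output quoted in the question
# (IPv4 rules only).
UFW_SAMPLE='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp (Apache)            ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere'

# default_incoming: print the default incoming policy (allow/deny/reject)
# taken from the "Default:" line of status text read on stdin.
default_incoming() {
    sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# count_open_allows: number of ALLOW IN rules whose source is "Anywhere",
# i.e. ports exposed to every IPv4 address. grep -c prints 0 (and exits 1)
# when nothing matches, so "|| true" keeps the count usable under set -e.
count_open_allows() {
    grep -c 'ALLOW IN *Anywhere$' || true
}

# check_policy STATUS_TEXT: succeed (0) only when incoming is default-deny
# (or reject), the configuration the answer recommends; otherwise print a
# warning on stderr and fail (1).
check_policy() {
    policy=$(printf '%s\n' "$1" | default_incoming)
    if [ "$policy" = "deny" ] || [ "$policy" = "reject" ]; then
        return 0
    fi
    open=$(printf '%s\n' "$1" | count_open_allows)
    echo "WARNING: default incoming policy is '$policy'; $open rule(s) allow from Anywhere," \
         "but every port not listed is reachable too. Run 'ufw default deny incoming'" \
         "before adding allow rules." >&2
    return 1
}

# Live use on a host (needs root): check_policy "$(ufw status verbose)"
# On the constructed sample the check fails, because incoming is default-allow.
if check_policy "$UFW_SAMPLE"; then
    echo "default-deny incoming is in place"
fi
```

The check only looks at the "Default:" line because that is what decides whether unlisted ports are reachable; the per-rule counts are reported so that, after switching to default-deny, you can confirm that the remaining "Anywhere" allows are the ones you intended (ssh, http, https in the answer).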