Score:0

ufw firewall not working as expected (block specific incoming IPs)

br flag

So, I see these Apache access.log entries coming in every minute:

mydomain.com:80 95.211.199.153 - - [19/Apr/2023:23:34:28 +0000] "GET /index.html HTTP/1.1" 200 1425 "-" "Leaf/52 CFNetwork/1402.0.8 Darwin/22.2.0"

So I like to deny that IP address.

My Debian ("… 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux") uses ufw, and ufw status shows:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
WWW Full                   ALLOW       Anywhere                  
WWW                        ALLOW       Anywhere                  
WWW Secure                 ALLOW       Anywhere                  
2235                       ALLOW       Anywhere                  
1194/udp                   ALLOW       Anywhere                  
5432/tcp                   ALLOW       Anywhere                  
Anywhere                   DENY        31.204.152.226            
OpenSSH (v6)               ALLOW       Anywhere (v6)             
WWW Full (v6)              ALLOW       Anywhere (v6)             
WWW (v6)                   ALLOW       Anywhere (v6)             
WWW Secure (v6)            ALLOW       Anywhere (v6)             
2235 (v6)                  ALLOW       Anywhere (v6)             
1194/udp (v6)              ALLOW       Anywhere (v6)             
5432/tcp (v6)              ALLOW       Anywhere (v6)             
5432/udp (v6)              ALLOW       Anywhere (v6)             
5433/tcp (v6)              ALLOW       Anywhere (v6)             
5434/tcp (v6)              ALLOW       Anywhere (v6)             

The problem is that I still keep getting the http queries every minute despite this.

What am I doing wrong?

When I check iptables -L, I get a long list, about 180 lines, but none of them mention that IP address.

I did set up ufw years ago because I had installed something that said I should use it, but I find it hard to use, partially because help is hardly available (no man page, and no cmdline help for specific cmds as far as I can figure out).

I'm a rather inexperienced linux admin - I only set up a linux system to run some basic services (Apache, gitlab, postgresql). I'm a bit over my head here.

I also looked for related answers:

The server is a virtual one on digitalocean, in case that matters.

Jaromanda X avatar
ru flag
but ... your HTTP is `ALLOW Anywhere` so of course HTTP queries will be allowed from anywhere - also, the request is coming from `95.211.199.153` but your only deny is from `31.204.152.226`
ThomasAtFault avatar
br flag
Ah, thanks. The IP address confusion is just a copy/paste error in the description. But the order of the rules is probably the actual issue. Thanks for helping!
Score:0
br flag

@jaromanda-x made it clear where my mistake was:

I had added the DENY rule with ufw add, but I should have used ufw insert 1 … so that it comes before the ALLOW rules.
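To make the ordering point concrete, here is an added model of ufw's first-match evaluation; it is not code from the question or from ufw itself. It assumes the stock ufw application profiles (OpenSSH 22/tcp, WWW 80/tcp, WWW Secure 443/tcp, WWW Full 80+443/tcp) and ufw's default policy of denying incoming traffic, and uses a rule table constructed from the status output above.

```python
"""Added model of ufw's first-match evaluation (not code from the question
or from ufw): incoming packets walk the user rules top-down, first match wins."""
import re
from ipaddress import ip_address, ip_network

# Ports behind the stock ufw application profiles seen in the question.
PROFILES = {
    "OpenSSH": {("tcp", 22)},
    "WWW": {("tcp", 80)},
    "WWW Secure": {("tcp", 443)},
    "WWW Full": {("tcp", 80), ("tcp", 443)},
}

def parse_rule(row):
    """Parse one row of `ufw status` output ("To  Action  From")."""
    to, action, src = re.split(r"\s{2,}", row.strip())
    if to in PROFILES:
        ports = PROFILES[to]
    elif to == "Anywhere":
        ports = None                      # any port, any protocol
    else:                                 # "2235" or "1194/udp"
        port, _, proto = to.partition("/")
        protos = [proto] if proto else ["tcp", "udp"]
        ports = {(p, int(port)) for p in protos}
    net = ip_network("0.0.0.0/0") if src == "Anywhere" else ip_network(src)
    return {"ports": ports, "action": action, "src": net}

def decide(rules, src_ip, proto, port):
    """Return the action of the first rule matching the packet.
    Assumes ufw's stock default policy of denying incoming traffic."""
    for r in rules:
        if ip_address(src_ip) in r["src"] and (
                r["ports"] is None or (proto, port) in r["ports"]):
            return r["action"]
    return "DENY"

# Constructed rule table: the question's ALLOW rules with the DENY
# appended at the end, which is where `ufw deny from <ip>` puts it.
APPENDED = [parse_rule(r) for r in """
OpenSSH                    ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
WWW                        ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
Anywhere                   DENY        95.211.199.153
""".strip().splitlines()]
# The same rules after `ufw insert 1 deny from 95.211.199.153`.
INSERTED = [APPENDED[-1]] + APPENDED[:-1]
```

With the DENY appended, `decide(APPENDED, "95.211.199.153", "tcp", 80)` returns ALLOW because "WWW Full" matches first; with it inserted at position 1 the same packet returns DENY, which is what `ufw status numbered` lets you verify on the server.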
