Score:0

ufw will not block access to ssh from any

I have created a rule that should block traffic from all IP addresses except from my IP address. At least, so I thought, but it does not block the traffic. I can still access both SSH and 16000 from any IP address. What am I doing wrong here?

This is how it looks in `ufw status verbose`:

```text
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    *My IP*
22/tcp (OpenSSH)           DENY IN     Anywhere
16000/tcp (Filemaker Administration) ALLOW IN    *My IP*
16000/tcp (Filemaker Administration) DENY IN     Anywhere
80,443,5003/tcp (Filemaker Server) ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      DENY IN     Anywhere (v6)
16000/tcp (Filemaker Administration (v6)) DENY IN     Anywhere (v6)
80,443,5003/tcp (Filemaker Server (v6)) ALLOW IN    Anywhere (v6)
```
SEWTGIYWTKHNTDS:
Is *MY IP* a public IP address, and is it a single host or a network address? Can you describe your network setup in more detail: are you using NAT and port forwarding? Are you using a VPN? These rules should work, so I think the issue is with either the *My IP* field or the origin of the packets always appearing to be your IP (NAT/VPN connections might cause this).
DrZaphod:
My IP is my public IP address in front of my NAT router. The computer with the firewall rules is on the public network with a public IP. There is no VPN involved in this scenario. If I presented my NAT IP, I should be blocked, but I am not. When I log into the server, it shows my public IP, and it allows me into the computer from whatever IP address I have.
Doug Smythies:
ufw is just a front end for iptables. Post the resulting iptables rule set: `sudo iptables -xvnL` and `sudo iptables -t nat -xvnL`, although ufw generated rule sets are difficult to read and follow.
SEWTGIYWTKHNTDS:
From what you describe, you are connecting to the server (which is somewhere on the internet) from your local network, which sits behind your NAT router. In this scenario the server will always see your router's external IP address, and you will be able to connect no matter which local IP you have on your local network (NAT translates private addresses, e.g. 192.168.0.x, to the internet-facing public address; the remote system only sees the external address, never the 192.168.0.x address). I hope I understood your config and that this helps.
SEWTGIYWTKHNTDS:
Try scanning your server with a tool such as https://www.ipfingerprints.com/portscan.php. I expect that ufw is working as you want.
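To make the two points in this thread concrete (ufw evaluates the rule table top to bottom and the first match wins; a LAN host behind NAT always presents the router's public address to the server), here is an added simulation of the question's rule table. It is example code written for this page, not ufw itself or anything the asker posted; the asker's redacted `*My IP*` is replaced with a constructed placeholder address, and the LAN and probe addresses are constructed too.

```python
import ipaddress

# Placeholder for the asker's redacted "*My IP*" (documentation range, constructed).
MY_IP = "203.0.113.10"

# Rules copied from the question's `ufw status verbose` table, in ufw order.
RULES = [
    ("22/tcp", "ALLOW", MY_IP),
    ("22/tcp", "DENY", "Anywhere"),
    ("16000/tcp", "ALLOW", MY_IP),
    ("16000/tcp", "DENY", "Anywhere"),
    ("80,443,5003/tcp", "ALLOW", "Anywhere"),
]
DEFAULT_INCOMING = "DENY"  # "Default: deny (incoming)" in the status output

# RFC 1918 ranges: addresses a NAT router rewrites on the way out.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ports(to_spec):
    """'80,443,5003/tcp' -> {80, 443, 5003}"""
    return {int(p) for p in to_spec.split("/")[0].split(",")}


def _from_matches(from_spec, src_ip):
    if from_spec == "Anywhere":
        return True
    # A bare host such as 203.0.113.10 is treated as a /32, as ufw does.
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(from_spec, strict=False)


def evaluate(src_ip, dst_port, rules=RULES):
    """Action ufw applies to a TCP packet: first matching rule wins, else the default policy."""
    for to_spec, action, from_spec in rules:
        if dst_port in _ports(to_spec) and _from_matches(from_spec, src_ip):
            return action
    return DEFAULT_INCOMING


def seen_by_server(client_ip, nat_public_ip):
    """Source address the server sees: NAT replaces a private LAN address with its public one."""
    addr = ipaddress.ip_address(client_ip)
    return nat_public_ip if any(addr in net for net in RFC1918) else client_ip


if __name__ == "__main__":
    for lan_host in ("192.168.0.5", "192.168.0.77"):   # two constructed LAN clients
        src = seen_by_server(lan_host, MY_IP)
        print(f"{lan_host} -> server sees {src}: ssh {evaluate(src, 22)}")
    print("198.51.100.7 -> ssh", evaluate("198.51.100.7", 22))     # a host outside the LAN
    print("198.51.100.7 -> https", evaluate("198.51.100.7", 443))
```

Every LAN client arrives as `MY_IP` and hits the ALLOW rule, which is exactly why testing from behind your own router cannot show the DENY rule working; only a probe from a different public address exercises it.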