Score:0

Does ufw allow all incoming traffic in response to outbound requests?

zm flag

I'm confused how ufw works. I've searched the site but most problems stop traffic from coming in, my problem allows traffic in.

I've set up ufw to only allow my custom ssh port; however, I am running a java program on the server that connects to another server via port 4246, and yet all data from the other server is allowed into my server even though I haven't opened port 4246/tcp. I also haven't allowed any http or https, but all apt commands work without issue as well.

As I understand it, the default function of ufw is "deny (incoming), allow (outgoing)". Does this mean that as long as the connection is created from inside the server, any data in response is allowed in? Is there an actual way to prevent this and only allow data in if it's configured in ufw, regardless of whether a connection was made from inside the server?

Thanks in advance!

ar flag
"*Does this mean that as long as the connection is created from inside the server that any data in response is allowed in?*" **Yes!**
gn flag
You can do what you want, but it might be easier using iptables directly rather than UFW. If you want a default policy of DROP for the OUTPUT chain then you will need to manage things like DNS and DHCP with individual iptables rules, in addition to your custom ssh port traffic.
ar flag
"*I also haven't allowed any http or https but all apt commands work without issue as well.*" This is how the Internet works. The web browser, such as Chrome, or in this case the `apt` program, sends a message to port 80 (or 443) of the web server and tells it to send the data (the web page) back using port XXXXXX, where XXXXXX is a random number. When you "deny (incoming)" it does not deny incoming packets that are specifically asked for by the outgoing packet.
ar flag
See [this question and answers](https://stackoverflow.com/questions/2301075/client-use-high-port-number) for more specific answers on how ephemeral/unregistered ports work.
gn flag
@user68186 : "it does not deny incoming packets that are specifically asked for by the outgoing packet." well, ufw (which is just a front end for iptables) does that by default, but one doesn't have to ACCEPT such replies if they don't want to.
ar flag
@DougSmythies fair enough. Maybe you could write an answer.
zm flag
thank you for the info @user68186 and answering a portion of the question.
Score:0
gn flag

The question was about UFW, but this answer uses iptables directly and might not be what is desired.

You can block outgoing and incoming network packets, except for your SSH ones with this iptables script:

```sh
#!/bin/sh
FWVER=0.01
#
# ask1393247 Smythies 2022.02.16 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1393247/does-ufw-allow-all-incoming-traffic-in-response-to-outbound-requests?noredirect=1#comment2409932_1393247
#       run as sudo on s19.
#       Started from the below:
#
# ask1368071 Smythies 2021.10.08 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1368071/iptables-that-only-allow-incoming-traffic-to-openssh-and-block-all-other-traffic
#       run as sudo on s19.
#       log entries are only for each NEW ssh packet. It seems unreasonable to log every ssh packet, but it could be done.
#

echo "Loading ask1393247 rule set version $FWVER.."

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies s19 computer (for testing). Edit for ask1393247's computer.
EXTIF="br0"
EXTIP="192.168.111.136"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about other users' computers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
# For unknown reasons, ask1393247 does not want the generic version. So commented out.
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# ask1393247 seems to want this: replies are only accepted for the ssh port itself.
echo "flag 1"
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
echo "flag 2"

# Allow and log new SSH connections. Not needed if you don't want to log sessions, but then you need to add NEW above.
# Note: I use port 22, because nobody else can get here anyhow. Change to your port.
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j LOG --log-prefix "ssh traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

# Now, also only let out ssh (replies from the ssh daemon; nothing may start a NEW outbound connection):
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Note: if your computer uses DHCP, then you will need to allow it, both in and out.

# Done.
#
echo "ask1393247 rule set version $FWVER done."
```

And this is the result:

```text
doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy DROP 133 packets, 11819 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     202    13689 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED tcp dpt:22
       4      280 LOG        tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22 LOG flags 0 level 6 prefix "ssh traffic:"
       4      280 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 14 packets, 3240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     164    25505 ACCEPT     tcp  --  *      br0     0.0.0.0/0            0.0.0.0/0            tcp spt:22 state RELATED,ESTABLISHED
```
zm flag
thanks for the info on the "Is there an actual way to prevent this" part of the question. It's unlikely I'll implement this but it is useful information. I'll mark it as the answer.
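The comments above explain the "why" (the reply to an outbound connection is matched as ESTABLISHED and accepted, whatever port it arrives on) and the answer shows the strict alternative in raw iptables. The following toy stateful filter, added here as an example and not code from ufw, iptables or the original posts, models both rule sets over the same constructed packet trace so you can see which packets each one passes. The server address 10.0.0.5, the custom ssh port 2222 and all peer addresses are assumptions made up for the example.

```python
"""Toy stateful packet filter: why 'deny (incoming), allow (outgoing)' still
lets port-4246 data back in, and what the strict rule set costs.
Added example; not code from ufw or from the page's author."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

LOCAL_IP = "10.0.0.5"   # assumed address of the server
SSH_PORT = 2222         # assumed custom ssh port


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the server
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """INPUT/OUTPUT verdicts backed by a conntrack-style flow table.

    allowed_in  : (proto, local port) pairs that may open a NEW inbound flow
    allowed_out : (proto, remote port) pairs that may open a NEW outbound
                  flow; None means 'allow (outgoing)', i.e. anything may
    reply_ports : local ports whose ESTABLISHED packets are accepted; None
                  means the generic ESTABLISHED,RELATED accept ufw installs
    """

    def __init__(self, allowed_in, allowed_out=None, reply_ports=None):
        self.allowed_in: Set[Tuple[str, int]] = set(allowed_in)
        self.allowed_out: Optional[Set[Tuple[str, int]]] = (
            None if allowed_out is None else set(allowed_out))
        self.reply_ports: Optional[Set[int]] = (
            None if reply_ports is None else set(reply_ports))
        self.conntrack: Set[tuple] = set()   # confirmed flows only

    @staticmethod
    def flow_key(pkt: Packet) -> tuple:
        # (proto, local ip, local port, remote ip, remote port), built the
        # same way for both directions so a reply matches its flow
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        local_port = key[2]
        if key in self.conntrack:
            # ESTABLISHED: under ufw defaults accepted regardless of port.
            # This rule lets the 4246 replies and apt's HTTP responses in
            # on an ephemeral port that nobody 'opened'.
            ok = self.reply_ports is None or local_port in self.reply_ports
        elif pkt.direction == "out":
            # NEW outbound flow: OUTPUT chain policy
            ok = self.allowed_out is None or (pkt.proto, pkt.dport) in self.allowed_out
        else:
            # NEW inbound flow: INPUT chain policy, only listed ports
            ok = (pkt.proto, pkt.dport) in self.allowed_in
        if ok:
            # like conntrack, a flow is only confirmed if its packet passes
            self.conntrack.add(key)
        return "ACCEPT" if ok else "DROP"


def run(fw: StatefulFilter, packets: Iterable[Packet]) -> List[str]:
    return [fw.filter(p) for p in packets]


def ufw_defaults() -> StatefulFilter:
    """'deny (incoming), allow (outgoing)' plus an allow for the ssh port."""
    return StatefulFilter(allowed_in={("tcp", SSH_PORT)})


def strict() -> StatefulFilter:
    """Model of the iptables answer: OUTPUT policy DROP, nothing may open an
    outbound flow, and only the ssh port receives ESTABLISHED traffic."""
    return StatefulFilter(allowed_in={("tcp", SSH_PORT)},
                          allowed_out=set(), reply_ports={SSH_PORT})


# Constructed traffic; peer addresses are from the documentation ranges.
PACKETS = [
    Packet("out", "tcp", LOCAL_IP, 49152, "203.0.113.7", 4246),       # java client connects out
    Packet("in",  "tcp", "203.0.113.7", 4246, LOCAL_IP, 49152),       # that server's data comes back
    Packet("in",  "tcp", "198.51.100.9", 55555, LOCAL_IP, 4246),      # unsolicited connection to 4246
    Packet("in",  "tcp", "198.51.100.9", 40001, LOCAL_IP, SSH_PORT),  # new ssh session
    Packet("out", "tcp", LOCAL_IP, SSH_PORT, "198.51.100.9", 40001),  # ssh reply
    Packet("out", "udp", LOCAL_IP, 40002, "192.0.2.53", 53),          # DNS query (apt needs this)
    Packet("in",  "udp", "192.0.2.53", 53, LOCAL_IP, 40002),          # DNS answer
]

if __name__ == "__main__":
    for name, fw in (("ufw defaults", ufw_defaults()), ("strict", strict())):
        print(name)
        for pkt, verdict in zip(PACKETS, run(fw, PACKETS)):
            print(f"  {verdict:6} {pkt.direction:3} {pkt.proto} "
                  f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Under the ufw defaults only the unsolicited connection to 4246 is dropped; the data from the server the java program connected to, and the DNS answer, come in as ESTABLISHED on ephemeral ports. Under the strict model the java connection never leaves the box and DNS is cut too, which is the cost the comments warn about. In real ufw the generic accept lives in /etc/ufw/before.rules (the `ufw-before-input` and `ufw-before-output` rules matching `--ctstate RELATED,ESTABLISHED`), and `ufw default deny outgoing` changes only the OUTPUT policy, so reaching the strict model means editing those before rules, not just the defaults.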