UFW blocking existing outbound connections when enabled

I'm having a problem where ufw seems to be blocking existing outbound connections on port 443 when it is enabled. Example:

Feb 24 17:53:00 server5 kernel: [18571501.131985] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x60 TTL=51 ID=24902 DF PROTO=TCP SPT=443 DPT=44496 WINDOW=0 RES=0x00 RST URGP=0 
Feb 24 17:33:40 server5 kernel: [18570340.976130] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=52.10.136.43 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=228 ID=23746 DF PROTO=TCP SPT=443 DPT=59404 WINDOW=118 RES=0x00 ACK PSH URGP=0
Feb 27 00:47:07 server5 kernel: [18769144.299731] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=1460 TOS=0x00 PREC=0x60 TTL=51 ID=60877 DF PROTO=TCP SPT=443 DPT=42030 WINDOW=229 RES=0x00 ACK URGP=0

Also getting some UDP packets blocked even though I've specifically allowed UDP from 1025-65535:

Feb 24 17:52:19 server5 kernel: [18571459.414576] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=5.6.7.8 DST=1.2.3.4 LEN=69 TOS=0x00 PREC=0x00 TTL=44 ID=59557 PROTO=UDP SPT=58678 DPT=49900 LEN=49 

(I've replaced our server ip with 1.2.3.4). The blocked traffic are outgoing curl connections to google drive and Vimeo.

Here is how I set it up:

ufw reset
ufw default allow outgoing
ufw default deny incoming
ufw allow from 96.54.177.7 proto tcp to any port 22
ufw allow from 50.70.255.166 proto tcp to any port 22
ufw allow 443/tcp
ufw allow 80/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 1025:65535/udp

ufw status shows:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    99.99.99.99               
22/tcp                     ALLOW IN    99.99.99.99             
443/tcp                    ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
25/tcp                     ALLOW IN    Anywhere                  
587/tcp                    ALLOW IN    Anywhere                  
  

In testing:

• starting a new upload to Vimeo after enabling ufw works fine. Nothing seems to be blocked.
• enabling ufw in the middle of a Vimeo upload seems to break it.
• telnetting to port 587 (mail) from the server to somewhere else and enabling ufw doesn't seem to cause any problems. The connection remains open and I can type help, etc.
• conntrack doesn't ever show outbound connections, but does show inbound connections ok.
• when I test on a new ubuntu 20.04 cloud server instance, there are no problems...I see no packets blocked for port 443, and the uploads work fine. But on the test cloud server conntrack is not installed, and even after I install conntrack and conntrackd I don't see any connections at all listed in "conntrack -L".

So, I'm a little confused about what exactly is going on here and whether I should be worried about it. I don't really want to enable ufw until I fully understand what it is going to do to my traffic. How exactly does it keep track of outbound connections if conntrack doesn't track them?

I think there may be a few things going on here, but I'd like to understand why I'm seeing these. The UDP and ACK blocks are the most worrying, but they only seem to happen for a fraction of a second after enabling ufw, so I'm wondering if there is a slight delay while ufw is enabling the rules. The other (RST) may just be due to the connection being closed. The ACK blocks seem to be causing problems with any existing open outbound connections that are actively sending data when the firewall is enabled.

For this one:

Feb 24 17:53:00 server5 kernel: [18571501.131985] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x60 TTL=51 ID=24902 DF PROTO=TCP SPT=443 DPT=44496 WINDOW=0 RES=0x00 RST URGP=0 

That is not unusual. See more detail in one of my previous answers here.

The next one:

Feb 24 17:33:40 server5 kernel: [18570340.976130] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=52.10.136.43 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=228 ID=23746 DF PROTO=TCP SPT=443 DPT=59404 WINDOW=118 RES=0x00 ACK PSH URGP=0

Is not so clear, but also there have been issues with connection dropping upon transition from UFW disabled to enabled in the past. Some investigation methods are provided in another previous answer of mine here

For this one:

conntrack doesn't ever show outbound connections, but does show inbound connections ok.

That is not true. Here is an example:

doug@s15:~$ sudo conntrack -L | grep 192.168.111.134
tcp      6 35972 ESTABLISHED src=192.168.111.1 dst=192.168.111.134 sport=36866 dport=22 src=192.168.111.134 dst=192.168.111.1 sport=22 dport=36866 [ASSURED] mark=0 use=1
conntrack v1.4.6 (conntrack-tools): 68 flow entries have been shown.

That is an outgoing connection made from my main gateway server at 192.168.111.1 to a raspberry pi at 192.168.111.134.

If you look closely you can see that your dropped traffic is incoming traffic DST=1.2.3.4 DST stands for destination and as you stated 1.2.3.4 is your IP.

According to the output of ufw status The traffic has the source-port 443 (SPT) not DPT (which would have been allowed) and thus it is being dropped by ufw.

My guess is that you made a mistake somewhere (probably related to network address translation) that has the effect that the firewall is not stateful.