Asked Fri, July 1, 2022, 5:16:09 (answers: 1, hits: 2151)

I'm having a problem where ufw seems to be blocking existing outbound connections on port 443 when it is enabled. Example:
Feb 24 17:53:00 server5 kernel: [18571501.131985] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x60 TTL=51 ID=24902 DF PROTO=TCP SPT=443 DPT=44496 WINDOW=0 RES=0x00 RST URGP=0 
Feb 24 17:33:40 server5 kernel: [18570340.976130] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=52.10.136.43 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=228 ID=23746 DF PROTO=TCP SPT=443 DPT=59404 WINDOW=118 RES=0x00 ACK PSH URGP=0
Feb 27 00:47:07 server5 kernel: [18769144.299731] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=1460 TOS=0x00 PREC=0x60 TTL=51 ID=60877 DF PROTO=TCP SPT=443 DPT=42030 WINDOW=229 RES=0x00 ACK URGP=0

Also getting some UDP packets blocked even though I've specifically allowed UDP from 1025-65535:
Feb 24 17:52:19 server5 kernel: [18571459.414576] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=5.6.7.8 DST=1.2.3.4 LEN=69 TOS=0x00 PREC=0x00 TTL=44 ID=59557 PROTO=UDP SPT=58678 DPT=49900 LEN=49 

(I've replaced our server IP with 1.2.3.4). The blocked traffic is from outgoing curl connections to Google Drive and Vimeo.

Here is how I set it up:

ufw reset
ufw default allow outgoing
ufw default deny incoming
ufw allow from 96.54.177.7 proto tcp to any port 22
ufw allow from 50.70.255.166 proto tcp to any port 22
ufw allow 443/tcp
ufw allow 80/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 1025:65535/udp

ufw status shows:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    99.99.99.99
22/tcp                     ALLOW IN    99.99.99.99
443/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
587/tcp                    ALLOW IN    Anywhere

In testing:

  • starting a new upload to Vimeo after enabling ufw works fine. Nothing seems to be blocked.

  • enabling ufw in the middle of a Vimeo upload seems to break it.

  • telnetting to port 587 (mail) from the server to somewhere else and enabling ufw doesn't seem to cause any problems. The connection remains open and I can type help, etc.

  • conntrack doesn't ever show outbound connections, but does show inbound connections ok.

  • when I test on a new Ubuntu 20.04 cloud server instance, there are no problems... I see no packets blocked for port 443, and the uploads work fine. But on the test cloud server conntrack is not installed, and even after I install conntrack and conntrackd I don't see any connections at all listed in "conntrack -L".

So, I'm a little confused about what exactly is going on here and whether I should be worried about it. I don't really want to enable ufw until I fully understand what it is going to do to my traffic. How exactly does it keep track of outbound connections if conntrack doesn't track them?

I think there may be a few things going on here, but I'd like to understand why I'm seeing these. The UDP and ACK blocks are the most worrying, but they only seem to happen for a fraction of a second after enabling ufw, so I'm wondering if there is a slight delay while ufw is enabling the rules. The other (RST) may just be due to the connection being closed. The ACK blocks seem to be causing problems with any existing open outbound connections that are actively sending data when the firewall is enabled.

Answers


Upon further investigation it turned out that the blocked packets only happened over a period of under 1 second while ufw was being enabled. The "ufw enable" command is nowhere near atomic... it is a Python script that interacts with iptables. You might assume that it just does one or two iptables commands, but that is incorrect. Running an strace on "ufw enable" shows that it actually execs the iptables or ip6tables command a total of 358 times in my case:

strace -f -tt ufw --force enable > /tmp/a 2>&1
root@testing:/home/ubuntu# grep exec /tmp/a|wc -l
358
root@testing:/home/ubuntu# grep exec /tmp/a|grep iptables|wc -l
135
root@testing:/home/ubuntu# grep exec /tmp/a|grep ip6tables|wc -l
134

Example:
[pid  1959] 17:13:34.241806 execve("/usr/sbin/ip6tables", ["/usr/sbin/ip6tables", "-I", "ufw6-user-limit", "-m", "limit", "--limit", "3/minute", "-j", "LOG", "--log-prefix", "[UFW LIMIT BLOCK] "], 0x7ffd5e6d3d10 /* 18 vars */ <unfinished ...>

So, the upshot of this is that enabling ufw can temporarily screw up any existing connections that are transmitting or receiving data during the period of time it takes to enable ufw, so be careful enabling ufw on a live server.
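As an added example (not code from the question or the answer), the following Python script parses `[UFW BLOCK]` kernel log lines like the ones quoted in the question, separates packets that look like replies to connections the host itself opened (ACK/RST segments from a service port to an ephemeral port, or UDP to an ephemeral port) from genuine new inbound attempts (SYN without ACK), and groups entries by the kernel uptime timestamp to surface the sub-second burst the answer describes. The sample log lines are constructed for this example; the classification heuristic, the 1024 ephemeral-port boundary and the one-second window are assumptions chosen to illustrate the pattern, not ufw's own logic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries modelled on the [UFW BLOCK] lines in the question.
# Timestamps, addresses and ports are sample values (1.2.3.4 is the placeholder
# the poster used for the server), not anyone's real logs.
SAMPLE_LOG = """\
Feb 24 17:53:00 server5 kernel: [18571501.131985] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=35.196.37.91 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x60 TTL=51 ID=24902 DF PROTO=TCP SPT=443 DPT=44496 WINDOW=0 RES=0x00 RST URGP=0
Feb 24 17:53:00 server5 kernel: [18571501.201985] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=52.10.136.43 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=228 ID=23746 DF PROTO=TCP SPT=443 DPT=59404 WINDOW=118 RES=0x00 ACK PSH URGP=0
Feb 24 17:53:00 server5 kernel: [18571501.414576] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=5.6.7.8 DST=1.2.3.4 LEN=69 TOS=0x00 PREC=0x00 TTL=44 ID=59557 PROTO=UDP SPT=58678 DPT=49900 LEN=49
Feb 24 18:10:12 server5 kernel: [18572533.000000] [UFW BLOCK] IN=eno1 OUT= MAC=d0:50:99:db:0a:be:00:6b:f1:17:4a:81:08:00 SRC=203.0.113.9 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: \[\s*(?P<ts>\d+\.\d+)\] \[UFW BLOCK\] (?P<fields>.*)$")
EPHEMERAL_START = 1024  # assumption: ports >= 1024 are treated as client-side ports


def parse_ufw_block(line: str) -> Optional[Dict]:
    """Parse one [UFW BLOCK] kernel log line, or return None if it is not one.

    Result keys: ts (kernel uptime seconds), flags (bare tokens such as
    DF/SYN/ACK/RST) and every KEY=VALUE field. The second LEN field that UDP
    entries carry is stored as UDP_LEN so the IP-level LEN is not overwritten.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    entry: Dict = {"ts": float(m.group("ts")), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in entry:          # duplicate key (LEN on UDP lines)
                key = "UDP_" + key
            entry[key] = val
        else:
            entry["flags"].add(tok)   # DF, SYN, ACK, PSH, RST, FIN, URG
    for port in ("SPT", "DPT"):
        if port in entry:
            entry[port] = int(entry[port])
    return entry


def classify(entry: Dict) -> str:
    """Heuristic split between a fresh inbound attempt and a packet that
    belongs to a flow this host opened (which an ESTABLISHED/RELATED rule
    would normally accept instead of logging)."""
    proto, flags, dpt = entry.get("PROTO"), entry["flags"], entry.get("DPT", 0)
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "new_inbound_attempt"
        if flags & {"ACK", "RST", "FIN"} and dpt >= EPHEMERAL_START:
            return "established_reply"
    elif proto == "UDP" and dpt >= EPHEMERAL_START:
        return "established_reply"
    return "other"


def find_bursts(entries: List[Dict], window: float = 1.0) -> List[List[Dict]]:
    """Group entries whose kernel timestamp is within `window` seconds of the
    previous one; a firewall reload produces one tight cluster."""
    bursts: List[List[Dict]] = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if bursts and e["ts"] - bursts[-1][-1]["ts"] <= window:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def analyze(log_text: str, window: float = 1.0) -> Dict:
    """Summarise blocked packets and count bursts made only of established-
    reply blocks, the signature of a reload rather than hostile traffic."""
    entries = [e for e in map(parse_ufw_block, log_text.splitlines()) if e]
    counts: Dict[str, int] = {}
    for e in entries:
        kind = classify(e)
        counts[kind] = counts.get(kind, 0) + 1
    bursts = find_bursts(entries, window)
    reload_like = [b for b in bursts
                   if len(b) >= 2 and all(classify(e) == "established_reply" for e in b)]
    return {
        "total": len(entries),
        "counts": counts,
        "bursts": [{"start": b[0]["ts"], "size": len(b),
                    "duration": round(b[-1]["ts"] - b[0]["ts"], 6)} for b in bursts],
        "reload_like_bursts": len(reload_like),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample input the three established-reply blocks land in one burst lasting well under a second, while the lone SYN to port 22 forms its own cluster and is reported as a new inbound attempt. Comparing a burst's kernel timestamp with the time `ufw enable` was run (from `journalctl` or the shell history) is the quickest way to confirm that the blocks came from the reload window rather than from a dropped connection.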

Answered Saturday, July 2, 2022