UFW is blocking all even when I set rules to allow











up vote
12
down vote

favorite
3












I am using an ubuntu server, Now I am trying to enable the firewall using these commands:



ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable


I've also tried making the ufw default deny incoming the last one but still no luck, when I enable the firewall it blocks eveything when I set the default to deny, but when I set it to allow, it works well, like the rules are ignored.
what could be causing this ?



EDIT



This is my output of iptables -L -v -n
I also tried the proposed solution but still no luck, it works fine only when I make it default allow incoming



Chain INPUT (policy DROP 30 packets, 1764 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination

Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination









share|improve this question




















  • 1




    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49










  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15










  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16










  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22















up vote
12
down vote

favorite
3












I am using an ubuntu server, Now I am trying to enable the firewall using these commands:



ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable


I've also tried making the ufw default deny incoming the last one but still no luck, when I enable the firewall it blocks eveything when I set the default to deny, but when I set it to allow, it works well, like the rules are ignored.
what could be causing this ?



EDIT



This is my output of iptables -L -v -n
I also tried the proposed solution but still no luck, it works fine only when I make it default allow incoming



Chain INPUT (policy DROP 30 packets, 1764 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination

Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination









share|improve this question




















  • 1




    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49










  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15










  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16










  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22













up vote
12
down vote

favorite
3









up vote
12
down vote

favorite
3






3





I am using an ubuntu server, Now I am trying to enable the firewall using these commands:



ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable


I've also tried making the ufw default deny incoming the last one but still no luck, when I enable the firewall it blocks eveything when I set the default to deny, but when I set it to allow, it works well, like the rules are ignored.
what could be causing this ?



EDIT



This is my output of iptables -L -v -n
I also tried the proposed solution but still no luck, it works fine only when I make it default allow incoming



Chain INPUT (policy DROP 30 packets, 1764 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination

Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination









share|improve this question















I am using an ubuntu server, Now I am trying to enable the firewall using these commands:



ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable


I've also tried making the ufw default deny incoming the last one but still no luck, when I enable the firewall it blocks eveything when I set the default to deny, but when I set it to allow, it works well, like the rules are ignored.
what could be causing this ?



EDIT



This is my output of iptables -L -v -n
I also tried the proposed solution but still no luck, it works fine only when I make it default allow incoming



Chain INPUT (policy DROP 30 packets, 1764 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination

Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination






firewall ufw






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 19 '17 at 14:01









muru

135k20291493




135k20291493










asked Oct 26 '14 at 1:39









engma

163117




163117








  • 1




    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49










  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15










  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16










  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22














  • 1




    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49










  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15










  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16










  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22








1




1




Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
– Thomas Ward
Oct 26 '14 at 1:49




Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
– Thomas Ward
Oct 26 '14 at 1:49












The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
– mchid
Oct 26 '14 at 2:15




The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
– mchid
Oct 26 '14 at 2:15












Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
– Thomas Ward
Oct 26 '14 at 2:16




Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
– Thomas Ward
Oct 26 '14 at 2:16












I added the output of my iptables file
– engma
Oct 26 '14 at 9:22




I added the output of my iptables file
– engma
Oct 26 '14 at 9:22










3 Answers
3






active

oldest

votes

















up vote
12
down vote



accepted










Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer























  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48


















up vote
2
down vote













FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer





















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33


















up vote
0
down vote













I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw





share|improve this answer










New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.


















  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f541675%2fufw-is-blocking-all-even-when-i-set-rules-to-allow%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
12
down vote



accepted










Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer























  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48















up vote
12
down vote



accepted










Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer























  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48













up vote
12
down vote



accepted







up vote
12
down vote



accepted






Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer














Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp






share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 19 '17 at 14:01









Community

1




1










answered Oct 26 '14 at 2:36









mchid

22.5k25082




22.5k25082












  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48


















  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48
















Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
– engma
Oct 26 '14 at 9:08




Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
– engma
Oct 26 '14 at 9:08












@Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
– mchid
Oct 26 '14 at 12:45




@Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
– mchid
Oct 26 '14 at 12:45












@Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
– mchid
Oct 26 '14 at 13:03




@Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
– mchid
Oct 26 '14 at 13:03












ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
– engma
Oct 26 '14 at 13:22




ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
– engma
Oct 26 '14 at 13:22












@Developer106 what doesn't work, is it not blocking or not allowing?
– mchid
Oct 30 '14 at 22:48




@Developer106 what doesn't work, is it not blocking or not allowing?
– mchid
Oct 30 '14 at 22:48












up vote
2
down vote













FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer





















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33















up vote
2
down vote













FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer





















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33













up vote
2
down vote










up vote
2
down vote









FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer












FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0






share|improve this answer












share|improve this answer



share|improve this answer










answered Jul 15 at 0:46









FixItDad

212




212












  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33


















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33
















This fixed the problem for me also.
– Technophobe01
Aug 1 at 16:33




This fixed the problem for me also.
– Technophobe01
Aug 1 at 16:33










up vote
0
down vote













I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw





share|improve this answer










New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.


















  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43















up vote
0
down vote













I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw





share|improve this answer










New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.


















  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43













up vote
0
down vote










up vote
0
down vote









I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw





share|improve this answer










New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw






share|improve this answer










New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this answer



share|improve this answer








edited Dec 12 at 19:02









mature

1,447422




1,447422






New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









answered Dec 12 at 16:55









Maso Mato

1




1




New contributor




Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Maso Mato is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43


















  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43
















Hi Maso. Did you have to do any additional configuration after reinstalling?
– Hee Jin
Dec 12 at 18:43




Hi Maso. Did you have to do any additional configuration after reinstalling?
– Hee Jin
Dec 12 at 18:43


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f541675%2fufw-is-blocking-all-even-when-i-set-rules-to-allow%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

數位音樂下載

When can things happen in Etherscan, such as the picture below?

格利澤436b