UFW is blocking all even when I set rules to allow
Open a terminal and type the following commands:
Start off by doing a reset, which will remove all the existing rules:
sudo ufw reset
Next,
sudo ufw app list
This will list the available application profiles, such as OpenSSH and others. To get info on an app, type a command like the one in this example:
sudo ufw app info OpenSSH
Here's the output:
Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.
Port:
22/tcp
To allow OpenSSH access, you can use the following rule:
sudo ufw allow 22/tcp
Unlike on Debian, www and https are not usually included as app profiles; however, we know these operate on ports 80 and 443, so use the following commands:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
If you want to add UDP, just do this as well.
sudo ufw allow 80/udp
sudo ufw allow 443/udp
Disable and enable ufw to apply the changes:
sudo ufw disable
sudo ufw enable
To show your rules:
sudo ufw status
Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.
You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.
To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing with sudo ufw deny out 1:22/tcp and so on.
sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp
FYI: in case others have this problem.
In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.
I ended up uninstalling ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall/reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.
Here's what the top level chains should look like (on Debian 9.4).
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
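The check the second answer performs by eye, as an added example that is not part of either answer: a POSIX sh script that reads an iptables -L -n dump and reports which of the ufw jump targets are missing from a top-level chain. The SAMPLE dump below is constructed (INPUT intact, OUTPUT with ufw-reject-output missing); on a real host you would pass the output of sudo iptables -L -n instead.

```shell
#!/bin/sh
# Added example, not from either answer above: verify that the top-level
# iptables chains still jump into the ufw-* chains. SAMPLE is constructed.
# Jump targets ufw installs in a top-level chain ($1 = input|forward|output).
expected_targets() {
    printf '%s\n' "ufw-before-logging-$1" "ufw-before-$1" "ufw-after-$1" \
                  "ufw-after-logging-$1" "ufw-reject-$1" "ufw-track-$1"
}
# check_chain DUMP CHAIN: DUMP is `iptables -L -n` text, CHAIN is INPUT,
# FORWARD or OUTPUT. Prints each missing target; returns 1 if any is missing.
check_chain() {
    dump=$1; chain=$2
    lc=$(printf '%s' "$chain" | tr '[:upper:]' '[:lower:]')
    # Keep the first column (target) of the rules listed under "Chain $chain".
    targets=$(printf '%s\n' "$dump" | awk -v hdr="Chain $chain " '
        index($0, hdr) == 1 { on = 1; next }
        /^Chain /          { on = 0 }
        on                 { print $1 }')
    rc=0
    for t in $(expected_targets "$lc"); do
        if ! printf '%s\n' "$targets" | grep -qx "$t"; then
            echo "missing in $chain: $t"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample: INPUT is intact, OUTPUT has lost ufw-reject-output.
SAMPLE='Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-before-input          all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-input           all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-logging-input   all  --  0.0.0.0/0  0.0.0.0/0
ufw-reject-input          all  --  0.0.0.0/0  0.0.0.0/0
ufw-track-input           all  --  0.0.0.0/0  0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output all  --  0.0.0.0/0  0.0.0.0/0
ufw-before-output         all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-output          all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-track-output          all  --  0.0.0.0/0  0.0.0.0/0'
check_chain "$SAMPLE" INPUT && echo "INPUT: all ufw hooks present"
check_chain "$SAMPLE" OUTPUT || echo "OUTPUT: ufw hooks missing; disable and re-enable ufw"
```

A chain that reports missing hooks is the symptom the second answer describes: ufw's own chains exist, but nothing in INPUT, OUTPUT or FORWARD jumps to them, so none of the ufw rules apply.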