ufw default deny incoming


Postby bjorntj » 2021-01-25 12:41

Hi.

Not sure what I am missing here but I have a Debian 10 server where I am trying to use ufw for my firewall settings.
But the default rule of deny incoming is removed after I reboot my server. If I run "ufw default deny incoming" after I have rebooted, then all ports are denied except for those I have opened. But after a reboot, it seems that the default is set to accept all incoming.

What am I missing here?


Regards,

BTJ
Someone wrote:
"I understand that if you play a Windows CD backwards you hear strange Satanic messages"
To which someone replied:
"It's even worse than that; play it forwards and it installs Windows"
bjorntj
 
Posts: 11
Joined: 2021-01-25 12:31

Re: ufw default deny incoming

Postby Hallvor » 2021-01-25 18:27

Did you enable it?

    # ufw enable
    # ufw default deny incoming
    # ufw default allow outgoing
Lenovo ThinkPad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
Lenovo ThinkPad X240, Intel Core i5-4300U CPU @ 2.90GHz, 8 GB RAM, 120 GB SSD, Debian Buster (KDE)
Hallvor
 
Posts: 1097
Joined: 2009-04-16 18:35
Location: Norway

Re: ufw default deny incoming

Postby bjorntj » 2021-01-25 18:55

Yes, after boot the status says:

    # ufw status verbose

    Status: active
    Logging: off
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    more rules


But the deny incoming is not working...

Re: ufw default deny incoming

Postby dilberts_left_nut » 2021-01-26 08:55

bjorntj wrote: But the deny incoming is not working...

How do you know?
AdrianTM wrote: There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 5089
Joined: 2009-10-05 07:54
Location: enzed

Re: ufw default deny incoming

Postby bjorntj » 2021-01-26 08:58

Because a port I have specifically opened for just one IP is open for all IPs...
Running "ufw default deny incoming" after boot fixes the firewall...
I am not a newbie in this game.. 8)

But I have never used UFW before, maybe it's just better to use iptables....

BTJ

Re: ufw default deny incoming

Postby bjorntj » 2021-01-26 13:08

btw, if I compare the iptables rules after boot and after running "ufw default deny incoming", I see the following:

right after boot:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination


after running the deny command:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
    ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0


So it seems like the default rules are not applied on boot...
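A boot-time check for the state this post describes, added here as an example and not code from the thread: it parses `iptables -L -n` output and reports whether the INPUT chain carries a DROP policy and is hooked into the ufw-* chains. The two sample listings are constructed from the outputs quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: detect "ufw active but default policy not applied" from
# the text of `iptables -L -n`. Sample listings constructed from the thread.

AFTER_BOOT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

AFTER_FIX='Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0'

# chain_policy LISTING CHAIN -> prints the policy word of CHAIN (ACCEPT/DROP)
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p"
}

# ufw_hooked LISTING CHAIN -> exit 0 if CHAIN contains a jump to a ufw-* chain
ufw_hooked() {
    printf '%s\n' "$1" | awk -v c="$2" '
        /^Chain / { cur = $2 }
        cur == c && $1 ~ /^ufw-/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# firewall_ok LISTING -> exit 0 only if INPUT is DROP and hooked into ufw;
# anything else is the "open after reboot" state from the thread.
firewall_ok() {
    [ "$(chain_policy "$1" INPUT)" = DROP ] && ufw_hooked "$1" INPUT
}

# On a live host (as root):  firewall_ok "$(iptables -L -n)" || echo "firewall defaults missing"
```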

Re: ufw default deny incoming

Postby reinob » 2021-01-26 19:33

I don't have experience with ufw (why don't you use nftables?), but maybe doing a "systemctl status ufw" after boot will tell you if it is enabled and whether it started OK or not.

If not enabled, do "systemctl enable ufw" (assuming there's a ufw.service).
reinob
 
Posts: 900
Joined: 2014-06-30 11:42

Re: ufw default deny incoming

Postby bjorntj » 2021-01-27 07:35

Thx, but as I said, ufw is enabled and running after boot; it's just that the default rules are not applied....

Re: ufw default deny incoming

Postby reinob » 2021-01-27 10:51

OK, can you check if you have /etc/ufw/user.rules and/or /etc/ufw/user6.rules, and if they have the content you'd expect (that's where your rules are supposed to be saved)?

I imagine there's no need to ask if you have *another* firewall starting/configuring at boot (nftables, iptables-persistent, etc.) which might be cleaning up what ufw has done while initializing?

Re: ufw default deny incoming

Postby bjorntj » 2021-01-27 11:14

No, I don't... And yes, those files exist and look fine..

But I have been looking at nftables now and I think I will be switching to nftables instead... Thx.. :)


BTJ

Re: ufw default deny incoming

Postby Ardouos » 2021-01-27 18:12

+1 for nftables.

I switched to it after I installed Buster and I was surprised by how simple it was. You can manage it by using commands or by directly editing the text file (just be careful with the correct formatting). The main disadvantage as of today is that there is less documentation on it. But that may change with time.

The wiki if you need to refer to it. Otherwise there are guides online which people have made.
https://wiki.nftables.org/wiki-nftables ... /Main_Page


The link below will drop all incoming whilst allowing connections that your computer has made, as well as loopback.

Simple rules for a desktop:
https://wiki.nftables.org/wiki-nftables ... orkstation
Ardouos
 
Posts: 1064
Joined: 2013-11-03 00:30
Location: Elicoor II

Re: ufw default deny incoming

Postby bjorntj » 2021-01-28 06:41

Yes, got my rules set up and it seems to be working as it should now...
Thx.. :)

Re: ufw default deny incoming

Postby reinob » 2021-01-28 07:17

bjorntj wrote: Yes, got my rules set up and it seems to be working as it should now...
Thx.. :)


Good to hear!

The only problem I have with nftables, which I use everywhere (desktop and server), is with docker, as it still depends (in the Debian sense) on iptables. You can avoid it by setting "iptables: false" in the daemon.json config, but then you have to set your forwarding rules, etc. by yourself..

Re: ufw default deny incoming

Postby bjorntj » 2021-01-28 07:21

ok, good to know... :)
