ufw default deny incoming
Hi.
Not sure what I am missing here but I have a Debian 10 server where I am trying to use ufw for my firewall settings.
But the default rule of deny incoming is removed after I reboot my server. If I run "ufw default deny incoming" after I have rebooted, then all ports are denied except for those I have opened. But after a reboot, it seems that the default is set to accept all incoming.
What am I missing here?
Regards,
BTJ
Someone wrote:
"I understand that if you play a Windows CD backwards you hear strange Satanic messages"
To which someone replied:
"It's even worse than that; play it forwards and it installs Windows"
- Hallvor
- Global Moderator
- Posts: 2162
- Joined: 2009-04-16 18:35
- Location: Kristiansand, Norway
- Has thanked: 171 times
- Been thanked: 246 times
Re: ufw default deny incoming
Did you enable it?
Code: Select all
# ufw enable
# ufw default deny incoming
# ufw default allow outgoing
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
Re: ufw default deny incoming
Yes, after boot the status says:
Code: Select all
# ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
more rules
But the deny incoming is not working...
- dilberts_left_nut
- Administrator
- Posts: 5476
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 22 times
- Been thanked: 95 times
Re: ufw default deny incoming
bjorntj wrote:But the deny incoming is not working...
How do you know?
AdrianTM wrote:There's no hacker in my grandma...
Re: ufw default deny incoming
Because a port I have specifically opened from just one IP is open for all IPs...
Running "ufw default deny incoming" after boot fixes the firewall...
I am not a newbie in this game.. 8)
But I have never used UFW before, maybe it's just better to use iptables....
BTJ
Re: ufw default deny incoming
btw, if I compare the iptables rules after boot and after running "ufw default deny incoming", I see the following:
right after boot:
Code: Select all
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
after running the deny command:
Code: Select all
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
So it seems like the default rules are not applied on boot...
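The two listings above make the symptom concrete: `ufw status` says "active", yet right after boot the built-in chains carry policy ACCEPT and none of the ufw-* hook chains are attached. What a practitioner wants at this point is a check that compares what ufw persisted (the enable/default sequence Hallvor gives writes DEFAULT_INPUT_POLICY="DROP" into /etc/default/ufw) against what the kernel is actually enforcing (`iptables -S`). The script below is an added example, not code from the thread or from ufw itself; it takes both as text so it can be run against saved output from another host, and the sample inputs are constructed to mirror the before/after state shown in the post. The `--live` mode, the file path and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the defaults ufw saved in
# /etc/default/ufw with what the kernel is enforcing as printed by
# `iptables -S`. Both are passed in as text; the samples below are
# constructed to mirror the before/after listings in the thread.

# ufw's ACCEPT/DROP/REJECT -> the built-in chain policy it installs
# (REJECT is a DROP policy plus reject rules in the ufw-reject-* chains).
ufw_to_policy() {
    case "$1" in
        ACCEPT)      echo ACCEPT ;;
        DROP|REJECT) echo DROP ;;
        *)           echo UNKNOWN ;;
    esac
}

# ufw_default CHAIN (INPUT|FORWARD|OUTPUT): read DEFAULT_<CHAIN>_POLICY
# from /etc/default/ufw text on stdin.
ufw_default() {
    sed -n "s/^DEFAULT_${1}_POLICY=\"\{0,1\}\([A-Z]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# live_policy CHAIN: read the chain policy from `iptables -S` text on stdin.
live_policy() {
    sed -n "s/^-P ${1} \([A-Z]*\).*/\1/p" | head -n 1
}

# check_firewall DEFAULTS_TEXT IPTABLES_S_TEXT
# Returns 0 when every built-in chain policy matches ufw's saved default AND
# ufw's hook chains are wired into INPUT; 1 otherwise. "Status: active" from
# `ufw status` says ufw thinks it is on; this says whether its rules are loaded.
check_firewall() {
    defaults="$1"
    live="$2"
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        want=$(printf '%s\n' "$defaults" | ufw_default "$chain")
        want=$(ufw_to_policy "$want")
        have=$(printf '%s\n' "$live" | live_policy "$chain")
        if [ "$want" = "$have" ]; then
            echo "$chain: saved $want, loaded $have: ok"
        else
            echo "$chain: saved $want, loaded ${have:-none}: MISMATCH"
            rc=1
        fi
    done
    if printf '%s\n' "$live" | grep -q '^-A INPUT -j ufw-before-input'; then
        echo "INPUT: ufw hook chains present: ok"
    else
        echo "INPUT: ufw hook chains absent: ufw's rules are NOT loaded"
        rc=1
    fi
    return $rc
}

# Constructed sample of /etc/default/ufw after `ufw default deny incoming`.
SAMPLE_DEFAULTS='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"'

# Constructed `iptables -S` as seen right after boot: ACCEPT, no ufw chains.
SAMPLE_AFTER_BOOT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed `iptables -S` after the deny command: policies and hooks in place.
SAMPLE_AFTER_FIX='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-before-logging-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

if [ "${1:-}" = "--live" ]; then
    # run as root on the host itself (assumed paths and commands)
    check_firewall "$(cat /etc/default/ufw)" "$(iptables -S)"
else
    echo "== sample: right after boot"
    if check_firewall "$SAMPLE_DEFAULTS" "$SAMPLE_AFTER_BOOT"; then echo "-> consistent"; else echo "-> NOT consistent"; fi
    echo "== sample: after 'ufw default deny incoming'"
    if check_firewall "$SAMPLE_DEFAULTS" "$SAMPLE_AFTER_FIX"; then echo "-> consistent"; else echo "-> NOT consistent"; fi
fi
```

Run without arguments it reports the constructed after-boot sample as NOT consistent (saved DROP, loaded ACCEPT, hook chains absent) and the after-fix sample as consistent; run as root with `--live` it does the same comparison on the box, which is a more useful first check than the "Status: active" line alone.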
-
- Section Moderator
- Posts: 1267
- Joined: 2014-06-30 11:42
- Has thanked: 132 times
- Been thanked: 64 times
Re: ufw default deny incoming
I don't have experience with ufw (why don't you use nftables?), but maybe doing a "systemctl status ufw" after boot will tell you if it is enabled and whether it started OK or not.
If not enabled, do "systemctl enable ufw" (assuming there's a ufw.service).
Re: ufw default deny incoming
Thx, but as I said, ufw is enabled and running after boot, it's just that the default rules are not applied....
-
- Section Moderator
- Posts: 1267
- Joined: 2014-06-30 11:42
- Has thanked: 132 times
- Been thanked: 64 times
Re: ufw default deny incoming
OK, can you check if you have /etc/ufw/user.rules and/or /etc/ufw/user6.rules, and if they have the content you'd expect (that's where your rules are supposed to be saved).
I imagine there's no need to ask if you have *another* firewall starting/configuring at boot (nftables, iptables-persistent, etc.) which might be cleaning up what ufw has done while initializing?
Re: ufw default deny incoming
No, I don't... And yes, those files exist and look fine..
But I have been looking at nftables now and I think I will be switching to nftables instead... Thx.. :)
BTJ
- Ardouos
- Posts: 1080
- Joined: 2013-11-03 00:30
- Location: Elicoor II
- Has thanked: 1 time
- Been thanked: 4 times
Re: ufw default deny incoming
+1 for nftables.
I switched to it after I installed Buster and I was surprised with how simple it was. You can manage it by using commands or directly editing the text file (just be careful with the correct formatting). The main disadvantage as of today is that there is less documentation on it. But that may change in time.
The wiki if you need to refer to it. Otherwise there are guides online which people have made.
https://wiki.nftables.org/wiki-nftables ... /Main_Page
The link below will drop all incoming whilst allowing connections that your computer has made, as well as loopback.
Simple rules for a desktop:
https://wiki.nftables.org/wiki-nftables ... orkstation
There is only one Debian | Do not break Debian | Stability and Debian | Backports
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
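The workstation ruleset Ardouos links to does exactly what bjorntj needed: drop incoming by policy, accept loopback and the return half of connections this host opened. The script below is an added example, not the wiki's file and not anything from the thread. It generates such a ruleset with one extra rule for the case described earlier in the thread, a single port reachable from a single address, and applies it only after `nft -c -f` has accepted the syntax, so a typo cannot leave the host with an empty ruleset. The address 192.0.2.10, port 22 and the path /etc/nftables.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the nftables wiki: generate an
# nftables host firewall (drop incoming, allow loopback and established
# traffic, one service from one address) and load it safely.
# Address, port and file path are assumptions.

# gen_ruleset ADMIN_IP PORT -> prints an nft ruleset on stdout
gen_ruleset() {
    admin_ip="$1"
    port="$2"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback, and packets belonging to connections this host started
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # basic ICMP/ICMPv6 so path MTU discovery and neighbour discovery work
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # the one service that must be reachable, and only from one address
        ip saddr $admin_ip tcp dport $port ct state new accept

        # everything else falls through to the chain policy: drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset FILE: syntax-check first, then load and enable at boot.
# `nft -c` parses and validates without touching the kernel, so a broken
# file is rejected before `flush ruleset` can run.
apply_ruleset() {
    file="$1"
    if ! nft -c -f "$file"; then
        echo "ruleset rejected by 'nft -c', nothing changed" >&2
        return 1
    fi
    nft -f "$file" && systemctl enable --now nftables
}

case "${1:-}" in
    --apply)
        # e.g. ./nft-host.sh --apply 192.0.2.10 22   (as root; assumed values)
        gen_ruleset "${2:?admin ip}" "${3:?port}" > /etc/nftables.conf \
            && apply_ruleset /etc/nftables.conf
        ;;
    *)
        # default: just print the ruleset for the constructed sample values
        gen_ruleset 192.0.2.10 22
        ;;
esac
```

Two points worth knowing before running `--apply`: the file begins with `flush ruleset`, so it replaces whatever is loaded (that is what makes it the single source of truth, and also why it collides with anything else that writes rules, such as the docker situation mentioned later in the thread); and on Debian the nftables.service unit loads /etc/nftables.conf at boot, which is why the script writes there.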
Re: ufw default deny incoming
Yes, got my rules set up and seems to be working as it should now...
Thx.. :)
-
- Section Moderator
- Posts: 1267
- Joined: 2014-06-30 11:42
- Has thanked: 132 times
- Been thanked: 64 times
Re: ufw default deny incoming
bjorntj wrote:Yes, got my rules set up and seems to be working as it should now...
Thx.. :)
Good to hear!
The only problem I have with nftables, which I use everywhere (desktop and server) is with docker, as it still depends (in the debian sense) on iptables. You can avoid it by setting "iptables: false" in the daemon.json config, but then you have to set your forwarding rules, etc. by yourself..
Re: ufw default deny incoming
ok, good to know... :)