added 1119 characters in body
Adrian

UPDATE
Before the above ufw rules, iptables only has these rules that "deny/block" something (besides the general blocking when access is not explicitly granted):

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

        

added 534 characters in body
$ufw status numbered
Status: active

 To                         Action      From
 --                         ------      ----
[ 7] Anywhere                   ALLOW IN    192.168.0.0/24             # allow all from LAN
[ 8] Anywhere                   ALLOW IN    192.168.1.0/24             # allow all from LAN
[ 9] OpenSSH                    LIMIT IN    Anywhere                   # allow ssh (limited)
[10] xxxxx                      ALLOW IN    Anywhere                   # allow transmission access
[11] Anywhere                   ALLOW IN    192.168.1.148              # allow all from Samsung TV
[12] Anywhere                   ALLOW IN    192.168.1.252              # allow all from KEF LSX speakers

Why does ufw block access to 192.168.1.31 from 192.168.1.148? All the above ufw rules should facilitate that access, so why don't they?

$ufwl | grep '192.168'
... [UFW BLOCK] IN=enp1s0 OUT= MAC=68:05:ca:24:83:6c:00:12:fb:74:36:26:08:00 SRC=192.168.1.148 DST=192.168.1.31 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52235 DPT=25930 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
... [UFW BLOCK] IN=enp1s0 OUT= MAC=68:05:ca:24:83:6c:84:17:15:02:86:9f:08:00 SRC=192.168.1.252 DST=192.168.1.31 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=52973 PROTO=TCP SPT=8080 DPT=33658 WINDOW=65535 RES=0x00 RST URGP=0 MARK=0x1

$lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 21.10
Release:        21.10
Codename:       impish
added 12 characters in body
$ufw status numbered
Status: active

 To                         Action      From
 --                         ------      ----
[ 7] Anywhere                   ALLOW IN    192.168.0.0/16             # allow all from LAN
[ 8] Anywhere                   ALLOW IN    192.168.1.148              # allow all from Samsung TV
[10] Anywhere on enp1s0         ALLOW IN    Anywhere                   # allow all from LAN (enp1s0)

Why does ufw block access to 192.168.1.31 from 192.168.1.148? All the above ufw rules should facilitate that access, so why don't they?

$ufwl | grep '192.168'
... [UFW BLOCK] IN=enp1s0 OUT= MAC=68:05:ca:24:83:6c:00:12:fb:74:36:26:08:00 SRC=192.168.1.148 DST=192.168.1.31 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52235 DPT=25930 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

$lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 21.10
Release:        21.10
Codename:       impish