You are not logged in.
- Topics: Active | Unanswered
#1 2016-03-04 20:19:52
- vgivanovic
- Member
- Registered: 2011-02-18
- Posts: 40
Why is `ufw' blocking these packets?
I don't understand why packets like this one are being blocked by `ufw'.
kernel: [UFW BLOCK] IN=enp2s0 OUT= MAC=00:e0:4c:68:10:3f:c4:e9:84:fc:d2:7a:08:00 SRC=216.17.8.76 DST=192.168.0.108 LEN=40 TOS=0x00 PREC=0x20 TTL=49 ID=16538 DF PROTO=TCP SPT=443 DPT=42041 WINDOW=29200 RES=0x00 ACK URGP=0Here is how I've configured 'ufw:
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN 192.168.0.0/16
[ 2] Anywhere ALLOW IN 172.16.0.0/12
[ 3] Anywhere ALLOW IN 224.0.0.0/8
[ 4] Anywhere ALLOW IN 10.0.0.0/8
[ 5] Anywhere ALLOW IN 162.222.40.0/21
[ 6] 22/tcp LIMIT IN Anywhere
[ 7] 5353 ALLOW IN Anywhere
[ 8] Anywhere ALLOW IN 216.17.64.0/19/tcp
[ 9] Anywhere ALLOW IN 216.17.8.0/24/tcp
[10] Anywhere ALLOW IN 216.17.0.0/18/tcpI thought that rule #9 would allow that packet through. Note that no rule matches the packet until rule #9 is hit.
In case it's relevant, I got the addresses I entered into ufw' from:
# whois `dig -4 crashplan.com +short` | fgrep CIDR | cut -d':' -f2
216.17.64.0/19, 216.17.0.0/18
216.17.8.0/24Any ideas would be welcome. In this case, Google has not been my friend. Neither has a search of the forums yielded anything that I've noticed.
Thanks.
Offline
#2 2016-03-04 21:06:51
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: Why is `ufw' blocking these packets?
Show the result of "iptables-save", to see the *real* rules.
Offline
#3 2016-03-04 21:21:17
- vgivanovic
- Member
- Registered: 2011-02-18
- Posts: 40
Re: Why is `ufw' blocking these packets?
Here's the output:
# iptables-save
# Generated by iptables-save v1.4.21 on Fri Mar 4 13:14:24 2016
*filter
:INPUT DROP [375:20236]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [561:26680]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s 192.168.0.0/16 -j ACCEPT
-A ufw-user-input -s 172.16.0.0/12 -j ACCEPT
-A ufw-user-input -s 224.0.0.0/8 -j ACCEPT
-A ufw-user-input -s 10.0.0.0/8 -j ACCEPT
-A ufw-user-input -s 162.222.40.0/21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept
-A ufw-user-input -p tcp -m tcp --dport 5353 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-user-input -s 216.17.64.0/19 -p tcp -j ACCEPT
-A ufw-user-input -s 216.17.8.0/24 -p tcp -j ACCEPT
-A ufw-user-input -s 216.17.0.0/18 -p tcp -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Mar 4 13:14:24 2016Offline
#4 2016-03-05 09:22:19
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: Why is `ufw' blocking these packets?
It's probably matching on:
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-denyIt's quite feasible for a website to send out the occasional garbage packet, or e.g. a router in one of the hops between you and the website may be slightly broken.
Personally I would write the iptables rules myself, rather than use UFW.
Offline
#5 2016-03-07 05:22:30
- vgivanovic
- Member
- Registered: 2011-02-18
- Posts: 40
Re: Why is `ufw' blocking these packets?
OK, thank you.
Offline