
#1 2016-07-19 01:21:19

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Trying to ban an entire subset with ufw but failing to do so

I'm running ufw and want to ban 184.105.*.* so I entered:

# ufw deny from 184.105.0.0/16

Yet, I still have incoming pings from these... what am I missing?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#2 2016-07-19 02:09:03

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,774

Re: Trying to ban an entire subset with ufw but failing to do so

Hey graysky, I know little of UFW, but remember that "pings" (ICMP-level junk) are at a much lower level than TCP and UDP (transport-layer junk).
It might be that what you are doing drops the high-level stuff, but the system still responds to the low-level stuff. Of course, I could be completely wrong.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2016-07-19 05:08:56

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Trying to ban an entire subset with ufw but failing to do so

From memory you need to put these types of rules - for stuff like icmp - in a file called before.rules (it's a while since I used ufw, to be honest).


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#4 2016-07-19 06:19:54

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: Trying to ban an entire subset with ufw but failing to do so

I should have clarified: "pings" in this context means someone is hitting my https server and I want to ban them permanently from connecting... so it's not a real ping (poor choice of words):

From /var/log/httpd/access_log

184.105.247.196 - - [16/Jul/2016:09:12:12 -0400] "GET / HTTP/1.1" 403 1006
...
74.82.47.4 - - [17/Jul/2016:11:23:23 -0400] "GET / HTTP/1.1" 403 1006

Last edited by graysky (2016-07-19 06:20:34)



#5 2016-07-19 10:33:19

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Trying to ban an entire subset with ufw but failing to do so

What order does ufw add new rules in?  Does it insert or append?  If you have a rule to allow connections before the above deny rule could it be taking precedence?



#6 2016-07-19 12:35:59

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: Trying to ban an entire subset with ufw but failing to do so

Not sure... I did set it up via the wiki where the first line I entered was:

ufw default deny


#7 2016-07-20 04:51:48

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Trying to ban an entire subset with ufw but failing to do so

If you list all of the rules doesn't that give an idea?  ufw must have a way of checking/listing what is being applied and how.  In fact "iptables-save" probably gives a better idea.



#8 2016-07-20 06:18:30

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: Trying to ban an entire subset with ufw but failing to do so

loafer wrote:

What order does ufw add new rules in?  Does it insert or append?  If you have a rule to allow connections before the above deny rule could it be taking precedence?

loafer wrote:

If you list all of the rules doesn't that give an idea?  ufw must have a way of checking/listing what is being applied and how.  In fact "iptables-save" probably gives a better idea.


The odd thing is that `ufw status` does give a list, but the order of the list does not correspond to the order in which I entered the rules...

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.0/24            
22                         ALLOW       Anywhere 
WWW Secure                 ALLOW       Anywhere                  
sshd2                      ALLOW       Anywhere                  
Anywhere                   DENY        184.105.0.0/16
Anywhere                   DENY        74.82.0.0/16
WWW Secure (v6)            ALLOW       Anywhere (v6)             
sshd2 (v6)                 ALLOW       Anywhere (v6)    
# iptables-save


# Generated by iptables-save v1.6.0 on Wed Jul 20 02:15:11 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
...

<< all the standard ufw stuff >>

...
-A ufw-user-input -s 192.168.1.0/24 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -m comment --comment "\'dapp_WWW%20Secure\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20101 -m comment --comment "\'dapp_sshd2\'" -j ACCEPT
-A ufw-user-input -s 184.105.0.0/16 -j DROP
-A ufw-user-input -s 74.82.0.0/16 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Jul 20 02:15:11 2016

So the accept for 443 does come before the drop for the two IP masks to ban.  Is the order for that correct or should they be reversed?  I can reorder them in /etc/ufw/user.rules ... seems like a bug in ufw if so.

Last edited by graysky (2016-07-20 06:41:14)



#9 2016-07-20 08:38:08

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Trying to ban an entire subset with ufw but failing to do so

Rules are evaluated in the order they appear in iptables, so if you want to drop something you have to put it before the accept line.

As a side note, if you are planning on banning a large number of IPs you might want to check if what you are planning to use supports ipset.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

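To make the ordering point concrete, here is an added example (not ufw or iptables code, and not from anyone in the thread) that parses the `-A ufw-user-input` lines from the iptables-save output in post #8 and walks them top to bottom the way the kernel's filter table does: the first rule whose match conditions fit the packet decides, and a packet matching nothing falls through to the chain policy (assumed DROP here, since INPUT is DROP in the posted output). It ignores the other ufw chains (limit, logging, conntrack), which do not change the answer to the question asked. The reorder it applies is what `ufw insert 1 deny from ...` does on the command line; plain `ufw deny` appends, which is why the DROPs landed below the ACCEPT for 443 in the first place.

```python
"""First-match walk of the ufw-user-input chain posted above.

Added example (not ufw or iptables code). Only the matches relevant to the
thread are read from each rule: source network, protocol, destination port
and target. A None means "any". `default` models the chain policy.
"""
import ipaddress
import re

# Sample input: the user rules exactly as ufw wrote them (ACCEPT for 443 precedes the DROPs).
POSTED_RULES = r"""
-A ufw-user-input -s 192.168.1.0/24 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -m comment --comment "\'dapp_WWW%20Secure\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20101 -m comment --comment "\'dapp_sshd2\'" -j ACCEPT
-A ufw-user-input -s 184.105.0.0/16 -j DROP
-A ufw-user-input -s 74.82.0.0/16 -j DROP
"""


def parse_rules(text):
    """Extract (source network, protocol, destination port, target) per rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A ufw-user-input"):
            continue
        src = re.search(r" -s (\S+)", line)
        proto = re.search(r" -p (\S+)", line)
        dport = re.search(r" --dport (\d+)", line)
        target = re.search(r" -j (\S+)", line)
        rules.append({
            "src": ipaddress.ip_network(src.group(1)) if src else None,
            "proto": proto.group(1) if proto else None,
            "dport": int(dport.group(1)) if dport else None,
            "target": target.group(1),
        })
    return rules


def verdict(rules, src_ip, proto, dport, default="DROP"):
    """Return the target of the first matching rule, else the chain policy."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return default


def denies_first(rules):
    """Move the DROP rules ahead of every ACCEPT: what the poster did by hand in
    /etc/ufw/user.rules, and what `ufw insert 1 deny from ...` produces."""
    drops = [r for r in rules if r["target"] == "DROP"]
    others = [r for r in rules if r["target"] != "DROP"]
    return drops + others


if __name__ == "__main__":
    posted = parse_rules(POSTED_RULES)
    fixed = denies_first(posted)
    for label, chain in (("as posted", posted), ("denies first", fixed)):
        v = verdict(chain, "184.105.247.196", "tcp", 443)
        print(f"{label:13s}: 184.105.247.196 -> tcp/443 = {v}")
```

Running it shows the banned source reaching port 443 being ACCEPTed under the posted order and DROPped once the deny rules come first; the same source on a port with no ACCEPT rule is dropped either way, which is why the ban looked partially effective.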

#10 2016-07-20 09:28:40

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: Trying to ban an entire subset with ufw but failing to do so

R00KIE wrote:

Rules are evaluated in the order as they appear in iptables, so if you want to drop something you have to put it before the accept line.

As a side note, if you are planning on banning a large number of IPs you might want to check if what you are planning to use supports ipset.

Thought so from what I found on Google. For now, I just manually reordered them in user.rules. To your 2nd point, I have been just looking through the httpd access log and banning IP addresses that I do not recognize as they have no need to hit the server. I'm not sure what you mean by the comment you made about ipset...?


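The manual process described in post #10 (read access_log, ban the unrecognised sources) can be scripted, and doing so makes the ordering fix automatic. The following is an added example, not ufw's code and not the poster's; the log is a constructed sample built from the two lines quoted in post #4 plus three invented ones, the allowlist is assumed to be the LAN that the poster's `ufw status` already allows in full, and the /16 widening is the poster's own choice of ban granularity (passed as `prefix` so it is explicit). It prints `ufw insert 1 deny from ...` commands rather than executing them, so they can be reviewed first; `insert 1` puts each DROP at the top of the user chain, ahead of the ACCEPT for 443.

```python
"""Turn httpd access_log entries into ufw deny rules (added example, not the
poster's or ufw's code). Common Log Format is assumed for the input lines.
"""
import ipaddress
import re

# Constructed sample: two lines from the thread, two invented hits, one junk line.
SAMPLE_LOG = """\
184.105.247.196 - - [16/Jul/2016:09:12:12 -0400] "GET / HTTP/1.1" 403 1006
192.168.1.23 - - [16/Jul/2016:10:01:00 -0400] "GET /index.html HTTP/1.1" 200 512
74.82.47.4 - - [17/Jul/2016:11:23:23 -0400] "GET / HTTP/1.1" 403 1006
184.105.247.200 - - [17/Jul/2016:12:00:00 -0400] "GET /robots.txt HTTP/1.1" 403 1006
not a log line at all
"""

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the LAN allowed in full by the poster's ruleset must never be banned.
ALLOWED = (ipaddress.ip_network("192.168.1.0/24"),)


def client_ips(log_text):
    """Yield the client address of every well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group("ip"))
        except ValueError:  # hostname logged instead of an address
            continue


def networks_to_ban(log_text, allowed=ALLOWED, prefix=16):
    """Collect the /prefix blocks (IPv4 only, as in the thread) of unexpected clients."""
    nets = set()
    for ip in client_ips(log_text):
        if ip.version != 4 or any(ip in a for a in allowed):
            continue
        nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return sorted(nets)


def ufw_commands(nets):
    """`ufw insert 1` places the rule first among the user rules; a plain
    `ufw deny` would append it after the existing ACCEPTs, which is what went wrong above."""
    return [f"ufw insert 1 deny from {n.with_prefixlen}" for n in nets]


if __name__ == "__main__":
    for cmd in ufw_commands(networks_to_ban(SAMPLE_LOG)):
        print(cmd)
```

Because every command inserts at position 1, the deny rules end up in reverse order of emission; that does not matter, since no two of them overlap and all of them sit above the ACCEPTs. Widening one hit to a whole /16 is coarse and will also block any legitimate client in that block, so check the output before running it.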

#11 2016-07-20 09:56:30

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Trying to ban an entire subset with ufw but failing to do so

That was just an idea; it doesn't mean you really have to use it. Think of it as another option if later you want to try doing things differently for some reason.

I suppose ipset is more "natural" to use if you use iptables directly, but if you are curious you can take a quick look here [1] and get an idea of how it works.

[1] https://wiki.archlinux.org/index.php/Ipset


