Page 2 of 2
Results 11 to 20 of 20

Thread: Why is ufw denying outgoing connections?

  1. #11
    Dangertux
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Why is ufw denying outgoing connections?

    No, OP has a default outbound policy to ACCEPT..

    This still doesn't make sense to me, I'm not saying you're wrong but I'm having a hard time figuring out how this is a firewall issue.

    Did you add any custom rules to /etc/ufw/before.rules or /etc/ufw/after.rules?

  2. #12
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Why is ufw denying outgoing connections?

    No custom rules. As a further bit of faultfinding I just tried pinging one of the servers for my Wordpress plugin:
    • ufw disabled = ping ok
    • ufw enabled = ping failed
    • ufw enabled and rule added to explicitly allow out to that IP = ping failed

    So even though my default policy is allow out, ufw is blocking outgoing, even if I add a rule allowing it. Also, I thought ufw's default was to allow pings regardless.

    If this isn't a ufw problem, how come everything is fine with ufw disabled?

  3. #13
    Join Date
    Jun 2010
    Location
    ~
    Beans
    Hidden!

    Re: Why is ufw denying outgoing connections?

    UFW is a handler for iptables, and it might be easier to see what is actually going on if you dump the iptables rules directly
    Code:
    sudo /sbin/iptables-save
    will list the available iptables rules currently loaded.

  4. #14
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Why is ufw denying outgoing connections?

    With ufw enabled I get this:
    Code:
    # Generated by iptables-save v1.4.4 on Sun Mar 11 20:28:26 2012
    *mangle
    :PREROUTING ACCEPT [161:13992]
    :INPUT ACCEPT [161:13992]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [128:42099]
    :POSTROUTING ACCEPT [128:42099]
    COMMIT
    # Completed on Sun Mar 11 20:28:26 2012
    # Generated by iptables-save v1.4.4 on Sun Mar 11 20:28:26 2012
    *filter
    :INPUT DROP [4:196]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [36:24139]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input 
    -A INPUT -j ufw-before-input 
    -A INPUT -j ufw-after-input 
    -A INPUT -j ufw-after-logging-input 
    -A INPUT -j ufw-reject-input 
    -A INPUT -j ufw-track-input 
    -A FORWARD -j ufw-before-logging-forward 
    -A FORWARD -j ufw-before-forward 
    -A FORWARD -j ufw-after-forward 
    -A FORWARD -j ufw-after-logging-forward 
    -A FORWARD -j ufw-reject-forward 
    -A OUTPUT -j ufw-before-logging-output 
    -A OUTPUT -j ufw-before-output 
    -A OUTPUT -j ufw-after-output 
    -A OUTPUT -j ufw-after-logging-output 
    -A OUTPUT -j ufw-reject-output 
    -A OUTPUT -j ufw-track-output 
    -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
    -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " 
    -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " 
    -A ufw-before-forward -j ufw-user-forward 
    -A ufw-before-input -j ufw-user-input 
    -A ufw-before-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 
    -A ufw-before-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 
    -A ufw-before-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] " 
    -A ufw-before-output -j ufw-user-output 
    -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " 
    -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " 
    -A ufw-skip-to-policy-forward -j DROP 
    -A ufw-skip-to-policy-input -j DROP 
    -A ufw-skip-to-policy-output -j ACCEPT 
    -A ufw-track-output -p tcp -m state --state NEW -j ACCEPT 
    -A ufw-track-output -p udp -m state --state NEW -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 53 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 67 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 67 -j ACCEPT 
    -A ufw-user-input -p tcp -m tcp --dport 68 -j ACCEPT 
    -A ufw-user-input -p udp -m udp --dport 68 -j ACCEPT 
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " 
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable 
    -A ufw-user-limit-accept -j ACCEPT 
    COMMIT
    # Completed on Sun Mar 11 20:28:26 2012
    # Generated by iptables-save v1.4.4 on Sun Mar 11 20:28:26 2012
    *nat
    :PREROUTING ACCEPT [17:872]
    :POSTROUTING ACCEPT [14:896]
    :OUTPUT ACCEPT [14:896]
    COMMIT
    # Completed on Sun Mar 11 20:28:26 2012
    Last edited by Paqman; March 11th, 2012 at 09:29 PM.

  5. #15
    Join Date
    Jun 2010
    Location
    ~
    Beans
    Hidden!

    Re: Why is ufw denying outgoing connections?

    One thing that I'm not noticing is the loopback adapter rules. This might help, but it's not a UFW solution. Maybe someone else can figure out how to fix this in UFW.

    Code:
    $ sudo iptables -I INPUT 1 -i lo -j ACCEPT
    $ sudo iptables -I OUTPUT 1 -o lo -j ACCEPT
    If this works, then lo may be the issue.

  6. #16
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Why is ufw denying outgoing connections?

    Quote Originally Posted by emiller12345 View Post
    One thing that I'm not noticing is the loopback adapter rules. This might help, but it's not a UFW solution. Maybe someone else can figure out how to fix this in UFW.

    Code:
    $ sudo iptables -I INPUT 1 -i lo -j ACCEPT
    $ sudo iptables -I OUTPUT 1 -o lo -j ACCEPT
    If this works, then lo may be the issue.
    What would the absence (or presence) of this actually do?

  7. #17
    Join Date
    Nov 2007
    Location
    Newry, Northern Ireland
    Beans
    1,258

    Re: Why is ufw denying outgoing connections?

    Quote Originally Posted by Paqman View Post
    What would the absence (or presence) of this actually do?
    The presence of a "lo allow" rule allows the box to essentially talk to itself using TCP/IP and is normally very important.

    I also do not see any RELATED/ESTABLISHED rules, could it be that the outbound connection is allowed, but the reply is dropped?

    It might be better to just spend a little bit of time looking at iptables directly and writing your own firewall script, rather than using ufw, just don't try to use both at the same time.

    I'm sure one (or more) of us could help you write a little iptables script to do exactly what you need.
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  8. #18
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,109
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: Why is ufw denying outgoing connections?

    In post number 14 above, the "ufw-before-output" rule jumps to a target of "ufw-user-output" but no rule appears in the listing to be added to that chain, which leaves that chain empty! I would expect this to cause the rule to return to the OUTPUT chain and then the default policy for the OUTPUT chain to send packets to the ACCEPT target, but I'm not certain that this would happen. The packets might be getting lost, instead.

    Perhaps adding a rule that creates a rule in "ufw-user-output" to jump to ACCEPT would solve things. Adding a ufw rule to accept "any" to "any" for output should take care of such an addition to iptables...

    Hope this helps!
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads
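
    The two observations above (post #17: no loopback accept and no RELATED,ESTABLISHED accept anywhere in the dump from post #14; post #18: the ufw-user-output chain is empty) can be checked mechanically against an iptables-save dump rather than by eye. The script below is an added example written for this page, not code from the thread or from ufw itself. It assumes the set of rules ufw's stock /etc/ufw/before.rules installs on the releases discussed here (loopback accept, RELATED,ESTABLISHED accept and an ICMP echo-request accept in the ufw-before-* chains), and the two dumps it audits are constructed, trimmed to the filter table. The reasoning it encodes is plain iptables behaviour: an outgoing ping leaves through OUTPUT, whose policy is ACCEPT, but the echo-reply comes back through INPUT, whose policy is DROP; with no RELATED,ESTABLISHED or ICMP accept before that policy the reply is dropped, which is why adding "allow out" rules cannot help. An empty user-defined chain, by contrast, is harmless: packets fall through to the calling chain and end at the built-in chain's policy.

```shell
#!/bin/sh
# Audit an iptables-save dump for the loopback and stateful rules that ufw's
# stock /etc/ufw/before.rules installs. Added example for this thread, not a
# ufw tool; the "expected" list below is an assumption based on the default
# before.rules of the Ubuntu releases discussed (10.04 through 13.04).

# "description|ERE pattern" per line. iptables-save prints the state match as
# "-m state --state" (older) or "-m conntrack --ctstate" (newer) and ICMP type
# 8 as a number or as echo-request, so the patterns accept either form.
UFW_EXPECTED='
loopback in  (ufw-before-input -i lo)|^-A ufw-before-input -i lo -j ACCEPT
loopback out (ufw-before-output -o lo)|^-A ufw-before-output -o lo -j ACCEPT
replies in   (RELATED,ESTABLISHED)|^-A ufw-before-input .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT
replies out  (RELATED,ESTABLISHED)|^-A ufw-before-output .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT
ping in      (icmp echo-request)|^-A ufw-before-input -p icmp .*--icmp-type (8|echo-request) -j ACCEPT
'

# Print one MISSING line per expected rule absent from the dump in $1.
ufw_missing() {
    printf '%s\n' "$UFW_EXPECTED" | while IFS='|' read -r desc pattern; do
        [ -n "$desc" ] || continue
        grep -E -q -- "$pattern" "$1" || printf 'MISSING: %s\n' "$desc"
    done
}

# Number of expected rules missing from the dump in $1 (awk so "0" is clean).
ufw_missing_count() {
    ufw_missing "$1" | awk 'END { print NR }'
}

# Number of -A rules appended to chain $2 in dump $1. An empty user chain is
# not a black hole: packets fall through to the caller and, ultimately, to the
# built-in chain's policy (OUTPUT ACCEPT in the dump above).
ufw_chain_rule_count() {
    grep -E -c -- "^-A $2 " "$1" || true
}

# Human-readable report; exit status 1 if any expected rule is missing.
ufw_audit() {
    echo "== $1 =="
    ufw_missing "$1"
    for chain in ufw-user-input ufw-user-output; do
        if [ "$(ufw_chain_rule_count "$1" "$chain")" -eq 0 ]; then
            echo "INFO: $chain is empty (harmless: falls through to policy)"
        fi
    done
    n=$(ufw_missing_count "$1")
    echo "$n expected before.rules entries missing"
    [ "$n" -eq 0 ]
}

# --- constructed sample dumps (filter table only) ---------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BROKEN="$WORK/broken.rules"    # shape of the dump posted in this thread
HEALTHY="$WORK/healthy.rules"  # same box with stock before.rules loaded

cat > "$BROKEN" <<'EOF'
*filter
:INPUT DROP [4:196]
:OUTPUT ACCEPT [36:24139]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-before-output
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -j ufw-user-output
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

cat > "$HEALTHY" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-before-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Real use: sudo iptables-save > /tmp/ufw.dump; ufw_audit /tmp/ufw.dump
for f in "$BROKEN" "$HEALTHY"; do
    ufw_audit "$f" || echo "-> replies to outbound traffic would hit INPUT's DROP policy"
done
```

    Run it against a live dump (`sudo iptables-save > /tmp/ufw.dump; ufw_audit /tmp/ufw.dump`). Five MISSING lines against the first constructed dump, none against the second, and only an INFO line for the empty ufw-user-output chain, which is expected when no outbound rules have been added. If the live system reports MISSING entries, compare /etc/ufw/before.rules with the copy shipped by the ufw package and run `sudo ufw reload`; no amount of `ufw allow out` rules will restore state tracking in the before chains.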

  9. #19
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Why is ufw denying outgoing connections?

    Quote Originally Posted by JKyleOKC View Post
    Perhaps adding a rule that creates a rule in "ufw-user-output" to jump to ACCEPT would solve things. Adding a ufw rule to accept "any" to "any" for output should take care of such an addition to iptables...
    I just did:
    Code:
    sudo ufw allow out from any to any
    ...no change unfortunately.

  10. #20
    Join Date
    Jun 2006
    Beans
    15

    Re: Why is ufw denying outgoing connections?

    I have the same problems with my UFW but on an OpenVZ server. This might be a problem with firewall initialization. Someone could check if this might be one of the problems mentioned there: http://blog.bodhizazen.net/linux/how...nvz-templates/. I will only be able to play around with this at the end of the week.
