Thread: UFW blocks port 25, with other instabilities

  1. #1

    UFW blocks port 25, with other instabilities

    I am using
    Code:
    Ubuntu 23.10
    I have 2 issues with my UFW firewall that may or may not be related.
    The only configuration I have done is
    Code:
    sudo ufw allow 25
    ...
    to the ports I needed, and then added a connection tracking line in my ufw before.rules
    Code:
    *filter
    -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    When I reboot and test it, my port test of 25 will fail / just hang.
    Upon clearing my firewall using
    Code:
        sudo iptables -P INPUT ACCEPT
        sudo iptables -P FORWARD ACCEPT
        sudo iptables -P OUTPUT ACCEPT
        sudo iptables -t nat -F
        sudo iptables -t mangle -F
        sudo iptables -F
        sudo iptables -X
    Then my port works

    ~$ telnet mail.domain.com 25
    Trying 149.28.24.41...
    Connected to mail.domain.com.
    Escape character is '^]'.
    220 mail.domain.com ESMTP Exim 4.96 Ubuntu Tue, 27 Feb 2024 00:13:33 +0000
    exit

    Why is my firewall blocking my port 25?

    Also, periodically my ssh port will lock up. The two issues seem to pop up at the same time. I have no clue if they are related.

    My iptables
    Code:
    yoda@mail:~$ sudo iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N f2b-ufw
    -N ufw-after-forward
    -N ufw-after-input
    -N ufw-after-logging-forward
    -N ufw-after-logging-input
    -N ufw-after-logging-output
    -N ufw-after-output
    -N ufw-before-forward
    -N ufw-before-input
    -N ufw-before-logging-forward
    -N ufw-before-logging-input
    -N ufw-before-logging-output
    -N ufw-before-output
    -N ufw-logging-allow
    -N ufw-logging-deny
    -N ufw-not-local
    -N ufw-reject-forward
    -N ufw-reject-input
    -N ufw-reject-output
    -N ufw-skip-to-policy-forward
    -N ufw-skip-to-policy-input
    -N ufw-skip-to-policy-output
    -N ufw-track-forward
    -N ufw-track-input
    -N ufw-track-output
    -N ufw-user-forward
    -N ufw-user-input
    -N ufw-user-limit
    -N ufw-user-limit-accept
    -N ufw-user-logging-forward
    -N ufw-user-logging-input
    -N ufw-user-logging-output
    -N ufw-user-output
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -j f2b-ufw
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A INPUT -s 200.68.165.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A f2b-ufw -s 80.66.83.153/32 -j REJECT --reject-with icmp-port-unreachable
    -A f2b-ufw -s 77.90.185.72/32 -j REJECT --reject-with icmp-port-unreachable
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
    -A ufw-user-input -s 218.92.0.52/32 -j DROP
    -A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    I do have fail2ban and knockd installed and configured to service port 22, but they appear to be error free, and I cannot see how they would be the cause of this.

    Code:
    /etc/fail2ban/jail.conf
    Code:
     yoda@mail:~$ sudo cat /etc/fail2ban/jail.conf
    [sudo] password for yoda: 
    #
    # WARNING: heavily refactored in 0.9.0 release.  Please review and
    #          customize settings for your setup.
    #
    # Changes:  in most of the cases you should not modify this
    #           file, but provide customizations in jail.local file,
    #           or separate .conf files under jail.d/ directory, e.g.:
    #
    # HOW TO ACTIVATE JAILS:
    #
    # YOU SHOULD NOT MODIFY THIS FILE.
    #
    # It will probably be overwritten or improved in a distribution update.
    #
    # Provide customizations in a jail.local file or a jail.d/customisation.local.
    # For example to change the default bantime for all jails and to enable the
    # ssh-iptables jail the following (uncommented) would appear in the .local file.
    # See man 5 jail.conf for details.
    #
    # [DEFAULT]
    # bantime = 1h
    #
    # [sshd]
    # enabled = true
    #
    # See jail.conf(5) man page for more information
    
    
    
    # Comments: use '#' for comment lines and ';' (following a space) for inline comments
    
    
    [INCLUDES]
    
    #before = paths-distro.conf
    before = paths-debian.conf
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    #
    # MISCELLANEOUS OPTIONS
    #
    
    # "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
    # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
    #bantime.increment = true
    
    # "bantime.rndtime" is the max number of seconds using for mixing with random time 
    # to prevent "clever" botnets calculate exact time IP can be unbanned again:
    #bantime.rndtime = 
    
    # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
    #bantime.maxtime = 
    
    # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
    # default value of factor is 1 and with default value of formula, the ban time 
    # grows by 1, 2, 4, 8, 16 ...
    #bantime.factor = 1
    
    # "bantime.formula" used by default to calculate next value of ban time, default value below,
    # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
    #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    #
    # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
    #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
    
    # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
    # previously ban count and given "bantime.factor" (for multipliers default is 1);
    # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
    # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
    #bantime.multipliers = 1 2 4 8 16 32 64
    # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
    # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
    #bantime.multipliers = 1 5 30 60 300 720 1440 2880
    
    # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
    # cross over all jails, if false (default), only current jail of the ban IP will be searched
    #bantime.overalljails = false
    
    # --------------------
    
    # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
    # (default is true). Fail2ban will not ban a host which matches such addresses.
    #ignoreself = true
    
    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    # will not ban a host which matches an address in this list. Several addresses
    # can be defined using space (and/or comma) separator.
    #ignoreip = 127.0.0.1/8 ::1
    
    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 20000m
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 10m
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5
    
    # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
    maxmatches = %(maxretry)s
    
    # "backend" specifies the backend used to get files modification.
    # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
    # This option can be overridden in each jail as well.
    #
    # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    #              If pyinotify is not installed, Fail2ban will use auto.
    # gamin:     requires Gamin (a file alteration monitor) to be installed.
    #              If Gamin is not installed, Fail2ban will use auto.
    # polling:   uses a polling algorithm which does not require external libraries.
    # systemd:   uses systemd python library to access the systemd journal.
    #              Specifying "logpath" is not valid for this backend.
    #              See "journalmatch" in the jails associated filter config
    # auto:      will try to use the following backends, in order:
    #              pyinotify, gamin, polling.
    #
    # Note: if systemd backend is chosen as the default but you enable a jail
    #       for which logs are present only in its own log files, specify some other
    #       backend for that jail (e.g. polling) and provide empty value for
    #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
    backend = auto
    
    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a DNS lookup will be performed.
    # warn:  if a hostname is encountered, a DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
    usedns = warn
    
    # "logencoding" specifies the encoding of the log files handled by the jail
    #   This is used to decode the lines from the log file.
    #   Typical examples:  "ascii", "utf-8"
    #
    #   auto:   will use the system locale setting
    logencoding = auto
    
    # "enabled" enables the jails.
    #  By default all jails are disabled, and it should stay this way.
    #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
    #
    # true:  jail will be enabled and log files will get monitored for changes
    # false: jail is not enabled
    enabled = false
    
    
    # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
    mode = normal
    
    # "filter" defines the filter to use by the jail.
    #  By default jails have names matching their filter name
    #
    filter = %(__name__)s[mode=%(mode)s]
    
    
    #
    # ACTIONS
    #
    
    # Some options used for actions
    
    # Destination email address used solely for the interpolations in
    # jail.{conf,local,d/*} configuration files.
    destemail = root@localhost
    
    # Sender email address used solely for some actions
    sender = root@<fq-hostname>
    
    # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
    # mailing. Change mta configuration parameter to mail if you want to
    # revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
    chain = <known/chain>
    
    # Ports to be banned
    # Usually should be overridden in a particular jail
    port = 0:65535
    
    # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
    fail2ban_agent = Fail2Ban/%(fail2ban_version)s
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport
    banaction_allports = iptables-allports
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(action_)s
                %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(action_)s
                 %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
    
    # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
    #
    # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
    # to the destemail.
    action_xarf = %(action_)s
                 xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
    
    # ban & send a notification to one or more of the 50+ services supported by Apprise.
    # See https://github.com/caronc/apprise/wiki for details on what is supported.
    #
    # You may optionally over-ride the default configuration line (containing the Apprise URLs)
    # by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
    # /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
    # action = %(action_)s
    #          apprise
    
    # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                    %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
    
    # Report block via blocklist.de fail2ban reporting service API
    # 
    # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
    # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
    # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
    # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
    # corresponding jail.d/my-jail.local file).
    #
    action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
    
    # Report ban via abuseipdb.com.
    #
    # See action.d/abuseipdb.conf for usage example and details.
    #
    action_abuseipdb = abuseipdb
    
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s
    
    
    #
    # JAILS
    #
    
    #
    # SSH servers
    #
    
    #[sshd]
    
    # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
    # normal (default), ddos, extra or aggressive (combines all).
    # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
    #mode   = normal
    #port    = ssh
    #logpath = %(sshd_log)s
    #backend = %(sshd_backend)s
    
    
    [dropbear]
    
    port     = ssh
    logpath  = %(dropbear_log)s
    backend  = %(dropbear_backend)s
    
    
    [selinux-ssh]
    
    port     = ssh
    logpath  = %(auditd_log)s
    
    
    #
    # HTTP servers
    #
    
    [apache-auth]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    
    
    [apache-badbots]
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    port     = http,https
    logpath  = %(apache_access_log)s
    bantime  = 48h
    maxretry = 1
    
    
    [apache-noscript]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    
    
    [apache-overflows]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-nohome]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-botsearch]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-fakegooglebot]
    
    port     = http,https
    logpath  = %(apache_access_log)s
    maxretry = 1
    ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot <ip>
    
    
    [apache-modsecurity]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-shellshock]
    
    port    = http,https
    logpath = %(apache_error_log)s
    maxretry = 1
    
    
    [openhab-auth]
    
    filter = openhab
    banaction = %(banaction_allports)s
    logpath = /opt/openhab/logs/request.log
    
    
    # To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
    # normal (default), aggressive (combines all), auth or fallback
    # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
    [nginx-http-auth]
    # mode = normal
    port    = http,https
    logpath = %(nginx_error_log)s
    
    # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
    # and define `limit_req` and `limit_req_zone` as described in nginx documentation
    # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
    # or for example see in 'config/filter.d/nginx-limit-req.conf'
    [nginx-limit-req]
    port    = http,https
    logpath = %(nginx_error_log)s
    
    [nginx-botsearch]
    
    port     = http,https
    logpath  = %(nginx_error_log)s
    
    [nginx-bad-request]
    port    = http,https
    logpath = %(nginx_access_log)s
    
    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.
    
    [php-url-fopen]
    
    port    = http,https
    logpath = %(nginx_access_log)s
              %(apache_access_log)s
    
    
    [suhosin]
    
    port    = http,https
    logpath = %(suhosin_log)s
    
    
    [lighttpd-auth]
    # Same as above for Apache's mod_auth
    # It catches wrong authentifications
    port    = http,https
    logpath = %(lighttpd_error_log)s
    
    
    #
    # Webmail and groupware servers
    #
    
    [roundcube-auth]
    
    port     = http,https
    logpath  = %(roundcube_errors_log)s
    # Use following line in your jail.local if roundcube logs to journal.
    #backend = %(syslog_backend)s
    
    
    [openwebmail]
    
    port     = http,https
    logpath  = /var/log/openwebmail.log
    
    
    [horde]
    
    port     = http,https
    logpath  = /var/log/horde/horde.log
    
    
    [groupoffice]
    
    port     = http,https
    logpath  = /home/groupoffice/log/info.log
    
    
    [sogo-auth]
    # Monitor SOGo groupware server
    # without proxy this would be:
    # port    = 20000
    port     = http,https
    logpath  = /var/log/sogo/sogo.log
    
    
    [tine20]
    
    logpath  = /var/log/tine20/tine20.log
    port     = http,https
    
    
    #
    # Web Applications
    #
    #
    
    [drupal-auth]
    
    port     = http,https
    logpath  = %(syslog_daemon)s
    backend  = %(syslog_backend)s
    
    [guacamole]
    
    port     = http,https
    logpath  = /var/log/tomcat*/catalina.out
    #logpath  = /var/log/guacamole.log
    
    [monit]
    #Ban clients brute-forcing the monit gui login
    port = 2812
    logpath  = /var/log/monit
               /var/log/monit.log
    
    
    [webmin-auth]
    
    port    = 10000
    logpath = %(syslog_authpriv)s
    backend = %(syslog_backend)s
    
    
    [froxlor-auth]
    
    port    = http,https
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    
    
    #
    # HTTP Proxy servers
    #
    #
    
    [squid]
    
    port     =  80,443,3128,8080
    logpath = /var/log/squid/access.log
    
    
    [3proxy]
    
    port    = 3128
    logpath = /var/log/3proxy.log
    
    
    #
    # FTP servers
    #
    
    
    [proftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(proftpd_log)s
    backend  = %(proftpd_backend)s
    
    
    [pure-ftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(pureftpd_log)s
    backend  = %(pureftpd_backend)s
    
    
    [gssftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(syslog_daemon)s
    backend  = %(syslog_backend)s
    
    
    [wuftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(wuftpd_log)s
    backend  = %(wuftpd_backend)s
    
    
    [vsftpd]
    # or overwrite it in jails.local to be
    # logpath = %(syslog_authpriv)s
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(vsftpd_log)s
    
    
    #
    # Mail servers
    #
    
    # ASSP SMTP Proxy Jail
    [assp]
    
    port     = smtp,465,submission
    logpath  = /root/path/to/assp/logs/maillog.txt
    
    
    [courier-smtp]
    
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [postfix]
    # To use another modes set filter parameter "mode" in jail.local:
    mode    = more
    port    = smtp,465,submission
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s
    
    
    [postfix-rbl]
    
    filter   = postfix[mode=rbl]
    port     = smtp,465,submission
    logpath  = %(postfix_log)s
    backend  = %(postfix_backend)s
    maxretry = 1
    
    
    [sendmail-auth]
    
    port    = submission,465,smtp
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [sendmail-reject]
    # To use more aggressive modes set filter parameter "mode" in jail.local:
    # normal (default), extra or aggressive
    # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
    #mode    = normal
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [qmail-rbl]
    
    filter  = qmail
    port    = smtp,465,submission
    logpath = /service/qmail/log/main/current
    
    
    # dovecot defaults to logging to the mail syslog facility
    # but can be set by syslog_facility in the dovecot configuration.
    [dovecot]
    
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = %(dovecot_log)s
    backend = %(dovecot_backend)s
    
    
    [sieve]
    
    port   = smtp,465,submission
    logpath = %(dovecot_log)s
    backend = %(dovecot_backend)s
    
    
    [solid-pop3d]
    
    port    = pop3,pop3s
    logpath = %(solidpop3d_log)s
    
    
    [exim]
    # see filter.d/exim.conf for further modes supported from filter:
    #mode = normal
    port   = smtp,465,submission
    logpath = %(exim_main_log)s
    
    
    [exim-spam]
    
    port   = smtp,465,submission
    logpath = %(exim_main_log)s
    
    
    [kerio]
    
    port    = imap,smtp,imaps,465
    logpath = /opt/kerio/mailserver/store/logs/security.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courier-auth]
    
    port     = smtp,465,submission,imap,imaps,pop3,pop3s
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [postfix-sasl]
    
    filter   = postfix[mode=auth]
    port     = smtp,465,submission,imap,imaps,pop3,pop3s
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath  = %(postfix_log)s
    backend  = %(postfix_backend)s
    
    
    [perdition]
    
    port   = imap,imaps,pop3,pop3s
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [squirrelmail]
    
    port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
    logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
    
    
    [cyrus-imap]
    
    port   = imap,imaps
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [uwimap-auth]
    
    port   = imap,imaps
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    #
    #
    # DNS servers
    #
    
    
    # !!! WARNING !!!
    #   Since UDP is connection-less protocol, spoofing of IP and imitation
    #   of illegal actions is way too simple.  Thus enabling of this filter
    #   might provide an easy way for implementing a DoS against a chosen
    #   victim. See
    #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
    #   Please DO NOT USE this jail unless you know what you are doing.
    #
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks UDP traffic for DNS requests.
    # [named-refused-udp]
    #
    # filter   = named-refused
    # port     = domain,953
    # protocol = udp
    # logpath  = /var/log/named/security.log
    
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks TCP traffic for DNS requests.
    
    [named-refused]
    
    port     = domain,953
    logpath  = /var/log/named/security.log
    
    
    [nsd]
    
    port     = 53
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath = /var/log/nsd.log
    
    
    #
    # Miscellaneous
    #
    
    [asterisk]
    
    port     = 5060,5061
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/asterisk/messages
    maxretry = 10
    
    
    [freeswitch]
    
    port     = 5060,5061
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/freeswitch.log
    maxretry = 10
    
    
    # enable adminlog; it will log to a file inside znc's directory by default.
    [znc-adminlog]
    
    port     = 6667
    logpath  = /var/lib/znc/moddata/adminlog/znc.log
    
    
    # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
    # equivalent section:
    # log-warnings = 2
    #
    # for syslog (daemon facility)
    # [mysqld_safe]
    # syslog
    #
    # for own logfile
    # [mysqld]
    # log-error=/var/log/mysqld.log
    [mysqld-auth]
    
    port     = 3306
    logpath  = %(mysql_log)s
    backend  = %(mysql_backend)s
    
    
    [mssql-auth]
    # Default configuration for Microsoft SQL Server for Linux
    # See the 'mssql-conf' manpage how to change logpath or port
    logpath = /var/opt/mssql/log/errorlog
    port = 1433
    filter = mssql-auth
    
    
    # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
    [mongodb-auth]
    # change port when running with "--shardsvr" or "--configsvr" runtime operation
    port     = 27017
    logpath  = /var/log/mongodb/mongodb.log
    
    
    # Jail for more extended banning of persistent abusers
    # !!! WARNINGS !!!
    # 1. Make sure that your loglevel specified in fail2ban.conf/.local
    #    is not at DEBUG level -- which might then cause fail2ban to fall into
    #    an infinite loop constantly feeding itself with non-informative lines
    # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
    #    to maintain entries for failed logins for sufficient amount of time
    [recidive]
    
    logpath  = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime  = 1w
    findtime = 1d
    
    
    # Generic filter for PAM. Has to be used with action which bans all
    # ports such as iptables-allports, shorewall
    
    [pam-generic]
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    banaction = %(banaction_allports)s
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    
    
    [xinetd-fail]
    
    banaction = iptables-multiport-log
    logpath   = %(syslog_daemon)s
    backend   = %(syslog_backend)s
    maxretry  = 2
    
    
    # stunnel - need to set port for this
    [stunnel]
    
    logpath = /var/log/stunnel4/stunnel.log
    
    
    [ejabberd-auth]
    
    port    = 5222
    logpath = /var/log/ejabberd/ejabberd.log
    
    
    [counter-strike]
    
    logpath = /opt/cstrike/logs/L[0-9]*.log
    tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
    udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
    action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
    
    [softethervpn]
    port     = 500,4500
    protocol = udp
    logpath  = /usr/local/vpnserver/security_log/*/sec.log
    
    [gitlab]
    port    = http,https
    logpath = /var/log/gitlab/gitlab-rails/application.log
    
    [grafana]
    port    = http,https
    logpath = /var/log/grafana/grafana.log
    
    [bitwarden]
    port    = http,https
    logpath = /home/*/bwdata/logs/identity/Identity/log.txt
    
    [centreon]
    port    = http,https
    logpath = /var/log/centreon/login.log
    
    # consider low maxretry and a long bantime
    # nobody except your own Nagios server should ever probe nrpe
    [nagios]
    
    logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
    backend  = %(syslog_backend)s
    maxretry = 1
    
    
    [oracleims]
    # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
    logpath = /opt/sun/comms/messaging64/log/mail.log_current
    banaction = %(banaction_allports)s
    
    [directadmin]
    logpath = /var/log/directadmin/login.log
    port = 2222
    
    [portsentry]
    logpath  = /var/lib/portsentry/portsentry.history
    maxretry = 1
    
    [pass2allow-ftp]
    # this pass2allow example allows FTP traffic after successful HTTP authentication
    port         = ftp,ftp-data,ftps,ftps-data
    # knocking_url variable must be overridden to some secret value in jail.local
    knocking_url = /knocking/
    filter       = apache-pass[knocking_url="%(knocking_url)s"]
    # access log of the website with HTTP auth
    logpath      = %(apache_access_log)s
    blocktype    = RETURN
    returntype   = DROP
    action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
                            actionstart_on_demand=false, actionrepair_on_unban=true]
    bantime      = 1h
    maxretry     = 1
    findtime     = 1
    
    
    [murmur]
    # AKA mumble-server
    port     = 64738
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/mumble-server/mumble-server.log
    
    
    [screensharingd]
    # For Mac OS Screen Sharing Service (VNC)
    logpath  = /var/log/system.log
    logencoding = utf-8
    
    [haproxy-http-auth]
    # HAProxy by default doesn't log to file you'll need to set it up to forward
    # logs to a syslog server which would then write them to disk.
    # See "haproxy-http-auth" filter for a brief cautionary note when setting
    # maxretry and findtime.
    logpath  = /var/log/haproxy.log
    
    [slapd]
    port    = ldap,ldaps
    logpath = /var/log/slapd.log
    
    [domino-smtp]
    port    = smtp,ssmtp
    logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
    
    [phpmyadmin-syslog]
    port    = http,https
    logpath = %(syslog_authpriv)s
    backend = %(syslog_backend)s
    
    
    [zoneminder]
    # Zoneminder HTTP/HTTPS web interface auth
    # Logs auth failures to apache2 error log
    port    = http,https
    logpath = %(apache_error_log)s
    
    [traefik-auth]
    # to use 'traefik-auth' filter you have to configure your Traefik instance,
    # see `filter.d/traefik-auth.conf` for details and service example.
    port    = http,https
    logpath = /var/log/traefik/access.log
    
    [scanlogd]
    logpath = %(syslog_local0)s
    banaction = %(banaction_allports)s
    
    [monitorix]
    port    = 8080
    logpath = /var/log/monitorix-httpd
    
    [ufw]
    enabled=true
    filter=ufw.aggressive
    action=iptables-allports
    logpath=/var/log/ufw.log
    maxretry=1
    bantime=-1
    Code:
    yoda@mail:~$ sudo cat /etc/fail2ban/jail.d/sshd.conf
    Code:
    #[sshd]
    #enabled = true
    #port = ssh
    #filter = sshd
    #logpath = /var/log/auth.log
    #maxretry = 4
    #bantime = 1200m
    #ignoreip = whitelist-IP
    #mode = aggressive
    
    [recidive]
    
    #enabled = true
    #port = ssh
    #logpath  = /var/log/fail2ban.log
    #banaction = %(banaction_allports)s
    #bantime  = 1y
    #findtime = 1d
    #maxretry = 3
    Code:
    yoda@mail:~$ sudo cat /etc/fail2ban/filter.d/ufw.aggressive.conf
    Code:
    [Definition]
    failregex = [UFW BLOCK].+SRC=<HOST> DST
    ignoreregex =
    What keeps blocking my smtp port 25? Bonus question. What keeps blocking my port 22?
    Last edited by brads-u; February 27th, 2024 at 02:42 AM.
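    Added example, not from the thread: the `failregex` above, compiled the way fail2ban compiles it (with Python `re`), treats the unescaped `[UFW BLOCK]` as a character class rather than literal text, so it matches any line carrying `SRC=... DST`, and with `maxretry=1`, `bantime=-1` and `iptables-allports` in the `[ufw]` jail one such line permanently bans that source address on every port. The `<HOST>` stand-in is a simplified IPv4 pattern assumed for the demo, and the log lines are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption for this demo;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter line exactly as posted: the brackets are NOT escaped, so
# "[UFW BLOCK]" is a character class matching one of U, F, W, space, B, L, O, C, K.
POSTED_FAILREGEX = r"[UFW BLOCK].+SRC=" + HOST + r" DST"

# Same intent with the brackets escaped so only real [UFW BLOCK] lines match.
ESCAPED_FAILREGEX = r"\[UFW BLOCK\].+SRC=" + HOST + r" DST"

# Constructed sample lines in the shape ufw writes to /var/log/ufw.log
# (documentation addresses; not taken from the thread).
SAMPLE_LOG = [
    "Feb 27 00:13:33 mail kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb 27 00:13:40 mail kernel: [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 "
    "SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Feb 27 00:13:41 mail kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Feb 27 00:13:50 mail sshd[1234]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2",
]


def matched_hosts(failregex, lines):
    """Return the <host> captured from every line the pattern matches, in log order."""
    rx = re.compile(failregex)
    return [m.group("host") for line in lines if (m := rx.search(line))]


def banned_hosts(failregex, lines, maxretry=1):
    """Emulate the jail's counting: a host is banned once it has >= maxretry matches."""
    hits = {}
    for host in matched_hosts(failregex, lines):
        hits[host] = hits.get(host, 0) + 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_FAILREGEX), ("escaped", ESCAPED_FAILREGEX)):
        print(f"{name:8s} matches={matched_hosts(pat, SAMPLE_LOG)} "
              f"banned(maxretry=1)={banned_hosts(pat, SAMPLE_LOG)}")
```

With the posted pattern the client whose connection was allowed on port 25 is banned alongside the scanner; the escaped pattern bans only the address that was actually blocked.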

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: UFW blocks port 25, with other instabilities

    Where is this server?
    Is it a VPS?
    Is it on a commercial network connection?
    Is it on a residential ISP?

    In general, port 25 is blocked and only unblocked by the VPS or commercial account ISP on request. Residential ISPs always block port 25, so it will never work without a relay outside the residential networking that uses a non-blocked port or a VPN connection.

  3. #3
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,542
    Distro
    Ubuntu Development Release

    Re: UFW blocks port 25, with other instabilities

    I really do not like UFW or trying to follow the resulting iptables rule set. I think the order here is wrong:

    Code:
    ...
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    ...
    And your port 25 packets get DROPped by "ufw-not-local" before they ever get to "ufw-user-input" where they would be ACCEPTed.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #4
    Join Date
    Jan 2024
    Beans
    7

    Re: UFW blocks port 25, with other instabilities

    1
    Last edited by brads-u; February 28th, 2024 at 11:16 PM.

  5. #5
    Join Date
    Jan 2024
    Beans
    7

    Re: UFW blocks port 25, with other instabilities

    1
    Last edited by brads-u; February 28th, 2024 at 11:15 PM.

  6. #6
    Join Date
    Jan 2024
    Beans
    7

    Re: UFW blocks port 25, with other instabilities

    Quote Originally Posted by TheFu View Post
    Where is this server?
    Is it a VPS?
    Is it on a commercial network connection?
    Is it on a residential ISP?

    In general, port 25 is blocked and only unblocked by the VPS or commercial account ISP on request. Residential ISPs always block port 25, so it will never work without a relay outside the residential networking that uses a non-blocked port or a VPN connection.
    It's a VPS and port 25 is open. That's why I could connect to port 25 after blowing out my firewall.

  7. #7
    Join Date
    Jan 2024
    Beans
    7

    Re: UFW blocks port 25, with other instabilities

    Quote Originally Posted by Doug S View Post
    I really do not like UFW or trying to follow the resulting iptables rule set. I think the order here is wrong:

    Code:
    ...
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    ...
    And your port 25 packets get DROPped by "ufw-not-local" before they ever get to "ufw-user-input" where they would be ACCEPTed.
    I am very confused about how to fix this. ufw-not-local is declared in before.rules. ufw-user-input gets declared in user.rules.

    I don't see where they get parsed, so that I can swap them.

    Code:
    yoda@mail:~$ sudo cat /etc/ufw/user.rules 
    *filter
    :ufw-user-input - [0:0]
    :ufw-user-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    ### RULES ###
    
    ### tuple ### allow tcp 465 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 465 -j ACCEPT
    
    ### tuple ### allow tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 25 -j ACCEPT
    
    ### tuple ### allow tcp 143 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 143 -j ACCEPT
    
    ### tuple ### allow tcp 993 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 993 -j ACCEPT
    
    ### tuple ### allow tcp 110 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 110 -j ACCEPT
    
    ### tuple ### allow tcp 995 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 995 -j ACCEPT
    
    ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 80 -j ACCEPT
    
    ### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 443 -j ACCEPT
    
    ### tuple ### allow tcp 53 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 53 -j ACCEPT
    
    ### END RULES ###
    
    ### LOGGING ###
    -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
    -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
    -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
    ### END LOGGING ###
    
    ### RATE LIMITING ###
    -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT
    -A ufw-user-limit-accept -j ACCEPT
    ### END RATE LIMITING ###
    COMMIT
    and

    Code:
    yoda@mail:~$ sudo cat /etc/ufw/before.rules 
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #
    
    # Don't delete these required lines, otherwise there will be errors
    *filter
    -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines
    
    
    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -o lo -j ACCEPT
    
    # quickly process packets for which we already have a connection
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    
    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    
    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
    
    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
    
    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local
    
    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    
    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    
    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    
    # all other non-local packets are dropped
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    
    # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
    
    # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
    
    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

  8. #8
    Join Date
    Feb 2024
    Beans
    2

    Re: UFW blocks port 25, with other instabilities

    Any update?

  9. #9
    Join Date
    Jan 2024
    Beans
    7

    Re: UFW blocks port 25, with other instabilities

    Quote Originally Posted by tennysonn View Post
    Any update?
    Nope. I am getting ready to delete ufw and just relearn iptables again.
    ufw is garbage.

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: UFW blocks port 25, with other instabilities

    Quote Originally Posted by brads-u View Post
    Nope. I am getting ready to delete ufw and just relearn iptables again.
    ufw is garbage.
    UFW isn't garbage, it just doesn't have the capabilities you need. Picking the right tool for the right job is important. BTW, I'd suggest you learn nftables instead. It is part of 22.04 and will be in all distros soon, if it isn't already. I've played with it for about 20 minutes when I looked at 22.04 last year. I don't have any servers on 22.04 yet.
    Perhaps next spring I'll move to it.
