Question

UFW (firewall) question: rule set doesn't seem to apply/work correctly?!

This question is based on settings learned from this tutorial, thanks to the author! https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#

I'm trying to secure my Raspberry Pi using UFW on Raspbian, a Debian-based distro. However, I'm not sure it's working properly; here is what I've done so far.

I configured my firewall in this order.

  1. Set the default for outgoing to allow and the default for incoming to deny
  2. Added rules to DENY IN and DENY OUT on several ports (SSH, Telnet, IMAP, POP, PostgreSQL, SQL, FTP)
  3. Added rules to DENY IN and DENY OUT from the Raspberry to other devices on the network, none of which is the network's internet router. At this stage I also created rules using subnets by adding /24.
  4. Decided I should DENY OUT by default, so changed the default for outgoing to deny

Then I couldn't browse the net anymore, nor run apt-get update or apt-get upgrade, for example.

What I did to try to fix/troubleshoot:

  1. Deleted all the rules (allow and deny) with a subnet (/24) manually using the terminal (`status numbered` > `delete <line number>`)
  2. Deleted all the allow out rules
  3. Retested browsing and apt-get with the default for outgoing set back to allow > worked.
  4. Switched the default for outgoing to deny again
  5. Created rules to allow out on port 80, 80/tcp and 80/udp for HTTP, as well as on port 443, 443/tcp and 443/udp for HTTPS
  6. Browsing and apt-get still not working.

I hope someone can help me figure this out, because I'm thinking now that even if I switch the default for outgoing back to allow, apart from allowing a lot of ports to communicate with the outside, I'll also be left wondering how the rules work and whether they really work in UFW.

This also makes me wonder about something: if I set the default for outgoing to allow but create a rule to block from the Raspberry to another of my devices (for example my main computer), how can I know the rule will be respected, since it seems that allowing outbound connections for ports 80 and 443 with the default set to deny all outbound doesn't work?

Is there a higher priority given to the default settings? That wouldn't make sense in my opinion. I also installed GUFW (the UFW GUI) but it doesn't let me add rules. Could this be related? In the end I configured everything using the terminal and your commands or variants of them found on the Debian forums etc. I checked every time whether the firewall was running, as well as the detailed status using "sudo ufw status numbered" and the verbose variant.

I hope someone can help me figure this out. Thanks!
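An added example, not from the question, the tutorial or any answer here: a small Python audit of `sudo ufw status verbose` output, run over a constructed sample that mirrors the rule set described above. ufw evaluates rules in order and the default policy only applies when no rule matches, so the ALLOW OUT rules for 80 and 443 do take effect; what a deny-outgoing default additionally needs is an ALLOW OUT for DNS (port 53), because browsing and apt fail at name resolution before any HTTP connection is attempted, and that is the gap the audit reports.

```python
import re

# Constructed sample of `sudo ufw status verbose` output, modelled on the
# rule set in the question: outgoing default deny, HTTP/HTTPS allowed out,
# an inbound deny, but no rule allowing DNS (port 53) out.
SAMPLE_STATUS = """\
Status: active
Default: deny (incoming), deny (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     DENY IN     Anywhere
80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)
"""

# One rule row: "<to> [(v6)]   ALLOW|DENY|REJECT|LIMIT [IN|OUT]   <from>"
RULE_RE = re.compile(
    r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?:\s+(IN|OUT))?\s+(.+?)\s*$")

def parse_status(text):
    """Return (defaults, rules) parsed from `ufw status verbose` text."""
    defaults, rules = {}, []
    for line in text.splitlines():
        if line.startswith("Default: "):
            for item in line[len("Default: "):].split(","):
                policy, direction = item.strip().split(" ", 1)
                defaults[direction.strip("()")] = policy
            continue
        m = RULE_RE.match(line)
        if m:
            to, action, direction, src = m.groups()
            rules.append({"to": to.replace(" (v6)", ""), "action": action,
                          "dir": direction or "IN", "from": src})
    return defaults, rules

def outbound_allowed(rules, port, proto):
    """True if an ALLOW OUT rule covers port/proto (a bare port covers both protocols)."""
    return any(r["action"] == "ALLOW" and r["dir"] == "OUT"
               and r["to"] in (str(port), f"{port}/{proto}") for r in rules)

def audit_outbound(text, needed=((53, "udp"), (53, "tcp"), (80, "tcp"), (443, "tcp"))):
    """Ports that browsing/apt need but no ALLOW OUT rule covers, when outgoing is deny."""
    defaults, rules = parse_status(text)
    if defaults.get("outgoing") != "deny":
        return []  # default allow: outbound rules can only restrict, nothing is missing
    return [f"{p}/{pr}" for p, pr in needed if not outbound_allowed(rules, p, pr)]
```

Feed it the real output of `sudo ufw status verbose` to see which of the listed outbound ports your current rule set leaves uncovered.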



Here ya go. Don't run it on a weak machine: 1024+ RAM, 2+ cores. This will take a very long time due to the recent addition of botnet addresses. https://github.com/diveyez/ufw-dnsbl-rules-set/blob/master/dofw.sh

@hansen

Alrighty then! Thanks again for your help! I guess I'll go with your recommendation of allowing all outgoing after this mini firewall nightmare.
