Question

UFW (firewall) question: rules set don't seem to apply/work correctly ?!

This question is based on settings learned from this tutorial, thanks to the author ! https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#

I’m trying to secure my Raspberry Pi using UFW on Raspbian, a distro of Debian. However I’m not sure it’s working properly, here is what I’ve done so far.

I configured my firewall in this order.

  1. set the default for outgoing to allow and default incoming to deny
  2. Added rules to DENY IN and DENY OUT of several ports (SSH, Telnet, IMAP, POP, PostGREL, SQL, FTP)
  3. Added rules to DENY IN and DENY OUT from the Raspberry to other devices on the network, none is the network’s internet router. At this stage I also created rules using subnets by adding /24.
  4. Decided I should DENY OUT by default so changed default for outgoing to deny

Then I couldn’t browse the net anymore, nor do apt-get update or apt-get upgrade for example.

What I did to try to fix/troubleshoot:

  1. delete all the rules (allow and deny) with a subnet (/24) manually using terminal and status numbered > delete numberofline
  2. delete all the allow out
  3. retested the browsing and apt-get with default for outgoing set back to allow > Worked.
  4. switched default for outgoing to deny again
  5. created rules to allow out on port 80; 80/tcp; 80/udp for HTTP as well as on port 443; 443/tcp; 443/udp for HTTPS
  6. Browsing and apt-get still not working.

I hope anyone can help me figure this out. Because I’m thinking now, even if I switch default for outgoing to allow again, a part from allowing a lot of ports to communicate to the outside, I’ll also be left wondering about how the rules work and if they do really work in UFW.

Also this makes me wonder about something: if I default for outgoing to allow but create a rule to block from the Raspberry to my other device (for example my main computer), then how can I know the rule will be respected since it seems that allowing outbound connections for ports 80 and 443 with default set to deny all outbound doesn’t work?

Is there a higher priority given to the default settings ? That wouldn’t make sense in my opinion. I also installer GUFW (the UFW gui) but it doesn’t let me add rules. Could this have a link ? In the end I configured everything using the terminal and your commands or variants of it found on the Debian forums etc. Checked every time if the firewall was running or not as well as detailed status using “sudo ufw status numbered” and the verbose variant.

I hope someone can help me figure this out. Thanks !

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Here ya go. Dont run it on a weak machine. 1024+Ram 2+ cores. This will take a very long time due to the recent addition of botnet addresses. https://github.com/diveyez/ufw-dnsbl-rules-set/blob/master/dofw.sh

@hansen

Alrighty then ! Thanks again for your help ! I guess I’ll go with your recommendation of allowing all-outgoing after this mini firewall-nightmare.

This comment has been deleted

Thanks but I already tried those commands. Moreover, I don’t want to use SSH or Telnet so I would like to lock them incoming and outgoing as I connect directly to my system with a keyboard and monitor. If I have for defaults allow outgoing but deny incoming, do I have to still allow ports 80 and 443 as you suggested to be able to browse the net for example ?

At the moment I have defaults for outgoing and incoming both to deny but I created allow rules for outgoing of ports 80 and 443, though browsing doesn’t work, which makes me question why the rules I set aren’t respected.

@Method

When it comes to ufw, if you want to start fresh, you’ll want to use ufw reset. That gives you a clean slate to work with, though first I would run ufw disable.

With ufw disabled and reset, I would recommend setting up defaults that deny incoming, but allow outgoing as your server needs to communicate out to run apt-get and similar commands. If you do not allow outgoing connections, your server can’t communicate outside.

So I would start with (while ufw is disabled):

ufw default deny incoming
ufw default allow outgoing

Now, at this stage, we need to allow ports in, otherwise nothing can connect to the Droplet, so the first thing to allow is SSH.

ufw allow 22/tcp

From there, you need to allow whichever ports through that you wish to allow connections on. For example, if we wanted to open web ports, commonly 80 and 443 (for HTTP and HTTPS), we’d use:

ufw allow 80/tcp
ufw allow 443/tcp