By: Method

UFW (firewall) question: rules set don't seem to apply/work correctly?!

March 24, 2017
Firewall Networking Security Debian

This question is based on settings learned from this tutorial, thanks to the author!
https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#

I'm trying to secure my Raspberry Pi using UFW on Raspbian, a distro of Debian. However I'm not sure it's working properly, here is what I've done so far.

I configured my firewall in this order.

1) set the default for outgoing to allow and default incoming to deny
2) Added rules to DENY IN and DENY OUT of several ports (SSH, Telnet, IMAP, POP, PostgreSQL, SQL, FTP)
3) Added rules to DENY IN and DENY OUT from the Raspberry to other devices on the network, none of which is the network's internet router. At this stage I also created rules using subnets by adding /24.
4) Decided I should DENY OUT by default so changed default for outgoing to deny

Then I couldn't browse the net anymore, nor do apt-get update or apt-get upgrade for example.

What I did to try to fix/troubleshoot:
1) deleted all the rules (allow and deny) with a subnet (/24) manually in the terminal, using "sudo ufw status numbered" and then "sudo ufw delete <number>"
2) delete all the allow out
3) retested the browsing and apt-get with default for outgoing set back to allow > Worked.
4) switched default for outgoing to deny again
5) created rules to allow out on port 80; 80/tcp; 80/udp for HTTP as well as on port 443; 443/tcp; 443/udp for HTTPS
6) Browsing and apt-get still not working.

I hope someone can help me figure this out. Because I'm thinking now, even if I switch default for outgoing to allow again, apart from allowing a lot of ports to communicate to the outside, I'll also be left wondering about how the rules work and if they really do work in UFW.

Also this makes me wonder about something: if I default for outgoing to allow but create a rule to block from the Raspberry to my other device (for example my main computer), then how can I know the rule will be respected since it seems that allowing outbound connections for ports 80 and 443 with default set to deny all outbound doesn't work?

Is there a higher priority given to the default settings? That wouldn't make sense in my opinion.
I also installed GUFW (the UFW GUI) but it doesn't let me add rules. Could this be related? In the end I configured everything using the terminal and your commands or variants of them found on the Debian forums etc. I checked every time whether the firewall was running, as well as the detailed status using "sudo ufw status numbered" and the verbose variant.

I hope someone can help me figure this out. Thanks!

4 Answers

@Method

When it comes to ufw, if you want to start fresh, you'll want to use ufw reset. That gives you a clean slate to work with, though first I would run ufw disable.

With ufw disabled and reset, I would recommend setting up defaults that deny incoming, but allow outgoing as your server needs to communicate out to run apt-get and similar commands. If you do not allow outgoing connections, your server can't communicate outside.

So I would start with (while ufw is disabled):

ufw default deny incoming
ufw default allow outgoing

Now, at this stage, we need to allow ports in, otherwise nothing can connect to the Droplet, so the first thing to allow is SSH.

ufw allow 22/tcp

From there, you need to allow whichever ports through that you wish to allow connections on. For example, if we wanted to open web ports, commonly 80 and 443 (for HTTP and HTTPS), we'd use:

ufw allow 80/tcp
ufw allow 443/tcp
  • Thanks, but I already tried those commands. Moreover, I don't want to use SSH or Telnet, so I would like to lock them incoming and outgoing, as I connect directly to my system with a keyboard and monitor.
    If I have for defaults allow outgoing but deny incoming, do I still have to allow ports 80 and 443 as you suggested to be able to browse the net, for example?

    At the moment I have defaults for outgoing and incoming both to deny but I created allow rules for outgoing of ports 80 and 443, though browsing doesn't work, which makes me question why the rules I set aren't respected.

  • @Method

    If you allow all outgoing traffic, then you can browse normally. You only have to allow ports if you want to host something on Pi.
    EDIT: Given that you set up the default UFW rules, which are allow outgoing, block incoming.

    Click the reply link just below here or use the @ to notify users - otherwise we don't get a notification, when you create a new answer instead of reply.

    • @hansen Thanks for your help, however I still don't get: "If you allow all outgoing traffic, then you can browse normally. You only have to allow ports if you want to host something on Pi."

      Ideally I thought I could deny all incoming and outgoing and then just allow outgoing for ports 80 and 443 for web browsing, but it doesn't work, I can't browse any website. It works if I set the outgoing default to allow, but then why wouldn't it respect the allow rules for 80 and 443 while all outgoing was set to deny by default?

      How can I trust the rules then? Is there a priority given to defaults over individual rules? That wouldn't make sense ...

      • @Method
        Remember that a lot of things actually run on other ports, but your problem might be that you're blocking DNS, so it cannot even look up the domain, which might be why you're stuck. DNS runs on port 53. (Sorry, I cannot remember off the top of my head if it's UDP only or if it's also TCP.)
        If you block everything outgoing and only allow a couple of ports, then a lot of programs might not work correctly, because they expect to be able to use other ports to exit your network.

        • @hansen
          I tried opening outgoing for port 53 (neither TCP nor UDP specified at first) and it worked! Your DNS trick solved it! Thanks, man!
          So you are saying that it's better to leave "all default outgoing to allow" to avoid problems? Does it still provide security equal, or close, to "all default outgoing to deny"?

          • @Method
            Great!
            I'm saying, you'll run into problems with various sites/programs/games not working, since they're running on different ports.
            Blocking everything outgoing does enhance your security, but it will require more management from you.
            Every home router/firewall in the world is setup with block-incoming and allow-outgoing. Which is considered sufficiently safe without annoying the user too much.
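
To make the thread's conclusion concrete, here is the ruleset that hansen's first answer (reset, set defaults, then add explicit rules) and the final DNS fix add up to, written as an added example that is not part of the original thread. It assumes a Pi that only needs to resolve names, sync its clock and reach apt mirrors over HTTP/HTTPS; ports 53, 123, 80 and 443 are therefore my choice, and the UFW variable, the egress_policy and outbound_verdict helpers are mine, not part of ufw. The script is a dry run by default (it echoes the ufw commands instead of running them); set UFW='sudo ufw' to apply them. The outbound_verdict helper answers the poster's priority question by doing what ufw does: the first matching explicit rule wins, and the default policy is only the fallback when no rule matches, which is why "allow out 80" alone still left DNS (port 53) denied.

```shell
#!/bin/sh
# Added example: a deny-all-outgoing ufw policy with the minimum egress a
# Raspberry Pi needs to browse and run apt. Not from the original thread.
# UFW defaults to "echo ufw" so the commands are printed, not applied.
set -eu

UFW="${UFW:-echo ufw}"

egress_policy() {
    # Start from a clean slate, as the first answer recommends.
    $UFW disable
    $UFW --force reset           # --force skips the interactive confirmation
    $UFW default deny incoming
    $UFW default deny outgoing

    # Explicit rules are evaluated before the default policy, so only the
    # traffic listed here may leave the Pi. Note that "ufw allow 80/tcp"
    # without "out" is an *incoming* rule; the direction must be stated.
    $UFW allow out 53/udp        # DNS (assumed resolver port; TCP below is
    $UFW allow out 53/tcp        # used for answers too large for one UDP packet)
    $UFW allow out 123/udp       # NTP, so the clock is right for TLS validation
    $UFW allow out 80/tcp        # HTTP, e.g. apt mirrors
    $UFW allow out 443/tcp       # HTTPS
    $UFW enable
}

# Predict the verdict for an outbound connection under the policy above,
# using ufw's own order of evaluation: first matching explicit rule wins,
# the "default ... outgoing" policy applies only when nothing matched.
outbound_verdict() {            # usage: outbound_verdict 53/udp
    rules=$(UFW="echo ufw" egress_policy)
    default=$(printf '%s\n' "$rules" | awk '/default (deny|allow) outgoing/ {print $3}')
    verdict=$(printf '%s\n' "$rules" | awk -v p="$1" '
        $2 == "allow" && $3 == "out" && $4 == p { print "allow"; exit }
        $2 == "deny"  && $3 == "out" && $4 == p { print "deny";  exit }')
    echo "${verdict:-$default}"
}

echo "Dry run; set UFW='sudo ufw' to apply:"
egress_policy
echo "25/tcp would be: $(outbound_verdict 25/tcp)"
```

After applying for real, check the result with "sudo ufw status verbose" (it prints the default policies next to the rules) and confirm name resolution and apt separately, since a failure in one of them looks identical from a browser. Anything else the Pi needs to initiate (an apt mirror on a non-standard port, IPv6 neighbour discovery, a package signing keyserver) needs its own "allow out" rule, which is the management cost hansen's last reply refers to.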

@hansen

Alrighty then! Thanks again for your help! I guess I'll go with your recommendation of allowing all outgoing after this mini firewall nightmare.
