ufw weirdness on Ubuntu 20.04 droplet--I don't understand why allowing/denying tcp/22 affects all other ports

Newbie here so I apologize in advance for any ignorance.

I’m setting up my first droplet. As I’m configuring my firewall with ufw, I’m getting some weird behavior. I start with default deny incoming and default allow outgoing. Then when 22/tcp is allowed, ssh works on any other open port, including mosh. Whenever 22/tcp is denied, ssh no longer works on any other port (times out when I attempt to connect). Mosh also times out when I attempt to connect if 22/tcp is denied. After denying 22/tcp, if I allow, say, 4000/tcp, I still can’t ssh into any port, and even when ufw status shows that 60000:61000 is allowed, mosh won’t work. If I just allow 22, ssh and mosh still don’t work. Once I allow 22/tcp, everything works again: 4000, 60000:61000, etc.

It’s frustrating me because on the little ssh server I put together at home (also Ubuntu 20.04 using ufw), I like to close 22 and open a different port to work on. I can’t figure out how to do that on this droplet.

Can anyone explain to me what’s going on?

Hi there,

As UFW is basically just a frontend wrapper for iptables, if you have another application like Fail2ban it is possible that the iptables chain could get messed up.

What I could suggest is starting from scratch by resetting all of the UFW rules:

sudo ufw reset

And then just allow the ports that you want to be able to access. By default all other ports will be closed so there would be no need to explicitly deny them.

If UFW is still causing problems, I could suggest removing it completely and trying out CSF, which has a nice configuration file where you could open and close ports.

Here is a quick tutorial on how to start with CSF:

Let me know how it goes! Regards, Bobby
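A way to sanity-check the rule list before and after the reset Bobby suggests, as an added Python example that is not part of the original thread: it parses the output of `sudo ufw status numbered` (a constructed sample is embedded) and, assuming the default incoming policy is deny as the poster set it and that ufw evaluates rules top to bottom with first match winning, reports explicit deny rules that are redundant under that default and allow rules that an earlier deny already shadows.

```python
import re

# Matches one rule line of `sudo ufw status numbered`, e.g.
# "[ 1] 22/tcp                     DENY IN     Anywhere"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
    r"(?P<dir>IN|OUT)\s+(?P<from>.+?)\s*$"
)


def lint_ufw_status(status_text):
    """Return findings for a `ufw status numbered` listing (assumes default deny incoming).

    Flags explicit DENY/REJECT IN rules from Anywhere (redundant under the default
    policy) and ALLOW/LIMIT IN rules whose target an earlier DENY from Anywhere
    already matches (first match wins, so the allow never takes effect).
    """
    findings = []
    denied = set()  # targets already blocked from Anywhere by an earlier rule
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m["dir"] != "IN":
            continue  # header, blank or outbound lines
        num, to, action, src = m["num"], m["to"], m["action"], m["from"]
        if action in ("DENY", "REJECT"):
            if src.startswith("Anywhere"):
                findings.append(f"rule {num}: '{action} IN {to}' is redundant under default deny incoming")
                denied.add(to)
        elif to in denied:
            findings.append(f"rule {num}: '{action} IN {to}' is shadowed by an earlier DENY of {to}")
    return findings


# Constructed sample in the layout ufw prints (not real droplet output).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     Anywhere
[ 2] 4000/tcp                   ALLOW IN    Anywhere
[ 3] 60000:61000/udp            ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                DENY IN     Anywhere (v6)
"""

if __name__ == "__main__":
    import sys
    # On a real host: sudo ufw status numbered | python3 ufw_lint.py
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for finding in lint_ufw_status(text):
        print(finding)
```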