# UFW does not work

## nubiocicarini

I'm trying to configure the ufw firewall, but I can't seem to, because all the network services are working normally without needing rules (CUPS, BitTorrent, Web).

I think I followed the guidelines of the Gentoo Wiki correctly, configured the kernel for IPTABLES, IPSET and UFW v4 and v6, started the services and enabled UFW. The UFW configuration test was OK. Below is some information:

```
# emerge -pv ipset
[ebuild   R    ] net-firewall/ipset-6.38::gentoo  USE="-modules" 0 KiB

# emerge -pv iptables
[ebuild   R    ] net-firewall/iptables-1.6.1-r3:0/12::gentoo  USE="ipv6 (split-usr) -conntrack -netlink -nftables -pcap -static-libs" 607 KiB

# emerge -pv ufw
[ebuild   R    ] net-firewall/ufw-0.36::gentoo  USE="ipv6 -examples" PYTHON_TARGETS="python2_7 python3_6" 0 KiB
```

```
# rc-service ipset status
 * status: started
# rc-service iptables status
 * status: started
# rc-service ip6tables status
 * status: started
# rc-service ufw status
 * status: started
# rc-service sysklogd status
 * status: started
```

```
# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.17, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y

== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass

All tests passed
```

```
# ufw status
Estado: ativo
```

```
# cat /usr/src/linux/.config | grep "NETFILTER"
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
```

Anyone with a suggestion to solve the problem?

----------

## jburns

Example commands to set up the firewall:

```
ufw allow ntp
ufw allow llmnr
ufw allow Bonjour
ufw allow ssh
ufw allow rsync
```

followed by one of

```
ufw reload
ufw enable
```

reload reloads the firewall.

enable reloads the firewall and enables the firewall on boot.

To disable the firewall:

```
ufw disable
```

disable unloads the firewall and disables the firewall on boot.

See the man page for more commands and options.

----------

## nubiocicarini

Hello.

I made these settings, first I left the lock as default.

```
# ufw default deny
```

Then I enabled UFW without adding rules to test it.

```
# ufw enable
```

And yet I have all network operations released without restrictions. I suppose that this configuration would cause UFW to block everything from the network until the creation of a release rule.

----------

## jburns

Did you reboot the computer?

----------

## nubiocicarini

Yes.

----------

## Hu

Please show the output of iptables-save -c when ufw is activated and not blocking connections you expected to be blocked.

----------

## nubiocicarini

I tested with the cups server enabled/running and http navigation. Here is the result:

```
# iptables-save -c
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*nat
:PREROUTING ACCEPT [49:2046]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1683:111717]
:POSTROUTING ACCEPT [1683:111717]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*raw
:PREROUTING ACCEPT [13581:6354259]
:OUTPUT ACCEPT [14814:2170340]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*mangle
:PREROUTING ACCEPT [14189:6540313]
:INPUT ACCEPT [14187:6539677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15509:2239327]
:POSTROUTING ACCEPT [15512:2239540]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*filter
:INPUT DROP [2:72]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[14187:6539677] -A INPUT -j ufw-before-logging-input
[14187:6539677] -A INPUT -j ufw-before-input
[2886:1694616] -A INPUT -j ufw-after-input
[2883:1694403] -A INPUT -j ufw-after-logging-input
[2883:1694403] -A INPUT -j ufw-reject-input
[2883:1694403] -A INPUT -j ufw-track-input
[0:0] -A FORWARD -j ufw-before-logging-forward
[0:0] -A FORWARD -j ufw-before-forward
[0:0] -A FORWARD -j ufw-after-forward
[0:0] -A FORWARD -j ufw-after-logging-forward
[0:0] -A FORWARD -j ufw-reject-forward
[0:0] -A FORWARD -j ufw-track-forward
[15509:2239327] -A OUTPUT -j ufw-before-logging-output
[15509:2239327] -A OUTPUT -j ufw-before-output
[5461:583805] -A OUTPUT -j ufw-after-output
[5461:583805] -A OUTPUT -j ufw-after-logging-output
[5461:583805] -A OUTPUT -j ufw-reject-output
[5461:583805] -A OUTPUT -j ufw-track-output
[0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
[2:142] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[2:72] -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-forward -j ufw-user-forward
[1498:146277] -A ufw-before-input -i lo -j ACCEPT
[156:46341] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[0:0] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[4:214] -A ufw-before-input -j ufw-not-local
[0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
[4:214] -A ufw-before-input -j ufw-user-input
[1498:146277] -A ufw-before-output -o lo -j ACCEPT
[99:12224] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[78:4946] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
[0:0] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
[0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[2:72] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[2:142] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[2:142] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[6:360] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
[72:4586] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
```

----------

## Hu

How did you test the CUPS server?

----------

## nubiocicarini

Through the browser (http://127.0.0.1:631).

----------

## Hu

That would be allowed by your rule, specifically:

```
[14187:6539677] -A INPUT -j ufw-before-input
[1498:146277] -A ufw-before-input -i lo -j ACCEPT
```

Try your test from a separate system, since that is how an attacker would operate.

----------
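To make Hu's point concrete, here is an added example (not from the thread, and not ufw's own code) that parses a trimmed, constructed excerpt of the `iptables-save -c` dump above and walks a packet through the chains in rule order, the way the kernel does. The interface names, the port and the packet fields are assumptions; what it shows is that a new connection to CUPS on `lo` is accepted by the first rule of `ufw-before-input` before `ufw-user-input` is ever consulted, while the same connection arriving on a LAN interface falls through every chain and ends at the INPUT policy DROP.

```python
import shlex
# Constructed excerpt of the thread's `iptables-save -c` filter table, counters dropped.
DUMP = """\
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
"""
PKT_KEYS = {"-i", "-p", "--dport", "--ctstate", "--dst-type"}  # rule options evaluated here
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(dump):
    """Return {chain: (policy, [(options, target), ...])} from iptables-save lines."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith("-A "):
            chain, *toks = shlex.split(line)[1:]
            opts = dict(zip(toks[::2], toks[1::2]))   # every option here is a key/value pair
            opts.pop("-m", None)                      # -m only loads a match module
            chains[chain][1].append((opts, opts.pop("-j", None)))
    return chains

def trace(chains, pkt, chain="INPUT", path=None):
    """Walk the chain in rule order; return (verdict, [(chain, target), ...])."""
    path = [] if path is None else path
    policy, rules = chains[chain]
    for opts, target in rules:
        if not all(pkt.get(k) in v.split(",") for k, v in opts.items() if k in PKT_KEYS):
            continue
        path.append((chain, target))
        if target in TERMINAL or target == "RETURN":
            return (target if target in TERMINAL else None), path
        if target in chains:                      # user chain: resume here if it returns
            verdict, _ = trace(chains, pkt, target, path)
            if verdict:
                return verdict, path
    return (policy if policy != "-" else None), path   # built-in chain policy applies last
# Constructed packets: a new TCP connection to CUPS arriving on loopback, then on the LAN NIC.
LOCAL_CUPS = {"-i": "lo", "-p": "tcp", "--dport": "631", "--ctstate": "NEW", "--dst-type": "LOCAL"}
REMOTE_CUPS = dict(LOCAL_CUPS, **{"-i": "eth0"})
```

The returned path for the loopback packet ends at `("ufw-before-input", "ACCEPT")`, which is the same rule Hu quotes; the LAN packet's path passes through `ufw-not-local` (RETURN) and the empty `ufw-user-input` before the INPUT policy drops it.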

