Question

I'm trying to test what happens to an application when its connection to a particular service is severed. I'm running Ubuntu 13.10 and it sounded like ufw (Uncomplicated FireWall) was the right option for this, but I can't get it working as expected. I'm sure it's something simple I'm doing wrong, but the man page for ufw gives an example for blocking all access to a port which I'm following and it's not working... Below are the steps I've been through.

Fire up the application and run netstat to find out which port it is connecting to the external service on:

$ netstat
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
...
tcp6       0      0 mymachine.blah:39163    remoteservice.blah:2181 ESTABLISHED
...

So now I try to block the local port 39163 from doing any communication:

$ sudo ufw deny 39163
Rule added
Rule added (v6)

I can check, and the rule is there:

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
39163                      DENY        Anywhere
39163                      DENY        Anywhere (v6)

But I can see in my application logs that it is still communicating to the remote service, and it also looks like this is the case from netstat:

$ netstat
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
...
tcp6       0      0 mymachine.blah:39163    remoteservice.blah:2181 ESTABLISHED
...

For good measure I also tried using the same ufw deny command for the remote port 2181 (just in case I was misunderstanding and the port you specify is supposed to be the remote port not the local port), but this made no difference either.

[EDIT] The output from iptables is pretty big. I've culled the chains that I don't think are relevant (all ufw chains that either had no rules, no references, or both). The remainder is below. Note I've never manually done anything with iptables, I've always either used ufw or gufw (GUI frontend to ufw).

You can see my rules at the bottom (Chain ufw-user-input which is referencing port 39163). I suspect the issue may be that Chain ufw-user-input (with my rules) is referenced by Chain ufw-before-input, but this is in turn not referenced. But I don't really know enough about iptables to confirm this is the problem or how to fix it - I had hoped to just use the simpler ufw utility.

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain ufw-before-input (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-user-input (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:39163
DROP       udp  --  anywhere             anywhere             udp dpt:39163

Solution

This isn't the true answer since I know next to nothing about UFW. It seems... complicated. If you want to simply block your service it's quite easy without ufw:

iptables -A OUTPUT -p tcp --sport 39163 -j DROP   # 39163 is the local (source) port of the outbound connection, so match it with --sport

Other tips

In /etc/ufw/before.rules it seems that ufw accepts connections that are already established, see line 24:

# quickly process packets for which we already have a connection

So I guess that was in the way of the (re)configuration. Don't know if ufw reload would ignore this but I guess not since that would be "too" invasive on the connections that have been made.
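The question's `ufw deny 39163` only adds rules to the inbound chain (`ufw-user-input`, matching `dpt:39163`), which an outbound connection to `remoteservice:2181` never hits, and the tip above explains why even a correctly directed rule would not cut an existing connection: the before rules accept RELATED,ESTABLISHED traffic before user rules are consulted. The script below is an added example, not code from the question or either answer. It parses netstat-style output (a constructed sample mirroring the question) to find the local port of the connection to a given remote port, and prints the two commands a defender would use to sever it: an outbound ufw rule on the remote port and a conntrack deletion so the connection loses its ESTABLISHED state. It assumes the conntrack-tools package is installed and that ufw's before rules accept ESTABLISHED traffic in the outbound direction as well as inbound.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Finds the connection to a remote service port in netstat output and prints
# the commands that actually block it in the outbound direction.

# Constructed sample netstat output, modelled on the question.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 mymachine.blah:39163    remoteservice.blah:2181 ESTABLISHED
tcp        0      0 mymachine.blah:22       laptop.blah:51234       ESTABLISHED'

# find_local_port <remote_port>: reads netstat text on stdin and prints the
# local port of each ESTABLISHED TCP connection whose foreign port matches.
# The port is taken as the text after the last ':' so IPv6 literals also work.
find_local_port() {
    awk -v rport="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, f, ":")
            if (f[n] == rport) { m = split($4, l, ":"); print l[m] }
        }'
}

# block_commands <remote_port>: prints the commands to sever the connection.
# 1. An OUTBOUND ufw rule on the remote port (the question's rule was inbound
#    and keyed on the local port, so it never matched this traffic).
# 2. Deleting the conntrack entry, because ufw's before rules accept
#    RELATED,ESTABLISHED packets before user rules are evaluated; once the
#    entry is gone the next packet is NEW and reaches the deny rule.
#    (Assumes conntrack-tools is installed.)
block_commands() {
    rport="$1"
    printf 'sudo ufw deny out proto tcp to any port %s\n' "$rport"
    printf 'sudo conntrack -D -p tcp --orig-port-dst %s\n' "$rport"
}

# Stand-alone usage: show which local port is involved, then the commands.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | find_local_port 2181
    block_commands 2181
fi
```

Run with `sh block_remote.sh --demo` to see the local port (39163 for the sample) followed by the two commands; on a live system feed `netstat -tn` into `find_local_port` instead of the sample. After applying the commands, `sudo iptables -L ufw-user-output -v -n` should show the packet counter on the new DROP rule increasing as the application retries.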

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow