Question
I'm trying to test what happens to an application when its connection to a particular service is severed. I'm running Ubuntu 13.10 and it sounded like ufw (Uncomplicated FireWall) was the right option for this, but I can't get it working as expected. I'm sure it's something simple I'm doing wrong, but the man page for ufw gives an example for blocking all access to a port, which I'm following, and it's not working... Below are the steps I've been through.
Fire up the application and run netstat to find out which port it is connecting to the external service on:
$ netstat
Proto Recv-Q Send-Q Local Address Foreign Address State
...
tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED
...
So now I try to block the local port 39163 from doing any communication:
$ sudo ufw deny 39163
Rule added
Rule added (v6)
I can check, and the rule is there:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
39163 DENY Anywhere
39163 DENY Anywhere (v6)
But I can see in my application logs that it is still communicating to the remote service, and it also looks like this is the case from netstat:
$ netstat
Proto Recv-Q Send-Q Local Address Foreign Address State
...
tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED
...
For good measure I also tried using the same ufw deny command for the remote port 2181 (just in case I was misunderstanding and the port you specify is supposed to be the remote port not the local port), but this made no difference either.
[EDIT] The output from iptables is pretty big. I've culled the chains that I don't think are relevant (all ufw chains that either had no rules, no references, or both). The remainder is below. Note I've never manually done anything with iptables, I've always either used ufw or gufw (GUI frontend to ufw).
You can see my rules at the bottom (Chain ufw-user-input which is referencing port 39163). I suspect the issue may be that Chain ufw-user-input (with my rules) is referenced by Chain ufw-before-input, but this is in turn not referenced. But I don't really know enough about iptables to confirm this is the problem or how to fix it - I had hoped to just use the simpler ufw utility.
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ufw-before-input (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-user-input (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:39163
DROP udp -- anywhere anywhere udp dpt:39163
Solution
This isn't the true answer since I know next to nothing about UFW. It seems.. complicated. If you want to simply block your service it's quite easy without ufw:
iptables -A OUTPUT -p tcp --dport 39163 -j DROP
Other tips
In /etc/ufw/before.rules it seems that ufw accepts connections that are already established, see line 24:
# quickly process packets for which we already have a connection
So I guess that was in the way of the (re)configuration. Don't know if ufw reload would ignore this but I guess not since that would be "too" invasive on the connections that have been made.
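An added example (not from the question or either answer) that ties the two observations together: "ufw deny 39163" only creates INPUT rules matching destination port 39163 (chain ufw-user-input above), while the connection to cut uses 39163 as its local source port and is accepted earlier by the RELATED,ESTABLISHED rule in ufw-before-input. The script parses a netstat line like the one in the question and prints direction-correct rules for both halves of the flow; the sample line, the tool choice and the use of -I instead of -A are my assumptions.

```shell
#!/bin/sh
# Added example, not the question's or the answers' own code.
# Derive iptables rules that match the established connection from a netstat line.

# Print "local_port remote_port" for one netstat line such as
#   tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED
conn_ports() {
    printf '%s\n' "$1" | awk '{
        n = split($4, l, ":"); m = split($5, r, ":")   # port is the last ":"-field
        print l[n], r[m]
    }'
}

# Print rules dropping both directions of the flow for one tool
# ($1 = iptables or ip6tables, $2 = the netstat line). "-I" inserts at the top
# of the chain so the rule is evaluated before ufw's ESTABLISHED accept.
sever_rules() {
    tool="$1"
    set -- $(conn_ports "$2")
    lport="$1"; rport="$2"
    # outbound packets: source port is our local port, destination is the remote port
    printf '%s -I OUTPUT -p tcp --sport %s --dport %s -j DROP\n' "$tool" "$lport" "$rport"
    # inbound packets: the mirror image
    printf '%s -I INPUT -p tcp --sport %s --dport %s -j DROP\n' "$tool" "$rport" "$lport"
}

# Emit rules for the right tool(s). A "tcp6" socket can still carry an IPv4
# connection (IPv4-mapped address on a dual-stack socket, common for Java
# services), which ip6tables does not see, so both tools are covered then.
sever_all() {
    case "$1" in
        tcp6*) sever_rules ip6tables "$1"; sever_rules iptables "$1" ;;
        *)     sever_rules iptables "$1" ;;
    esac
}

# Constructed sample line mirroring the question's netstat output.
SAMPLE='tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED'
sever_all "$SAMPLE"
```

Run the printed commands with sudo, then confirm with "sudo iptables -L OUTPUT -n -v" that the new rule sits above the ufw chains and that its packet counter increases while the application retries.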