For users of earlier versions of ufw, you can work around this by adjusting these lines in /etc/ufw/before.rules:
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
to be:
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
-A ufw-before-input -m state --state INVALID -j DROP
Of course, your kernel must be configured for stateful filtering for this to work.
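One way to apply the edit described above to a copy of the rules file, as an added example that is not part of the original comment or of ufw. It converts only the ufw-before-input conntrack rules the comment names, keeps a .bak copy, and fails if a conntrack rule is left behind; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of ufw. Applies the workaround to a rules file:
# "-m conntrack --ctstate" becomes "-m state --state" on ufw-before-input rules.

# Count ufw-before-input rules in FILE ($1) that use match module MODULE ($2).
count_match() {
    grep -c -e "^-A ufw-before-input -m $2 " "$1" || true
}

# Rewrite FILE in place, leaving the original at FILE.bak.
# Prints the number of rules converted; fails if any conntrack rule remains.
convert_rules() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    todo=$(count_match "$file" conntrack)
    cp -p "$file" "$file.bak" || return 1
    sed 's/^\(-A ufw-before-input\) -m conntrack --ctstate /\1 -m state --state /' \
        "$file.bak" > "$file" || return 1
    [ "$(count_match "$file" conntrack)" -eq 0 ] || return 1
    echo "$todo"
}

# Constructed sample: the three rules from the comment plus two other
# ufw-before-input rules that must come through unchanged.
make_sample() {
    cat > "$1" <<'EOF'
*filter
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# With an argument, convert that file (e.g. a copy of before.rules);
# with none, run on the constructed sample in a temporary directory.
if [ -n "${1:-}" ]; then
    convert_rules "$1"
else
    demo=$(mktemp -d) && make_sample "$demo/before.rules" &&
        echo "converted: $(convert_rules "$demo/before.rules")" &&
        grep -e 'ufw-before-input' "$demo/before.rules"
    rm -rf "$demo"
fi
```

After converting, confirm that the INVALID LOG and DROP rules are still present before reloading the firewall, so that the edit does not leave invalid packets accepted.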