ufw logs allowed rules as blocked
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Invalid | Undecided | Unassigned |
Bug Description
I have a ufw rule which does work (blocks everything except to myself on port 3306 from 192.168.0.0/24 hosts)
ufw default deny incoming
ufw default deny outgoing
ufw allow from 192.168.0.0/24 to $PRIVIP port 3306
but sometimes (quite a lot) I see lines in my ufw.log which did block my connections:
Sep 6 16:10:31 hostname kernel: [110893.165409] [UFW BLOCK] IN=eth1 OUT= MAC=-:-:-:... SRC=192.168.1.2 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40750 DPT=3306 WINDOW=0 RES=0x00 RST URGP=0
IMHO it's something like: the connection is working, but maybe when a connection is finished ufw blocks the "old" connection?
Is there an option to not show these wrong log entries? Otherwise there are too many wrong log entries, which makes it hard to separate them.
ufw 0.34~rc-0ubuntu2
Copyright 2008-2012 Canonical Ltd.
ubuntu 14.04
This could be part of connection tracking, as you said, where these packets aren't part of an existing connection, perhaps due to timeouts or low memory. There are tunables related to connection tracking you might be interested in if the latter (see https://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.7).
Alternatively, it could be the application is mistakenly sending the RST such that it ends up as INVALID. As such, you might want to add to /etc/ufw/before.rules (before the COMMIT line of the *filter table):
-A ufw-before-input -m state --state INVALID -i eth1 -p tcp -d 192.168.1.1 --dport 3306 --tcp-flags RST RST -j DROP
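The following shell script is an added example and is not part of the bug report, the reply above, or ufw itself. It covers both points in the thread: separating the stale-RST entries from genuine blocks in ufw.log (what the reporter asked for), and placing the suggested INVALID/RST DROP rule before the COMMIT line of the *filter table in before.rules, idempotently, so the packets are discarded before the logging chain sees them. The interface, host address and port are taken from the reporter's setup; the log lines and the before.rules skeleton are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: triage of [UFW BLOCK] lines and a safe before.rules edit.
# Assumptions (from the report): allowed traffic is TCP to 192.168.1.1:3306 on eth1.
IFACE="eth1"
ALLOWED_IP="192.168.1.1"
ALLOWED_PORT="3306"

# Constructed sample ufw.log: first line is the bare RST from a finished MySQL
# session the reporter sees; second line is a real block (SYN to port 22).
SAMPLE_LOG='Sep 6 16:10:31 hostname kernel: [110893.165409] [UFW BLOCK] IN=eth1 OUT= MAC=-:-:-:... SRC=192.168.1.2 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40750 DPT=3306 WINDOW=0 RES=0x00 RST URGP=0
Sep 6 16:11:02 hostname kernel: [110924.001122] [UFW BLOCK] IN=eth1 OUT= MAC=-:-:-:... SRC=192.168.1.9 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reads ufw.log lines on stdin. A TCP packet carrying only RST (no SYN) aimed at
# the allowed port has no connection to match once the session is gone, so
# conntrack marks it INVALID and the default policy logs it. Tag those
# "stale-rst"; everything else is a real "block".
classify_ufw_log() {
    awk -v port="$ALLOWED_PORT" '
        /\[UFW BLOCK\]/ {
            proto = ""; dpt = ""; rst = 0; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                if ($i == "RST")    rst = 1
                if ($i == "SYN")    syn = 1
            }
            if (proto == "TCP" && dpt == port && rst && !syn)
                print "stale-rst " $0
            else
                print "block " $0
        }'
}

# Counters over the constructed sample, so the triage result can be checked.
count_stale_rst()   { printf '%s\n' "$SAMPLE_LOG" | classify_ufw_log | awk '/^stale-rst /{n++} END{print n+0}'; }
count_real_blocks() { printf '%s\n' "$SAMPLE_LOG" | classify_ufw_log | awk '/^block /{n++} END{print n+0}'; }

# The rule from the reply: drop bare RSTs in INVALID state before ufw's logging
# chain runs, so they never reach ufw.log.
INVALID_RST_RULE="-A ufw-before-input -m state --state INVALID -i $IFACE -p tcp -d $ALLOWED_IP --dport $ALLOWED_PORT --tcp-flags RST RST -j DROP"

# Writes a constructed, minimal before.rules skeleton to $1. The real file
# shipped with ufw is longer; only the *filter ... COMMIT layout matters here.
make_sample_before_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}

# Inserts INVALID_RST_RULE immediately before the COMMIT that closes the
# *filter table of the file in $1. Does nothing if the rule is already there,
# so re-running the script is safe.
add_invalid_rst_drop() {
    file="$1"
    if grep -qF -- "$INVALID_RST_RULE" "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v rule="$INVALID_RST_RULE" '
        /^\*filter/ { infilter = 1 }
        infilter && /^COMMIT/ && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Succeeds only if the rule appears exactly once and is the line right before COMMIT.
rule_sits_before_commit() {
    awk -v rule="$INVALID_RST_RULE" '
        $0 == rule { r = NR; hits++ }
        /^COMMIT/  { c = NR }
        END { exit !(hits == 1 && c == r + 1) }
    ' "$1"
}

# Demo on the constructed samples (writes only to a temporary file).
printf '%s\n' "$SAMPLE_LOG" | classify_ufw_log
demo_file=$(mktemp)
make_sample_before_rules "$demo_file"
add_invalid_rst_drop "$demo_file"
rule_sits_before_commit "$demo_file" && echo "rule inserted before COMMIT in $demo_file"
rm -f "$demo_file"
```

On a live host, point `add_invalid_rst_drop` at /etc/ufw/before.rules and reload ufw afterwards; the classifier is meant for reading existing logs (`classify_ufw_log < /var/log/ufw.log`) to see how much of the noise is stale RSTs before and after the rule is in place.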