List: ubuntu-users
Subject: Re: Should ufw block access to localhost?
From: Colin Law <clanlaw () gmail ! com>
Date: 2019-03-15 14:10:58
Message-ID: CAL=0gLs=kscuJVTAWqKUwnFWZqtHX9rytj6VmMP7_5rtyYgz3w () mail ! gmail ! com
For anyone finding this, having looked at it further it seems the
fundamental problem is that the VPS supplier (time4vps) uses OpenVZ on
their cheap servers (and they are cheap) and that there are some
problems with ufw due to the old kernel used and some missing kernel
modules. It seems that I have to get to grips with iptables and do it
myself.
Colin
On Thu, 14 Mar 2019 at 17:13, Colin Law <clanlaw@gmail.com> wrote:
>
> On Thu, 14 Mar 2019 at 16:03, Colin Law <clanlaw@gmail.com> wrote:
> >
> > Sorry, I have just realised that I misinterpreted what was going on.
> > The port is not, in fact, blocked to localhost but when I try to
> > connect to mosquitto from localhost then it takes about 60 seconds to
> > connect if ufw is enabled. If ufw is disabled then it connects
> > immediately. Using tcpdump I can see that during that minute there
> > are a dozen or so messages backwards and forwards before it connects.
> > But I am none the wiser as to what is going on.
> >
> > If instead of trying to connect on localhost I tell it to connect
> > using its own IP address then it works perfectly.
>
> I presume that some of the messages must be getting blocked by
> IPtables, but the process recovers somehow after a timeout. Here are
> the results of the commands suggested.
>
> --------------------
> sudo iptables --line-numbers -nvxL
> Chain INPUT (policy DROP 2 packets, 80 bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 45002 4130182 f2b-sshd tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 multiport dports 22
> 2 965409 104683856 ufw-before-logging-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 3 965409 104683856 ufw-before-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 4 409855 26588193 ufw-after-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 5 408089 26500007 ufw-after-logging-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 6 408089 26500007 ufw-reject-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 7 408089 26500007 ufw-track-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ufw-before-logging-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 2 0 0 ufw-before-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 3 0 0 ufw-after-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 4 0 0 ufw-after-logging-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 5 0 0 ufw-reject-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 6 0 0 ufw-track-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 670688 283408496 ufw-before-logging-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 2 670688 283408496 ufw-before-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 3 45647 25682386 ufw-after-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 4 45647 25682386 ufw-after-logging-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 5 45647 25682386 ufw-reject-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 6 45647 25682386 ufw-track-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain f2b-sshd (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 REJECT all -- * *
> 194.190.78.195 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 2 0 0 REJECT all -- * *
> 51.75.120.244 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 3 0 0 REJECT all -- * *
> 128.199.50.209 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 4 0 0 REJECT all -- * *
> 58.68.255.251 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 5 0 0 REJECT all -- * *
> 211.24.250.143 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 6 0 0 REJECT all -- * *
> 111.230.38.241 0.0.0.0/0 reject-with
> icmp-port-unreachable
> 7 38517 3625254 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-after-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-after-input (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ufw-skip-to-policy-input udp -- * *
> 0.0.0.0/0 0.0.0.0/0 udp dpt:137
> 2 0 0 ufw-skip-to-policy-input udp -- * *
> 0.0.0.0/0 0.0.0.0/0 udp dpt:138
> 3 2 120 ufw-skip-to-policy-input tcp -- * *
> 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
> 4 61 3020 ufw-skip-to-policy-input tcp -- * *
> 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
> 5 0 0 ufw-skip-to-policy-input udp -- * *
> 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> 6 0 0 ufw-skip-to-policy-input udp -- * *
> 0.0.0.0/0 0.0.0.0/0 udp dpt:68
> 7 0 0 ufw-skip-to-policy-input all -- * *
> 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type
> BROADCAST
>
> Chain ufw-after-logging-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw-after-logging-input (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 197 15795 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw-after-logging-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-after-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-before-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 3
> 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 4
> 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 11
> 5 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 12
> 6 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 8
> 7 0 0 ufw-user-forward all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain ufw-before-input (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 2099 675322 ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
> 2 23578 3365159 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 3 78 3595 ufw-logging-deny all -- * *
> 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
> 4 78 3595 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate INVALID
> 5 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 3
> 6 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 4
> 7 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 11
> 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 12
> 9 45 3574 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 8
> 10 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp spt:67 dpt:68
> 11 123038 7385982 ufw-not-local all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 12 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 224.0.0.251 udp dpt:5353
> 13 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 239.255.255.250 udp dpt:1900
> 14 123038 7385982 ufw-user-input all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain ufw-before-logging-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-before-logging-input (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-before-logging-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-before-output (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 2099 675322 ACCEPT all -- * lo 0.0.0.0/0
> 0.0.0.0/0
> 2 27574 8720485 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 3 191 13551 ufw-user-output all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Chain ufw-logging-allow (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW ALLOW] "
>
> Chain ufw-logging-deny (2 references)
> num pkts bytes target prot opt in out source
> destination
> 1 73 3395 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
> 2 5 200 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw-not-local (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 123038 7385982 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
> 2 0 0 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
> 3 0 0 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
> 4 0 0 ufw-logging-deny all -- * *
> 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
> 5 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-reject-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-reject-input (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-reject-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-skip-to-policy-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-skip-to-policy-input (7 references)
> num pkts bytes target prot opt in out source
> destination
> 1 63 3140 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-skip-to-policy-output (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-track-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-track-input (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-track-output (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 24 2256 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate NEW
> 2 145 9703 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate NEW
>
> Chain ufw-user-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-user-input (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 82 4900 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:22
> 2 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:22
> 3 10 500 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80
> 4 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:80
> 5 2279 137247 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:443
> 6 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:443
> 7 3 180 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:8883
> 8 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:8883
>
> Chain ufw-user-limit (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0
> level 4 prefix "[UFW LIMIT BLOCK] "
> 2 0 0 REJECT all -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Chain ufw-user-limit-accept (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ufw-user-logging-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-user-logging-input (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-user-logging-output (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw-user-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> -------------
> and
> sudo ip6tables --line-numbers -nvxL
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-after-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-after-input (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ufw6-skip-to-policy-input udp * *
> ::/0 ::/0 udp dpt:137
> 2 0 0 ufw6-skip-to-policy-input udp * *
> ::/0 ::/0 udp dpt:138
> 3 0 0 ufw6-skip-to-policy-input tcp * *
> ::/0 ::/0 tcp dpt:139
> 4 0 0 ufw6-skip-to-policy-input tcp * *
> ::/0 ::/0 tcp dpt:445
> 5 0 0 ufw6-skip-to-policy-input udp * *
> ::/0 ::/0 udp dpt:546
> 6 0 0 ufw6-skip-to-policy-input udp * *
> ::/0 ::/0 udp dpt:547
>
> Chain ufw6-after-logging-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all * * ::/0
> ::/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw6-after-logging-input (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all * * ::/0
> ::/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw6-after-logging-output (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-after-output (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-before-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 DROP all * * ::/0
> ::/0 rt type:0
> 2 0 0 ACCEPT all * * ::/0
> ::/0 ctstate RELATED,ESTABLISHED
> 3 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 1
> 4 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 2
> 5 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 3
> 6 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 4
> 7 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 128
> 8 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 129
> 9 0 0 ufw6-user-forward all * * ::/0
> ::/0
>
> Chain ufw6-before-input (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all lo * ::/0
> ::/0
> 2 0 0 DROP all * * ::/0
> ::/0 rt type:0
> 3 0 0 ACCEPT all * * ::/0
> ::/0 ctstate RELATED,ESTABLISHED
> 4 0 0 ufw6-logging-deny all * * ::/0
> ::/0 ctstate INVALID
> 5 0 0 DROP all * * ::/0
> ::/0 ctstate INVALID
> 6 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 1
> 7 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 2
> 8 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 3
> 9 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 4
> 10 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 128
> 11 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 129
> 12 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 133 HL match HL == 255
> 13 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 134 HL match HL == 255
> 14 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 135 HL match HL == 255
> 15 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 136 HL match HL == 255
> 16 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 141 HL match HL == 255
> 17 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 142 HL match HL == 255
> 18 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 130
> 19 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 131
> 20 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 132
> 21 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 143
> 22 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 148 HL match HL == 255
> 23 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 149 HL match HL == 255
> 24 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 151 HL match HL == 1
> 25 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 152 HL match HL == 1
> 26 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 153 HL match HL == 1
> 27 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 128
> 28 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 129
> 29 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 144
> 30 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 145
> 31 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 146
> 32 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 147
> 33 0 0 ACCEPT udp * * fe80::/10
> fe80::/10 udp spt:547 dpt:546
> 34 0 0 ACCEPT udp * * ::/0
> ff02::fb udp dpt:5353
> 35 0 0 ACCEPT udp * * ::/0
> ff02::f udp dpt:1900
> 36 0 0 ufw6-user-input all * * ::/0
> ::/0
>
> Chain ufw6-before-logging-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-before-logging-input (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-before-logging-output (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-before-output (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all * lo ::/0
> ::/0
> 2 0 0 DROP all * * ::/0
> ::/0 rt type:0
> 3 0 0 ACCEPT all * * ::/0
> ::/0 ctstate RELATED,ESTABLISHED
> 4 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 1
> 5 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 2
> 6 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 3
> 7 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 4
> 8 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 133 HL match HL == 255
> 9 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 136 HL match HL == 255
> 10 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 135 HL match HL == 255
> 11 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 134 HL match HL == 255
> 12 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 141 HL match HL == 255
> 13 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 142 HL match HL == 255
> 14 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 130
> 15 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 131
> 16 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 132
> 17 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 143
> 18 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 148 HL match HL == 255
> 19 0 0 ACCEPT icmpv6 * * ::/0
> ::/0 ipv6-icmptype 149 HL match HL == 255
> 20 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 151 HL match HL == 1
> 21 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 152 HL match HL == 1
> 22 0 0 ACCEPT icmpv6 * * fe80::/10
> ::/0 ipv6-icmptype 153 HL match HL == 1
> 23 0 0 ufw6-user-output all * * ::/0
> ::/0
>
> Chain ufw6-logging-allow (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all * * ::/0
> ::/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW ALLOW] "
>
> Chain ufw6-logging-deny (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 RETURN all * * ::/0
> ::/0 ctstate INVALID limit: avg 3/min burst 10
> 2 0 0 LOG all * * ::/0
> ::/0 limit: avg 3/min burst 10 LOG flags 0
> level 4 prefix "[UFW BLOCK] "
>
> Chain ufw6-skip-to-policy-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 DROP all * * ::/0
> ::/0
>
> Chain ufw6-skip-to-policy-input (6 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 DROP all * * ::/0
> ::/0
>
> Chain ufw6-skip-to-policy-output (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all * * ::/0
> ::/0
>
> Chain ufw6-user-forward (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-user-input (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT tcp * * ::/0
> ::/0 tcp dpt:22
> 2 0 0 ACCEPT udp * * ::/0
> ::/0 udp dpt:22
> 3 0 0 ACCEPT tcp * * ::/0
> ::/0 tcp dpt:80
> 4 0 0 ACCEPT udp * * ::/0
> ::/0 udp dpt:80
> 5 0 0 ACCEPT tcp * * ::/0
> ::/0 tcp dpt:443
> 6 0 0 ACCEPT udp * * ::/0
> ::/0 udp dpt:443
> 7 0 0 ACCEPT tcp * * ::/0
> ::/0 tcp dpt:8883
> 8 0 0 ACCEPT udp * * ::/0
> ::/0 udp dpt:8883
>
> Chain ufw6-user-limit (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 LOG all * * ::/0
> ::/0 limit: avg 3/min burst 5 LOG flags 0
> level 4 prefix "[UFW LIMIT BLOCK] "
> 2 0 0 REJECT all * * ::/0
> ::/0 reject-with icmp6-port-unreachable
>
> Chain ufw6-user-limit-accept (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 ACCEPT all * * ::/0
> ::/0
>
> Chain ufw6-user-logging-forward (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-user-logging-input (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-user-logging-output (0 references)
> num pkts bytes target prot opt in out source
> destination
>
> Chain ufw6-user-output (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> -----------------------------------
>
>
> >
> > Colin
> >
> > On Thu, 14 Mar 2019 at 09:49, <J.Witvliet@mindef.nl> wrote:
> > >
> > > Try: iptables --line-numbers -nvxL
> > > And ip6tables --line-numbers -nvxL
> > >
> > > People tend to forget the second one :-)
> > >
> > >
> > > Kind regards,
> > > Hans Witvliet, J, Ing., DMO/OPS/I&S/APH, Kennis Team Opensource
> > > Coldenhovelaan 1 Maasland 3531RC Coldehovelaan 1, kamer B213
> > >
> > > -----Original Message-----
> > > From: ubuntu-users [mailto:ubuntu-users-bounces@lists.ubuntu.com] On Behalf Of Colin Law
> > > Sent: Thursday 14 March 2019 10:10
> > > To: Ubuntu user technical support, not for general discussions
> > > Subject: Re: Should ufw block access to localhost?
> > >
> > > On Thu, 14 Mar 2019 at 08:36, Tony Arnold <tony.arnold@manchester.ac.uk> wrote:
> > > >
> > > > Hi Colin,
> > > >
> > > > I guess a detailed examination of the IPtables that UFW has set up might yield some clues. But you've no doubt done that already!
> > >
> > > No, because my knowledge of IPtables is only skin deep. I think the
> > > principal reason for using ufw is to isolate one from the much more
> > > complex details of IPtables.
> > >
> > > What I was hoping for was at least confirmation that what I am seeing
> > > is, or is not, expected, and if it is expected what I should do to allow
> > > access from localhost. Google has not provided any leads that have
> > > helped me. I found links explaining how to *block* access from
> > > localhost but not the reverse, which suggests to me that access should
> > > not be blocked by default.
> > >
> > > I can provide the IPtables list if anyone is willing, and has the
> > > time, to look at it, for which I would be most grateful. If so which
> > > command should I use? iptables -L?
> > >
> > > Colin
> > >
> > > This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
> > > --
> > > ubuntu-users mailing list
> > > ubuntu-users@lists.ubuntu.com
> > > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
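As an added example (not code from the thread, from ufw or from the VPS supplier), here is a small Python triage script for the kind of `iptables --line-numbers -nvxL` listing quoted above: it parses the IPv4 listing, picks out the rules scoped to `lo`, and ranks DROP/REJECT rules and DROP policies by their packet counters, which is the quickest way to see which rule is eating packets when a localhost connection stalls. The sample listing embedded in it is constructed from a few of the chains above, unwrapped to one rule per line; the ip6tables format without the `opt` column is not handled.

```python
"""Triage helper for `iptables --line-numbers -nvxL` listings (added example,
not code from the thread or from ufw). Assumes the IPv4 format with the `opt`
column and one rule per line, as iptables prints it before mail wrapping."""
import re
from collections import namedtuple

Rule = namedtuple(
    "Rule", "chain num pkts bytes target prot opt in_if out_if src dst extra")
# "Chain INPUT (policy DROP 2 packets, 80 bytes)" or "Chain f2b-sshd (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)")
# num pkts bytes target prot opt in out source destination [match details]
RULE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_iptables(text):
    """Return (policies, rules): policies maps a built-in chain to
    (policy, packets hit by the policy); rules lists every Rule in order."""
    policies, rules, chain = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            if m.group(2):  # built-in chain: policy plus its own counters
                policies[chain] = (m.group(2), int(m.group(3)))
            continue
        m = RULE_RE.match(line)
        if m and chain:  # header and blank lines do not match
            g = m.groups()
            rules.append(Rule(chain, int(g[0]), int(g[1]), int(g[2]), *g[3:]))
    return policies, rules

def loopback_rules(rules):
    """Rules scoped to lo in either direction: if a localhost connection
    stalls, these are the rules that should be catching its packets."""
    return [r for r in rules if r.in_if == "lo" or r.out_if == "lo"]

def active_blocks(rules, policies):
    """DROP/REJECT rules and DROP policies with non-zero packet counters,
    largest first: where blocked packets are actually going."""
    hits = [(r.chain, r.num, r.target, r.pkts)
            for r in rules if r.target in ("DROP", "REJECT") and r.pkts > 0]
    hits += [(chain, 0, "policy " + pol, pkts)
             for chain, (pol, pkts) in policies.items() if pol == "DROP" and pkts > 0]
    return sorted(hits, key=lambda h: -h[3])

# Constructed sample: a few chains from the listing in the thread, unwrapped.
SAMPLE = """\
Chain INPUT (policy DROP 2 packets, 80 bytes)
num pkts bytes target prot opt in out source destination
1 45002 4130182 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2 965409 104683856 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 2099 675322 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 78 3595 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 78 3595 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

Chain ufw-skip-to-policy-input (7 references)
num pkts bytes target prot opt in out source destination
1 63 3140 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

if __name__ == "__main__":
    pol, rules = parse_iptables(SAMPLE)
    print("loopback rules:", [(r.chain, r.num, r.pkts) for r in loopback_rules(rules)])
    print("active blocks:", active_blocks(rules, pol))
```

On a live box, feed it the real listing with `sudo iptables --line-numbers -nvxL | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; comparing the counters before and after a stalled connection attempt shows which rule moved.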