ufw blocking 443, port 443 open in ispconfig

Discussion in 'Installation/Configuration' started by francoisPE, Nov 30, 2022.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    I use ispconfig to set up my ufw.
    I have issues with users blocked on port 443 (and 5349 for the turnserver, which is also open).
    Here is a ufw.log extract (IPs and MAC hidden):
    Code:
    /var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.510872] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=688801 PROTO=TCP SPT=56178 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.553295] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=384775 PROTO=TCP SPT=56190 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.586225] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=476811 PROTO=TCP SPT=56196 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.573924] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=194661 PROTO=TCP SPT=34174 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.669950] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=221606 PROTO=TCP SPT=34188 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.669960] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=221606 PROTO=TCP SPT=34188 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    /var/log/syslog.1:Nov 29 12:22:46 ns2 kernel: [227606.281791] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:3d1e DST=2a000:0001 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=456008 PROTO=TCP SPT=60680 DPT=5349 WINDOW=0 RES=0x00 RST URGP=0
    
    I tried looking at the ufw conf files like users6.rules:
    Code:
    ### tuple ### allow tcp 443 ::/0 any ::/0 in
    -A ufw6-user-input -p tcp --dport 443 -j ACCEPT
    (...)
    ### tuple ### allow tcp 5349 ::/0 any ::/0 in
    -A ufw6-user-input -p tcp --dport 5349 -j ACCEPT
    
    I don't understand that behavior.
    It is very penalizing...
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Are those being blocked by fail2ban perhaps?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I recommend using the ufw command instead of looking into its config files, and ufw can contain other rules than the ones set by ISPConfig when it was installed, or rules that you or other software you use added later.
     
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I looked at fail2ban: nothing in the log at Nov 29 12:22!
    And
    Code:
    ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    80/tcp                 ALLOW IN    Anywhere
    443/tcp               ALLOW IN    Anywhere
    5349/tcp             ALLOW IN    Anywhere
    5349/udp            ALLOW IN    Anywhere
    
    80/tcp (v6)                ALLOW IN    Anywhere (v6)
    443/tcp (v6)              ALLOW IN    Anywhere (v6)
    5349/tcp (v6)            ALLOW IN    Anywhere (v6)
    5349/udp (v6)           ALLOW IN    Anywhere (v6)
    
    Could it come from elsewhere?
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    iptables -L
    gives
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
    f2b-recidive  tcp  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:57292
    ufw-before-logging-input  all  --  anywhere             anywhere
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    ufw-after-logging-input  all  --  anywhere             anywhere
    ufw-reject-input  all  --  anywhere             anywhere
    ufw-track-input  all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere             reject-with icmp-admin-prohibited
    DROP       all  --  10.x.x.0/24        anywhere
    ufw-before-logging-forward  all  --  anywhere             anywhere
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    ufw-after-logging-forward  all  --  anywhere             anywhere
    ufw-reject-forward  all  --  anywhere             anywhere
    ufw-track-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  anywhere             anywhere
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    ufw-after-logging-output  all  --  anywhere             anywhere
    ufw-reject-output  all  --  anywhere             anywhere
    ufw-track-output  all  --  anywhere             anywhere
    
    Chain f2b-recidive (1 references)
    target     prot opt source               destination
    REJECT     all  --  181.179.192.35.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  ns3928712.ip-54-36-126.eu  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.53        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.52        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.51        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.50        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.5         anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.49        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.48        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.47        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.46        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.39        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.37        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.36        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.173.35        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.172.124       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.172.114       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  61.177.172.108       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  218.92.0.221         anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    REJECT     all  --  45-141-84-10.sshvps.ru  anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ufw-user-forward  all  --  anywhere             anywhere
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
    ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
    ufw-user-input  all  --  anywhere             anywhere
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sieve
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:munin
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5349
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:5349
    
    Chain ufw-user-limit (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    
    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    
     
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Any idea?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Your server does not block the port with UFW as far as I can see according to the rules you posted. If the port is blocked, it must be blocked outside your server. But you can test it: stop the ufw firewall to see if it works then. Also, ISPConfig is not blocking any outgoing traffic using firewall features; if outgoing traffic is blocked, it must have been done by you manually or by different software that you use.
     
  8. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I am completely lost:
    Look at this log from the machine at IP 2a02:xxx:xxx:xxx::1

    Code:
    apache2/other_vhosts_access.log:my.dom.fr:443 2a02:xxx:xxx:xxx::1 - - [06/Dec/2022:10:02:25 +0100] "POST /api/v1/room/iflmzrc HTTP/1.1" 200 6340 "-" "Nextcloud Server Crawler"
    apache2/other_vhosts_access.log:my.dom.fr:443 2a02:xxx:xxx:xxx::1 - - [06/Dec/2022:10:02:26 +0100] "POST /api/v1/room/iflmzrc HTTP/1.1" 200 6340 "-" "Nextcloud Server Crawler"
    
    and
    Code:
    syslog:Dec  6 10:02:26 ns2 kernel: [823983.192200] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=464184 PROTO=TCP SPT=52570 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    syslog:Dec  6 10:02:26 ns2 kernel: [823983.262188] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=947832 PROTO=TCP SPT=52584 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    syslog:Dec  6 10:02:26 ns2 kernel: [823983.262199] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=947832 PROTO=TCP SPT=52584 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
    
    How do you understand that? For me it is the opposite:
    - first is HTTP 200
    - second is UFW BLOCK
    :(
     
    Last edited: Dec 6, 2022
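Added note and example, not part of the thread: every `[UFW BLOCK]` line posted here is a bare RST (WINDOW=0, no SYN), and the `iptables -L` output in post 5 shows `ufw-before-input` sending `ctstate INVALID` packets to `ufw-logging-deny` and then `DROP` before `ufw-user-input` (where the 443/5349 ACCEPT rules sit) is reached, which is how a stray RST for a connection conntrack has already closed gets logged as blocked on an allowed port right after Apache returned 200. The script below (example code, not from the thread or from ufw/ISPConfig) parses such lines and separates these late RSTs from SYNs blocked on an allowed port, which is the case actually worth investigating; the sample log lines, addresses and MAC are constructed, and the allowed-port set is assumed from the `ufw status` output above.

```python
import re
from collections import Counter

# Assumed from the `ufw status verbose` output in post 4 (TCP only).
ALLOWED_TCP = {80, 443, 5349}

# Flag tokens netfilter's LOG target emits without a "=" value.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Constructed sample lines modelled on the thread's syslog extracts; addresses and MAC are fake.
SAMPLE_LOG = """\
Dec  6 10:02:26 ns2 kernel: [823983.192200] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=2001:db8:1::1 DST=2001:db8:2::1 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=464184 PROTO=TCP SPT=52570 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Dec  6 10:02:26 ns2 kernel: [823983.262188] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=2001:db8:1::1 DST=2001:db8:2::1 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=947832 PROTO=TCP SPT=52584 DPT=5349 WINDOW=0 RES=0x00 RST URGP=0
Dec  6 10:03:01 ns2 kernel: [824018.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=2001:db8:3::9 DST=2001:db8:2::1 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=1 PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  6 10:03:05 ns2 kernel: [824022.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=2001:db8:3::9 DST=2001:db8:2::1 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=1 PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
"""

UFW_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<rest>.*)$")


def parse_ufw_block(line):
    """Return {field: value, 'flags': set()} for one [UFW BLOCK] line, or None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:            # KEY=VALUE (OUT= has an empty value)
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:    # bare flag tokens such as SYN / RST
            flags.add(tok)
    fields["flags"] = flags
    return fields


def classify(rec, allowed_tcp=ALLOWED_TCP):
    """Explain why ufw logged a TCP packet, using the chain order shown by `iptables -L`."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    dport, flags = int(rec["DPT"]), rec["flags"]
    if dport in allowed_tcp:
        if "RST" in flags and "SYN" not in flags:
            # RST with no tracked connection -> ctstate INVALID; ufw-before-input logs and
            # drops it before ufw-user-input (the ALLOW rule) is ever consulted. Benign.
            return "late-rst-invalid"
        if "SYN" in flags:
            # A SYN to an allowed port should be accepted in ufw-user-input; a block here
            # means an earlier rule (e.g. a fail2ban chain) matched first. Investigate.
            return "allowed-port-syn-blocked"
        return "allowed-port-other"
    return "policy-deny"          # default deny for a port ufw does not allow


def summarize(log_text):
    """Count [UFW BLOCK] lines by classification."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec:
            counts[classify(rec)] += 1
    return dict(counts)
```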
  9. francoisPE

    francoisPE Active Member HowtoForge Supporter
