Hello, I use ISPConfig to set up my ufw. I have issues with users blocked on port 443 (and 5349, turnserver, which is also open). Here is a ufw.log extract (IPs and MAC hidden):
Code:
/var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.510872] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=688801 PROTO=TCP SPT=56178 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.553295] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=384775 PROTO=TCP SPT=56190 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:15 ns2 kernel: [227575.586225] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=476811 PROTO=TCP SPT=56196 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.573924] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=194661 PROTO=TCP SPT=34174 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.669950] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=221606 PROTO=TCP SPT=34188 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:43 ns2 kernel: [227603.669960] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:0001 DST=2a000:0001 LEN=60 TC=40 HOPLIMIT=59 FLOWLBL=221606 PROTO=TCP SPT=34188 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
/var/log/syslog.1:Nov 29 12:22:46 ns2 kernel: [227606.281791] [UFW BLOCK] IN=eth0 OUT= MAC=00:6:dd SRC=2a0:3d1e DST=2a000:0001 LEN=60 TC=0 HOPLIMIT=53 FLOWLBL=456008 PROTO=TCP SPT=60680 DPT=5349 WINDOW=0 RES=0x00 RST URGP=0
I tried to look at ufw conf files like users6.rules:
Code:
### tuple ### allow tcp 443 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
(...)
### tuple ### allow tcp 5349 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 5349 -j ACCEPT
I don't understand that behavior. It is very penalizing...
I recommend using ufw command instead of looking into its config files, and ufw can contain other rules than the ones set in ISPConfig when it was installed or when you or other software you use added additional rules.
I looked at fail2ban: nothing in the log at Nov 29 12:22! And
Code:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
5349/tcp                   ALLOW IN    Anywhere
5349/udp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
5349/tcp (v6)              ALLOW IN    Anywhere (v6)
5349/udp (v6)              ALLOW IN    Anywhere (v6)
Could it come from elsewhere?
iptables -L gives
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
f2b-recidive  tcp  --  anywhere          anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:57292
ufw-before-logging-input  all  --  anywhere  anywhere
ufw-before-input  all  --  anywhere     anywhere
ufw-after-input  all  --  anywhere      anywhere
ufw-after-logging-input  all  --  anywhere  anywhere
ufw-reject-input  all  --  anywhere     anywhere
ufw-track-input  all  --  anywhere      anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-admin-prohibited
DROP       all  --  10.x.x.0/24          anywhere
ufw-before-logging-forward  all  --  anywhere  anywhere
ufw-before-forward  all  --  anywhere   anywhere
ufw-after-forward  all  --  anywhere    anywhere
ufw-after-logging-forward  all  --  anywhere  anywhere
ufw-reject-forward  all  --  anywhere   anywhere
ufw-track-forward  all  --  anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere  anywhere
ufw-before-output  all  --  anywhere    anywhere
ufw-after-output  all  --  anywhere     anywhere
ufw-after-logging-output  all  --  anywhere  anywhere
ufw-reject-output  all  --  anywhere    anywhere
ufw-track-output  all  --  anywhere     anywhere

Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  181.179.192.35.bc.googleusercontent.com  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  ns3928712.ip-54-36-126.eu  anywhere       reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.53        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.52        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.51        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.50        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.5         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.49        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.48        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.47        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.46        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.39        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.37        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.36        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.173.35        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.172.124       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.172.114       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  61.177.172.108       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.0.221         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  45-141-84-10.sshvps.ru  anywhere          reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere  anywhere        udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere  anywhere        udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere  anywhere        tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere  anywhere        tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere  anywhere        udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere  anywhere        udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere  anywhere        ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere     anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere     anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere        anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere       anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere      anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere     anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sieve
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:munin
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5349
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5349

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
Your server does not block the port with UFW as far as I can see according to the rules you posted. If the port is blocked, it must be blocked outside your server. But you can test it, stop ufw firewall to see if it works then. Also, ISPConfig is not blocking any outgoing traffic using firewall features, if outgoing traffic is blocked, it must be done by you manually or a different software that you use.
I am completely lost. Look at that log from the machine on IP 2a02:xxx:xxx:xxx::1:
Code:
apache2/other_vhosts_access.log:my.dom.fr:443 2a02:xxx:xxx:xxx::1 - - [06/Dec/2022:10:02:25 +0100] "POST /api/v1/room/iflmzrc HTTP/1.1" 200 6340 "-" "Nextcloud Server Crawler"
apache2/other_vhosts_access.log:my.dom.fr:443 2a02:xxx:xxx:xxx::1 - - [06/Dec/2022:10:02:26 +0100] "POST /api/v1/room/iflmzrc HTTP/1.1" 200 6340 "-" "Nextcloud Server Crawler"
and
Code:
syslog:Dec 6 10:02:26 ns2 kernel: [823983.192200] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=464184 PROTO=TCP SPT=52570 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
syslog:Dec 6 10:02:26 ns2 kernel: [823983.262188] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=947832 PROTO=TCP SPT=52584 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
syslog:Dec 6 10:02:26 ns2 kernel: [823983.262199] [UFW BLOCK] IN=eth0 OUT= MAC=00:hidden:dd SRC=2a02:yyy:yyy:yyy:0000:0000:0000:0001 DST=2a02:xxx:xxx:xxx:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=947832 PROTO=TCP SPT=52584 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
How do you understand that? For me it is the opposite: the first is HTTP 200, the second is UFW BLOCK.
I investigated. For those who had the same situation: https://askubuntu.com/questions/118...43-tcp-although-configured-to-allow-that-port This can be created by a bad/incomplete closing of the connection.
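The pattern behind this thread is worth being able to spot quickly: every logged packet is a bare RST with WINDOW=0 to a port that ufw status shows as allowed. In the iptables -L output above, ufw-before-input hands ctstate INVALID packets to ufw-logging-deny and then DROPs them before ufw-user-input (where the ALLOW rules live) is ever consulted, so a late RST for a connection conntrack has already forgotten is logged as [UFW BLOCK] even though 443 is open. Those entries are noise about how the peer closed the socket, not a rule blocking users; a SYN to an allowed port showing up in the same log would be the signal to worry about. The following triage script is an added example written for this page, not code from the thread, ISPConfig or ufw. It parses [UFW BLOCK] kernel lines, separates stray RSTs from genuine blocks using the allowed-port set from the ufw status output above, and runs over constructed sample lines (documentation-range addresses, not real hosts). The category names and the ALLOWED_PORTS set are this example's own choices; for IPv6 traffic the matching chains are listed by ip6tables -L rather than iptables -L.

```python
import re
from collections import Counter

# Allowed (proto, port) pairs, taken from the "ufw status verbose" output in the thread.
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 5349), ("udp", 5349)}

# TCP flag words the kernel prints as bare tokens (no '=') in a LOG line.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Triage categories (names chosen for this example).
STRAY_RST = "stray-rst-conntrack-invalid"   # RST after close: INVALID drop, not a rule block
NEW_ALLOWED = "syn-to-allowed-port"          # a SYN to an allowed port was dropped: investigate
NEW_CLOSED = "syn-to-closed-port"            # expected drop of a new connection
OUT_OF_STATE = "tcp-out-of-state"            # ACK/FIN etc. with no conntrack entry
OTHER_ALLOWED = "non-tcp-allowed-port"
OTHER_CLOSED = "non-tcp-closed-port"

_BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")


def parse_ufw_block(line):
    """Parse one '[UFW BLOCK]' kernel log line into a dict, or None if it is not one.

    key=value tokens become entries (a repeated key such as the inner LEN= of a UDP
    packet overwrites the outer one); bare TCP flag words go to rec["flags"];
    other bare words (DF, MF, ...) go to rec["options"].
    """
    m = _BLOCK_RE.search(line)
    if m is None:
        return None
    rec = {"flags": set(), "options": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec["options"].add(tok)
    return rec


def classify(rec, allowed=ALLOWED_PORTS):
    """Explain why a logged packet was dropped, given the allowed (proto, port) set."""
    proto = rec.get("PROTO", "").lower()
    dpt = rec.get("DPT")
    on_allowed_port = dpt is not None and (proto, int(dpt)) in allowed
    flags = rec["flags"]
    if proto == "tcp":
        # An RST for a connection conntrack no longer tracks is ctstate INVALID;
        # ufw-before-input logs and drops it before ufw-user-input is reached,
        # so the port's ALLOW rule never sees it. WINDOW=0 RST is the typical
        # late reset sent after the client has already closed its socket.
        if "RST" in flags and "SYN" not in flags:
            return STRAY_RST
        if "SYN" in flags and "ACK" not in flags:
            return NEW_ALLOWED if on_allowed_port else NEW_CLOSED
        return OUT_OF_STATE
    return OTHER_ALLOWED if on_allowed_port else OTHER_CLOSED


def triage(log_text, allowed=ALLOWED_PORTS):
    """Return one category per [UFW BLOCK] line in log_text, in order; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec is not None:
            results.append(classify(rec, allowed))
    return results


def summarize(log_text, allowed=ALLOWED_PORTS):
    """Count categories so RST noise can be separated from real blocks at a glance."""
    return Counter(triage(log_text, allowed))


# Constructed sample lines modelled on the thread's entries. Addresses are from
# documentation ranges (2001:db8::/32, 198.51.100.0/24, 203.0.113.0/24), not real hosts.
SAMPLE_LOG = """\
Dec  6 10:02:26 ns2 kernel: [823983.192200] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=464184 PROTO=TCP SPT=52570 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Dec  6 10:02:27 ns2 kernel: [823984.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  6 10:02:28 ns2 kernel: [823985.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  6 10:02:29 ns2 kernel: [823986.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5000 DPT=5353 LEN=24
Dec  6 10:02:30 ns2 sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 51000 ssh2
"""

if __name__ == "__main__":
    block_lines = [l for l in SAMPLE_LOG.splitlines() if "[UFW BLOCK]" in l]
    for line, cat in zip(block_lines, triage(SAMPLE_LOG)):
        rec = parse_ufw_block(line)
        flags = ",".join(sorted(rec["flags"])) or "-"
        print(f"{rec['PROTO']:4} dpt={rec['DPT']:5} flags={flags:8} -> {cat}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against `grep 'UFW BLOCK' /var/log/syslog` output and only the syn-to-allowed-port category deserves a look at rule order; a log made up of stray-rst-conntrack-invalid entries on an allowed port is the situation this thread describes.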