Hi,
Thanks for coming back to me about this issue. Unfortunately, as it was
too critical an issue to keep in "prod" (on a self-hosted server), I
chose to switch to another firewall controller.
I had the following custom apps:
[OpenSSH600]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=600/tcp
[Mail]
title=AnBuCo Mail
description=Dovecot+Postfix+Sieve
ports=143,993,25,465,587,4190/tcp
[F2BMail]
title=Fail2ban Mail
description=Dovecot+Postfix+Sieve
ports=143,993,25,465,587,4190/tcp
[F2BRecidive]
title=Fail2ban recidive
description=close all connections
ports=143,993,25,465,587,41910,600/tcp
and the rules were enabled like so:
# ufw allow in OpenSSH600
# ufw allow out OpenSSH600
# ufw allow in Mail
# ufw allow out Mail
# ufw allow in 'Nginx Full'
# ufw allow out 'Nginx Full'
# ufw allow out DNS
The "F2BXXXX" rules were added and deleted by fail2ban using the default
/etc/fail2ban/action.d/ufw.conf actions.
Skipping the fail2ban rules, 'ufw status verbose' was returning when
running well:
> 80,443/tcp (Nginx Full) ALLOW IN Anywhere
> 8080/tcp (WWW Cache) ALLOW IN Anywhere
> 53 (DNS) ALLOW IN Anywhere
> 123/udp ALLOW IN Anywhere # NTP
> 24441 ALLOW IN Anywhere # Pyzor
> 873/tcp ALLOW IN Anywhere # Rsync
> 137,138/udp (Samba) ALLOW IN Anywhere
> 139,445/tcp (Samba) ALLOW IN Anywhere
> 600/tcp (OpenSSH600) ALLOW IN Anywhere
> 25,143,465,587,993,4190/tcp (Mail) ALLOW IN Anywhere
> 67/udp ALLOW IN Anywhere
> 68/udp ALLOW IN Anywhere
>
> 123/udp ALLOW OUT Anywhere # NTP
> 2703/tcp ALLOW OUT Anywhere # Razor
> 7/tcp ALLOW OUT Anywhere # Razor
> 24441 ALLOW OUT Anywhere # Pyzor
> 11371 ALLOW OUT Anywhere # GPG Keys
> 873/tcp ALLOW OUT Anywhere # Rsync
> 67/udp ALLOW OUT Anywhere
> 68/udp ALLOW OUT Anywhere
> 25,143,465,587,993,4190/tcp (Mail) ALLOW OUT Anywhere
> 80,443/tcp (Nginx Full) ALLOW OUT Anywhere
> 53 (DNS) ALLOW OUT Anywhere
> 137,138/udp (Samba) ALLOW OUT Anywhere
> 139,445/tcp (Samba) ALLOW OUT Anywhere
Some rules disappeared while others stayed when 'ufw app update all' was
triggered. Unfortunately, I cannot tell you precisely which apps were
deleted; my logs seem to indicate that it was mostly outgoing rules
for 'Nginx Full', 'DNS' and 'Mail'.
Sorry I cannot be more helpful; the issue was, in my opinion, a bit too
critical to continue with ufw at the time.
Cheers
Eloi
On 25/08/2019 at 20:48, Jamie Strandboge wrote:
I believe this will be fixed with this:
https://git.launchpad.net/ufw/commit/?id=569edf283bd18c5816f980b8480cf02f1d1ead03
However there isn't enough information in this bug report to be sure.
Can you provide the full list of ufw app rules in the order you add them
for any rules that reference Nginx Full, DNS and Mail? You can send that
to me privately if you prefer.
Thanks!
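A way to catch the symptom described in this thread, as an added example that is not part of the report or of ufw itself: snapshot 'ufw status verbose' before and after 'ufw app update all', then diff the parsed rules and check that every app rule you enabled by hand is still there. The snapshots below are constructed from the lines quoted in the report; the expected list mirrors the 'ufw allow' commands above.

```python
"""Compare two `ufw status verbose` snapshots to detect app rules lost after
`ufw app update all` (added example; the snapshots below are constructed)."""
import re

# One rule line, e.g. "80,443/tcp (Nginx Full) ALLOW IN Anywhere   # note"
RULE_RE = re.compile(
    r"^(?P<ports>\S+)(?:\s+\((?P<app>[^)]+)\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<peer>\S+)"
)

def parse_status(text):
    """Return a set of (app_or_ports, action, direction, peer) tuples."""
    rules = set()
    for raw in text.splitlines():
        # Drop mail-quote markers and trailing "# comment" before matching.
        line = raw.lstrip("> ").split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if m:
            name = m.group("app") or m.group("ports")
            rules.add((name, m.group("action"), m.group("dir"), m.group("peer")))
    return rules

def lost_rules(before, after):
    """Rules present in `before` but absent from `after`, sorted for display."""
    return sorted(parse_status(before) - parse_status(after))

def missing_app_rules(status, expected):
    """Expected (app, direction) pairs that have no ALLOW rule in `status`."""
    present = {(n, d) for n, action, d, _ in parse_status(status) if action == "ALLOW"}
    return sorted(set(expected) - present)

# Constructed snapshots: BEFORE mirrors the report; AFTER lacks the outbound
# Nginx Full, DNS and Mail rules, as the report's logs suggested.
BEFORE = """\
80,443/tcp (Nginx Full)            ALLOW IN    Anywhere
53 (DNS)                           ALLOW IN    Anywhere
123/udp                            ALLOW IN    Anywhere   # NTP
600/tcp (OpenSSH600)               ALLOW IN    Anywhere
25,143,465,587,993,4190/tcp (Mail) ALLOW IN    Anywhere
25,143,465,587,993,4190/tcp (Mail) ALLOW OUT   Anywhere
80,443/tcp (Nginx Full)            ALLOW OUT   Anywhere
53 (DNS)                           ALLOW OUT   Anywhere
600/tcp (OpenSSH600)               ALLOW OUT   Anywhere
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if "OUT" not in l or "OpenSSH600" in l)

# The app rules the admin enabled by hand (from the `ufw allow` commands).
EXPECTED = [("OpenSSH600", "IN"), ("OpenSSH600", "OUT"), ("Mail", "IN"), ("Mail", "OUT"),
            ("Nginx Full", "IN"), ("Nginx Full", "OUT"), ("DNS", "OUT")]

if __name__ == "__main__":
    for rule in lost_rules(BEFORE, AFTER):
        print("lost:", *rule)
    for app, direction in missing_app_rules(AFTER, EXPECTED):
        print("missing expected rule:", app, direction)
```

Run it against real output by replacing BEFORE and AFTER with the captured 'ufw status verbose' text; a non-empty result from either function is the signal to stop and re-add the rules before trusting the firewall.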