On Tue, 27 Aug 2019, Eloi Coutant wrote:

> Hi,
> 
> Thanks for coming back to me about this issue. Unfortunately, as it was too
> critical an issue to keep in "prod" (on a self-hosted server), I chose to
> switch to another firewall controller.

No worries, the information you provided lets me know that you would see
the issue without this fix:

https://git.launchpad.net/ufw/commit/?id=569edf283bd18c5816f980b8480cf02f1d1ead03

This will be fixed in the next ufw upload.

> 
> I had the following custom apps:
> 
> [OpenSSH600]
> title=Secure shell server, an rshd replacement
> description=OpenSSH is a free implementation of the Secure Shell protocol.
> ports=600/tcp
> 
> [Mail]
> title=AnBuCo Mail
> description=Dovecot+Postfix+Sieve
> ports=143,993,25,465,587,4190/tcp
> 
> [F2BMail]
> title=Fail2ban Mail
> description=Dovecot+Postfix+Sieve
> ports=143,993,25,465,587,4190/tcp
> 
> [F2BRecidive]
> title=Fail2ban recidive
> description=close all connections
> ports=143,993,25,465,587,41910,600/tcp
> 
> and the rules were enabled like so:
> # ufw allow in OpenSSH600
> # ufw allow out OpenSSH600
> # ufw allow in Mail
> # ufw allow out Mail
> # ufw allow in 'Nginx Full'
> # ufw allow out 'Nginx Full'
> # ufw allow out DNS
> 
> The "F2BXXXX" rules were added and deleted by fail2ban using the default
> /etc/fail2ban/action.d/ufw.conf actions.
> 
> Skipping the fail2ban rules, 'ufw status verbose' was returning when running
> well:
> 
> > 80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
> > 8080/tcp (WWW Cache)       ALLOW IN    Anywhere
> > 53 (DNS)                   ALLOW IN    Anywhere
> > 123/udp                    ALLOW IN    Anywhere         # NTP
> > 24441                      ALLOW IN    Anywhere         # Pyzor
> > 873/tcp                    ALLOW IN    Anywhere         # Rsync
> > 137,138/udp (Samba)        ALLOW IN    Anywhere
> > 139,445/tcp (Samba)        ALLOW IN    Anywhere
> > 600/tcp (OpenSSH600)       ALLOW IN    Anywhere
> > 25,143,465,587,993,4190/tcp (Mail) ALLOW IN    Anywhere
> > 67/udp                     ALLOW IN    Anywhere
> > 68/udp                     ALLOW IN    Anywhere
> >
> > 123/udp                    ALLOW OUT   Anywhere          # NTP
> > 2703/tcp                   ALLOW OUT   Anywhere          # Razor
> > 7/tcp                      ALLOW OUT   Anywhere          # Razor
> > 24441                      ALLOW OUT   Anywhere          # Pyzor
> > 11371                      ALLOW OUT   Anywhere          # GPG Keys
> > 873/tcp                    ALLOW OUT   Anywhere          # Rsync
> > 67/udp                     ALLOW OUT   Anywhere
> > 68/udp                     ALLOW OUT   Anywhere
> > 25,143,465,587,993,4190/tcp (Mail) ALLOW OUT   Anywhere
> > 80,443/tcp (Nginx Full)    ALLOW OUT   Anywhere
> > 53 (DNS)                   ALLOW OUT   Anywhere
> > 137,138/udp (Samba)        ALLOW OUT   Anywhere
> > 139,445/tcp (Samba)        ALLOW OUT   Anywhere
> 
> 
> Some rules disappeared while others stayed when 'ufw app update all' was
> triggered. Unfortunately, I cannot tell you precisely which apps were
> deleted; my logs seem to indicate that it was mostly outgoing rules for
> 'Nginx Full', 'DNS' and 'Mail'.
> 
> Sorry if I cannot be more helpful, the issue was in my opinion a bit too
> critical to continue with ufw at the time.
> 
> Cheers
> Eloi
> 
> On 25/08/2019 at 20:48, Jamie Strandboge wrote:
> > I believe this will be fixed with this:
> > https://git.launchpad.net/ufw/commit/?id=569edf283bd18c5816f980b8480cf02f1d1ead03
> > 
> > However there isn't enough information in this bug report to be sure.
> > Can you provide the full list of ufw app rules in the order you add them
> > for any rules that reference Nginx Full, DNS and Mail? You can send that
> > to me privately if you prefer.
> > 
> > Thanks!
> > 
-- 
Jamie Strandboge             | http://www.canonical.com

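A practical check for the failure mode discussed in this thread, added here as an example and not code from ufw, fail2ban or either correspondent: snapshot `ufw status verbose` before running `ufw app update all`, snapshot it again afterwards, and diff the two listings so that any rule that was silently dropped (the outbound 'Nginx Full', 'DNS' and 'Mail' rules Eloi describes) is reported before the host keeps running with a narrower policy than the administrator intended. The two listings embedded below are constructed from the output quoted above, with three outbound rules removed from the second one to mimic the reported loss; the file names in the docstring are assumed.

```python
"""Diff two 'ufw status verbose' listings and report rules that vanished.

Added example, not part of ufw or fail2ban. Typical use (file names are
assumed):
    sudo ufw status verbose > before.txt
    sudo ufw app update all
    sudo ufw status verbose > after.txt
    python3 ufw_rule_diff.py before.txt after.txt
Without arguments it runs on the constructed sample listings below.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (to, action, direction, from)

# One rule line of 'ufw status [verbose]', e.g.
#   "80,443/tcp (Nginx Full)    ALLOW IN    Anywhere"
#   "123/udp                    ALLOW OUT   Anywhere          # NTP"
# Plain 'ufw status' omits the direction for inbound rules, so it is optional.
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \([^)]*\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<dir>IN|OUT|FWD))?\s+"
    r"(?P<src>\S+(?: \([^)]*\))?)"
    r"(?:\s+#\s*(?P<comment>.*?))?\s*$"
)


def parse_status(text: str) -> Dict[Rule, str]:
    """Parse ufw status output into {rule: comment}.

    Header lines ('Status:', 'Default:', the column banner) and blank lines
    do not match RULE_RE and are skipped. A missing direction means IN.
    """
    rules: Dict[Rule, str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        key = (m["to"], m["action"], m["dir"] or "IN", m["src"])
        rules[key] = m["comment"] or ""
    return rules


def missing_rules(before: str, after: str) -> List[Rule]:
    """Rules present in the earlier listing but absent from the later one."""
    earlier, later = parse_status(before), parse_status(after)
    return sorted(rule for rule in earlier if rule not in later)


def profiles_affected(missing: List[Rule]) -> Set[str]:
    """App profile names (the '(Name)' suffix in the To column) among the
    missing rules, i.e. the profiles whose rules must be re-added."""
    names: Set[str] = set()
    for to, *_ in missing:
        m = re.search(r"\(([^)]*)\)$", to)
        if m:
            names.add(m.group(1))
    return names


# Constructed sample: a subset of the listing quoted in the thread.
BEFORE_SAMPLE = """
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
53 (DNS)                   ALLOW IN    Anywhere
123/udp                    ALLOW IN    Anywhere         # NTP
600/tcp (OpenSSH600)       ALLOW IN    Anywhere
25,143,465,587,993,4190/tcp (Mail) ALLOW IN    Anywhere

123/udp                    ALLOW OUT   Anywhere          # NTP
25,143,465,587,993,4190/tcp (Mail) ALLOW OUT   Anywhere
80,443/tcp (Nginx Full)    ALLOW OUT   Anywhere
53 (DNS)                   ALLOW OUT   Anywhere
"""

# Constructed sample: the same host after 'ufw app update all', with the
# three outbound app rules gone, as reported in the thread.
AFTER_SAMPLE = """
Status: active
Default: deny (incoming), deny (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
53 (DNS)                   ALLOW IN    Anywhere
123/udp                    ALLOW IN    Anywhere         # NTP
600/tcp (OpenSSH600)       ALLOW IN    Anywhere
25,143,465,587,993,4190/tcp (Mail) ALLOW IN    Anywhere

123/udp                    ALLOW OUT   Anywhere          # NTP
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
            before, after = f_before.read(), f_after.read()
    else:
        before, after = BEFORE_SAMPLE, AFTER_SAMPLE
    lost = missing_rules(before, after)
    for to, action, direction, src in lost:
        print(f"LOST: {to:<36} {action} {direction:<3} {src}")
    if lost:
        print("profiles to re-add:", ", ".join(sorted(profiles_affected(lost))))
        sys.exit(1)
```

The comparison key deliberately excludes the trailing comment, so a rule whose comment was rewritten is not reported as lost; it does include the direction, which is what distinguishes the surviving inbound 'Nginx Full' rule from the dropped outbound one. With a default-deny outgoing policy such as the one in the sample header, a non-zero exit here is the signal to re-run the `ufw allow out` commands for the listed profiles before anything else depends on outbound connectivity.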