I set up ufw firewall on a Debian 12.1 server. This is my configuration:
sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
646 ALLOW IN Anywhere
7886 ALLOW IN 172.16.0.0/12
7886 DENY IN Anywhere
646 (v6) ALLOW IN Anywhere (v6)
7886 (v6) DENY IN Anywhere (v6)
As you can see, first I allow all incoming and all outgoing connections. Then I selectively block a specific port (it should only be accessible from inside). This is working fine.
BUT, my syslog is getting spammed with log entries like
[Fr Okt 20 20:32:51 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=185.11.61.222 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=14551 PROTO=TCP SPT=48993 DPT=62873 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:36 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.11.61.222 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=59605 PROTO=TCP SPT=48993 DPT=6148 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:37 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=77.90.185.189 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=7911 PROTO=TCP SPT=40738 DPT=1999 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:49 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=176.113.115.104 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17273 PROTO=TCP SPT=57674 DPT=8532 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:14 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=79.124.62.130 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=35581 PROTO=TCP SPT=50976 DPT=41519 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:24 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=46.161.27.54 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=42873 PROTO=TCP SPT=42205 DPT=4477 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:34:55 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=194.26.135.157 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=28309 PROTO=TCP SPT=57742 DPT=9504 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:10 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.233.19.185 DST=46.127.133.1 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=15502 PROTO=TCP SPT=58914 DPT=9376 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:36 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=185.11.61.212 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31908 PROTO=TCP SPT=57640 DPT=50904 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:35:50 2023] [UFW BLOCK] IN=ens3 OUT= MAC=36:35:1f:08:90:3f:84:03:28:62:58:18:08:00 SRC=80.66.83.76 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=58996 PROTO=TCP SPT=44063 DPT=10749 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:04 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=78.128.113.250 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=8239 PROTO=TCP SPT=40186 DPT=35046 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:38 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=185.11.61.229 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=20645 PROTO=TCP SPT=49077 DPT=29163 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:36:41 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=62.233.50.217 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17901 PROTO=TCP SPT=40917 DPT=42703 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:37:17 2023] [UFW BLOCK] IN=ens3 OUT= MAC=46:32:1f:08:90:3f:10:0e:1e:26:f2:c0:18:01 SRC=80.66.83.84 DST=46.127.133.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=25857 PROTO=TCP SPT=43931 DPT=5370 WINDOW=1200 RES=0x00 RST URGP=0
Logging is set to “low”. I read that ufw will then “store logs related to blocked packets that do not match the current firewall rules and will show log entries related to logged rules.”
As my default rule is “allow all incoming”, why does ufw block those incoming connection attempts? Why all those logs?
In case it helps, here’s the output of iptables (but I did not touch anything with iptables)
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.20.0.2 tcp dpt:1020
ACCEPT tcp -- anywhere 172.21.0.2 tcp dpt:25565
ACCEPT tcp -- anywhere 172.20.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 172.20.0.6 tcp dpt:http
ACCEPT tcp -- anywhere 172.20.0.18 tcp dpt:22000
ACCEPT udp -- anywhere 172.20.0.18 udp dpt:22000
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:2019
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:2015
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:https
ACCEPT udp -- anywhere 172.24.0.2 udp dpt:https
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:646
ACCEPT udp -- anywhere anywhere udp dpt:646
ACCEPT tcp -- 172.16.0.0/12 anywhere tcp dpt:7886
ACCEPT udp -- 172.16.0.0/12 anywhere udp dpt:7886
DROP tcp -- anywhere anywhere tcp dpt:7886
DROP udp -- anywhere anywhere udp dpt:7886
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
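Added example (not part of the question, and not ufw's own code) that parses [UFW BLOCK] lines in the format shown above and attributes each one to the rule in the iptables dump that can have logged it: with a default-allow INPUT policy the ufw-after-logging-input chain is empty and the port-7886 DROP rules carry no LOG target, so the only logging rules left on the input path are the ctstate INVALID entry in ufw-before-input (a TCP RST that belongs to no tracked connection, which is what every logged line above is, counts as INVALID to conntrack) and ufw-not-local. Assumed: the host's own address in LOCAL_ADDRS and the constructed sample lines, which use documentation-range addresses rather than the poster's.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the syslog entries in the
# question (documentation-range addresses, not the poster's).
SAMPLE_LOG = """\
[Fr Okt 20 20:32:51 2023] [UFW BLOCK] IN=ens3 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=14551 PROTO=TCP SPT=48993 DPT=62873 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:36 2023] [UFW BLOCK] IN=ens3 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=59605 PROTO=TCP SPT=48993 DPT=6148 WINDOW=1200 RES=0x00 RST URGP=0
[Fr Okt 20 20:33:40 2023] [UFW BLOCK] IN=ens3 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.12 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7911 PROTO=TCP SPT=40738 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LOCAL_ADDRS = {"198.51.100.1"}  # assumed: the address(es) configured on this host
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Return the key=value fields of a [UFW BLOCK] line plus its bare TCP flag tokens."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(KV_RE.findall(body))
    # SYN / RST / ACK appear as bare words, not as key=value pairs
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields


def classify(f):
    """Name the logging rule in ufw-before-input that matches this packet, in chain order."""
    if f.get("PROTO") == "TCP" and "RST" in f["FLAGS"] and "SYN" not in f["FLAGS"]:
        # an RST with no tracked connection behind it is ctstate INVALID:
        # logged by ufw-logging-deny, then dropped, before any user rule runs
        return "invalid-state"
    if f.get("DST") not in LOCAL_ADDRS:
        # destination is not one of our addresses: logged and dropped by ufw-not-local
        return "not-local"
    return "unexplained"


def summarize(text):
    """Count logged packets per category and per source address."""
    cats, srcs = Counter(), Counter()
    for line in text.splitlines():
        f = parse_ufw_line(line)
        if f:
            cats[classify(f)] += 1
            srcs[f["SRC"]] += 1
    return cats, srcs
```

Run it over the real syslog (for example the output of journalctl -k) instead of SAMPLE_LOG: a large "invalid-state" count made up of many single-packet sources is stray RST noise from the Internet, not a sign that the user rules are misbehaving.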