Should ufw block access to localhost?

Colin Law clanlaw at gmail.com
Thu Mar 14 09:09:41 UTC 2019


On Thu, 14 Mar 2019 at 08:36, Tony Arnold <tony.arnold at manchester.ac.uk> wrote:
>
> Hi Colin,
>
> I guess a detailed examination of the IPtables that UFW has set up might yield some clues. But you've no doubt done that already!

No, because my knowledge of IPtables is only skin deep.  I think the
principal reason for using ufw is to isolate one from the much more
complex details of IPtables.

What I was hoping for was at least confirmation that what I am seeing
is, or is not, expected, and if it is expected what I should do to allow
access from localhost.  Google has not provided any leads that have
helped me.  I found links explaining how to *block* access from
localhost but not the reverse, which suggests to me that access should
not be blocked by default.

I can provide the IPtables list if anyone is willing, and has the
time, to look at it, for which I would be most grateful.  If so which
command should I use?  iptables -L?

Colin

>
> Regards,
> Tony.
>
> On Wed, 2019-03-13 at 22:10 +0000, Colin Law wrote:
>
> I am setting up ufw on a server and have a symptom I don't understand.
>
> I am running mosquitto with TLS on port 8883 on the server so in ufw I
> have opened that port
>
> sudo ufw allow 8883
>
> and can then access port 8883 from another machine, as expected.  I
> cannot access it if I do not open that port, again as expected.
>
> However I also access mosquitto locally on the server using
> localhost:8883 and the feature I do not understand is that if ufw is
> enabled then I cannot access it via localhost whether the port is
> opened or not.  If I *disable* ufw then I *can* access mosquitto via
> localhost.
>
> ufw status shows
>
> $ sudo ufw status verbose
> Status: active
> Logging: on (low)
> Default: deny (incoming), allow (outgoing), deny (routed)
> New profiles: skip
>
> To                         Action      From
> --                         ------      ----
> 22                         ALLOW IN    Anywhere
> 80                         ALLOW IN    Anywhere
> 443                        ALLOW IN    Anywhere
> 8883                       ALLOW IN    Anywhere
> 22 (v6)                    ALLOW IN    Anywhere (v6)
> 80 (v6)                    ALLOW IN    Anywhere (v6)
> 443 (v6)                   ALLOW IN    Anywhere (v6)
> 8883 (v6)                  ALLOW IN    Anywhere (v6)
>
> Can anyone explain what is going on?
>
> Colin
>
> --
>
> Tony Arnold MBCS, CITP | Senior IT Security Analyst | Directorate of IT Services | Desk 51, Office 2, Kilburn Building | The University of Manchester | Manchester M13 9PL | T: +44 161 275 6093 | M: +44 773 330 0039
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
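On the question of which command to use: `sudo iptables -S` (or `sudo ufw show raw`) prints every rule in the same `-A CHAIN ...` form it was added with, which is far easier to grep than the column layout of `iptables -L`. The script below is an added example, not code from this thread or from the ufw project: it reads a saved `iptables -S` listing and reports whether an `-i lo -j ACCEPT` rule sits on the INPUT path. ufw's own `/etc/ufw/before.rules` installs exactly that rule in the `ufw-before-input` chain, so a stock configuration should report "ok"; a "missing" result would mean the loopback exception has been lost from the ruleset. The function name `loopback_status` and the two sample listings are the example's own; the listings are constructed, abbreviated rule sets in the shape ufw produces, not a capture from Colin's server.

```shell
#!/bin/sh
# Added example (not from the thread or from ufw): check whether a
# ufw-built iptables ruleset accepts loopback traffic on the INPUT path.
#
# Usage:  sudo iptables -S > rules.txt && loopback_status rules.txt
# Exit status 0 = loopback accepted, 1 = no loopback ACCEPT found.

loopback_status() {
    rules_file=$1

    # Chain policy applied when nothing matches (ufw sets INPUT to DROP).
    policy=$(sed -n 's/^-P INPUT //p' "$rules_file")

    # INPUT itself plus every chain that INPUT jumps to unconditionally.
    # ufw's INPUT chain is nothing but such jumps (ufw-before-logging-input,
    # ufw-before-input, ufw-after-input, ...), so this covers the ufw path.
    chains="INPUT $(sed -n 's/^-A INPUT -j \([^ ]*\)$/\1/p' "$rules_file")"

    for chain in $chains; do
        if grep -q "^-A $chain -i lo -j ACCEPT$" "$rules_file"; then
            echo "ok: '-A $chain -i lo -j ACCEPT' present (INPUT policy: $policy)"
            return 0
        fi
    done

    echo "missing: no '-i lo -j ACCEPT' on the INPUT path (INPUT policy: $policy)"
    return 1
}

# Constructed, abbreviated listing in the shape `iptables -S` prints for a
# stock ufw install after `ufw allow 8883`. Real output has many more rules.
sample_ufw_default() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-before-logging-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-reject-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 8883 -j ACCEPT
EOF
}

# Same listing with the loopback rule stripped out (constructed failure case).
sample_loopback_missing() {
    sample_ufw_default | grep -v -- '-i lo -j ACCEPT'
}
```

On a live machine, run `sudo iptables -S > rules.txt` and then `loopback_status rules.txt`; repeat with `ip6tables -S`, since a client connecting to `localhost` may resolve it to `::1` and hit the IPv6 ruleset instead. If the check reports "missing", compare `/etc/ufw/before.rules` (and `before6.rules`) against the packaged defaults, because that file is where the loopback ACCEPT comes from.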