ufw blocking apt
Solution 1
I've found the answer:
Port 53 needs to be opened, for DNS
Port 123 seems to be a good idea too
Port reference: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Solution 2
These rules helped me to successfully get rate limiting on SSH, allow in/out http and https, enable git, and have apt and aptitude working no problem:
ufw default deny incoming
ufw default deny outgoing
ufw limit ssh
ufw allow svn
ufw allow git
ufw allow out http
ufw allow in http
ufw allow out https
ufw allow in https
ufw allow out 53
ufw logging on
ufw enable
Note: I did initiate these rules with a ufw reset in order to start fresh.
Solution 3
From the ufw man page:
Rule ordering is important and the first match wins. Therefore when adding rules, add the more specific rules first with more general rules later.
From the output you've posted it looks like your deny all is getting caught before your allow rules.
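An added diagnostic for the first-match point above, written in POSIX sh; it is not code from any of the answers. It checks a `ufw status` listing for the two causes this thread turns on: a catch-all DENY OUT rule listed ahead of the ALLOW OUT rules apt needs, and a missing outbound DNS (53) rule. The sample listings are constructed in ufw's layout to mirror the status posted in the comments.

```shell
#!/bin/sh
# Added example, not from the original answers. Audits a `ufw status` listing for
# the two causes of "ufw blocks apt" discussed above: an explicit catch-all
# "DENY OUT Anywhere" rule listed before the ALLOW OUT rules (first match wins),
# and a missing outbound DNS (53) rule. IPv4 rows only; "(v6)" rows are ignored.

# Outbound ports apt depends on: 53 to resolve mirror names, 80/443 for the mirrors.
APT_OUT_PORTS="53 80 443"

# check_ufw_order STATUS_TEXT
# Prints one line per finding; returns 1 if anything is wrong, 0 if apt traffic is fine.
check_ufw_order() {
    status="$1"
    rc=0
    # Line number of the first catch-all outbound deny, if any.
    deny_line=$(printf '%s\n' "$status" | grep -n -E '^Anywhere +DENY OUT +Anywhere$' | head -n 1 | cut -d: -f1)
    for port in $APT_OUT_PORTS; do
        allow_line=$(printf '%s\n' "$status" | grep -n -E "^$port(/(tcp|udp))? +ALLOW OUT +Anywhere$" | head -n 1 | cut -d: -f1)
        if [ -z "$allow_line" ]; then
            echo "missing: no ALLOW OUT rule for port $port"
            rc=1
        elif [ -n "$deny_line" ] && [ "$allow_line" -gt "$deny_line" ]; then
            echo "shadowed: ALLOW OUT $port is listed after the catch-all DENY OUT (line $deny_line)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in ufw's layout, mirroring the status posted in the comments:
# the deny precedes the allows and port 53 is absent entirely.
SAMPLE_BAD='To                         Action      From
--                         ------      ----
Anywhere                   DENY OUT    Anywhere
80                         ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere'

# Same intent with the allows inserted ahead of the deny and DNS added.
SAMPLE_GOOD='To                         Action      From
--                         ------      ----
53                         ALLOW OUT   Anywhere
80                         ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere'

check_ufw_order "$SAMPLE_BAD" || echo "SAMPLE_BAD: apt would be blocked"
check_ufw_order "$SAMPLE_GOOD" && echo "SAMPLE_GOOD: apt traffic allowed"
```

To audit a real host, pass it the actual listing: check_ufw_order "$(ufw status)".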
Katai
Updated on September 18, 2022
Comments
-
Katai over 1 year
I have the same problem as described here, but the given solution doesn't work for me:
When I add the rule ufw deny out to any, and add port 80, 443/tcp and the ssh port as exceptions, and then add iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, I still am not able to use apt-get update, or similar things.
root@iof304:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         DENY        Anywhere
80                         ALLOW       Anywhere
(ssh)                      LIMIT       Anywhere
22                         DENY        Anywhere (v6)
80                         ALLOW       Anywhere (v6)
(ssh)                      ALLOW       Anywhere (v6)
(ssh)                      ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere
80                         ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
(ssh)                      ALLOW OUT   Anywhere (v6)
Anywhere (v6)              DENY OUT    Anywhere (v6)
80                         ALLOW OUT   Anywhere (v6)
443/tcp                    ALLOW OUT   Anywhere (v6)

Now, I'll delete the ufw deny out to any (with that, everything works fine), but I'd like to restrict everything as well as possible, so what I probably would need to know are the ports used for apt-get. They have to be OUT ports, since only deny out to any blocks everything, but apt-get doesn't seem to have a problem downloading stuff with that rule disabled (is that a sign that the other IN ports aren't blocked?). Thanks in advance
-
Katai over 11 years
Tried to switch them around (deleted 'deny out any' and added it again); now it appears at the end, but aptitude update still gets blocked.
-
MER over 7 years
Just want to add that this is a really important point when setting up the rules logged into a server remotely. Saved my bacon.