Why is ufw logging 'BLOCK' messages regarding a port for which ufw is configured to 'ALLOW' connections?


Solution 1

The thread referenced by Caffeine Coma indicates this is related to low-level technicalities in closing TCP network connections... Obscure and subtle differences between the way operating systems (Windows, Mac, Linux) handle connection termination apparently result in some harmless confusion between server and client, and this somehow results in the above-described log messages.

I don't entirely understand the technicalities, nor why this would lead to UFW "BLOCK" log messages, but I'll take it, as it's the only answer I've come across that makes any sense, and I've seen no other symptom of something being wrong on my server -- only these harmless (albeit annoying) UFW log messages.

Refer to the mentioned forum thread for a more technical explanation.

Solution 2

I can explain it a bit in detail, without getting technical.

I'll just use a simile.

Just imagine two people talking to each other. Let's assume that they do business with each other and, furthermore, that they agree to conduct their business in a certain way.

Every time they have a transaction, it is done the same way.

  1. Meet and Greet - they agree that a transaction is only successful if they sit in the same room and shake hands at the beginning. It's a mandatory step.

  2. Listening and Re"send" - they agree that a transaction is only successful if all the data necessary for the transaction is understood, and if one side doesn't get a proper response, they re-evaluate the status and "re-talk" about certain aspects of the transaction until both sides are satisfied with the result and agree that the transaction is in order.

This includes

  a) The confirmation in the form of a handshake at the beginning of every meetup.
  b) A final confirmation at the end from both sides. Also, the seller has to remain in the room for a certain time until he is sure the buyer has left satisfied.

TCP connections work in a similar way. If there is something wrong, the firewall tells you about it.

  - Could be a fake buyer who just says hello and then leaves again (probe)
  - Could be a real buyer who isn't so certain anymore in the middle of things and leaves the room (user)
  - Could be a communications problem (routing, network, etc.)

HTH, s1mmel


Author: Chris W.

Updated on September 18, 2022

Comments

  • Chris W.
    Chris W. over 1 year

    Here's an example log message:

    May 25 10:36:07 myserver kernel: [7057243.392334] [UFW BLOCK] IN=eth0 OUT= MAC=00:02:55:67:82:eb:00:06:b1:3a:ef:62:08:00 SRC=69.197.128.26 DST=192.168.100.101 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=0 PROTO=TCP SPT=48788 DPT=80 WINDOW=972 RES=0x00 RST URGP=0
    

    My understanding is that DPT stands for "destination port", but since I have ufw configured to allow incoming connections on port 80, I'm puzzled as to why I'd be seeing such a log message -- a log message which seems to be indicating ufw blocked a connection attempt on that port.

    The following are the relevant lines from ufw status:

    To                         Action      From
    --                         ------      ----
    80/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere (v6)
    

    I've seen this on both Ubuntu 11.10 and now (after upgrading the same machine) on Ubuntu 12.04.

    • david6
      david6 almost 11 years
      Two questions first: Why are you using Ubuntu 11.10, which is end-of-life (May 9, 2013)? Why do you want inbound connections on Port 80? This is exceptionally bad security practice.
    • Chris W.
      Chris W. almost 11 years
      (1) I'm going to try upgrading to a more recent (hopefully latest) Ubuntu (but to answer your question, because it's a pain as I have to coordinate with our hosting provider). (2) How else does one run a web-server? Doesn't that require allowing clients to connect on port 80?
    • Chris W.
      Chris W. almost 11 years
      I've upgraded to Ubuntu 12.04, the latest LTS release, but still seeing the mystery log messages unfortunately...
    • Caffeine Coma
      Caffeine Coma almost 11 years
      I'm also seeing this on 12.10. Interestingly I'm seeing it block addresses from Google's crawlers.
  • Chris W.
    Chris W. almost 11 years
    Thanks for the link, CC. I don't fully understand it, but it seems to explain the log messages I'm seeing.
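Added example (editor's code, not part of the thread or of ufw itself): a small Python script that parses `[UFW BLOCK]` lines such as the one quoted in the comments and separates the harmless entries from real policy blocks. The quoted line is a TCP segment to port 80 carrying only RST and no SYN. A segment like that belongs to a connection the kernel no longer has a conntrack entry for (the "connection termination" case Solution 1 points to), so connection tracking marks it INVALID, and ufw's default before.rules drop and log INVALID packets before the user ALLOW rules are ever evaluated. The script therefore treats "TCP to an allowed port without SYN" as a stale segment, "SYN to an allowed port" as a rule-ordering problem worth investigating, and everything else as an ordinary policy block. The `ALLOWED` set mirrors the `ufw status` output in the question; all sample log lines except the first are constructed for this example.

```python
import re
from typing import Dict, Set

# TCP flag tokens as netfilter prints them: bare words with no "=".
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Inbound ALLOW rules from the question's `ufw status`: (dport, proto).
ALLOWED = {(80, "TCP")}

STALE = "stale_on_allowed_port"        # no SYN to an allowed port: late segment, conntrack INVALID
NEW_ON_ALLOWED = "syn_on_allowed_port"  # SYN to an allowed port: ALLOW rule is not taking effect
POLICY = "policy_block"                # anything else: ordinary default-deny

_LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\]\s*(?P<rest>.*)$")


def parse_ufw_line(line: str) -> Dict[str, object]:
    """Parse one kernel/ufw log line into its KEY=value fields.

    Bare tokens (DF, SYN, ACK, RST, ...) are collected in the 'flags' set.
    Returns {} for lines that are not ufw log entries.
    """
    m = _LINE_RE.search(line)
    if not m:
        return {}
    rec: Dict[str, object] = {"action": m.group("action")}
    flags: Set[str] = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val  # UDP lines carry LEN= twice; the last one (UDP length) wins
        else:
            flags.add(tok)
    rec["flags"] = flags
    return rec


def classify(rec: Dict[str, object]) -> str:
    """Bucket a parsed BLOCK record using the ALLOW rule set above."""
    proto = rec.get("PROTO")
    dport = int(rec["DPT"]) if "DPT" in rec else None
    flags = rec.get("flags", set()) & TCP_FLAGS
    if proto == "TCP" and (dport, proto) in ALLOWED:
        if "SYN" in flags and "ACK" not in flags:
            return NEW_ON_ALLOWED
        return STALE
    return POLICY


def summarize(log_text: str) -> Dict[str, int]:
    """Count BLOCK entries per bucket; non-BLOCK ufw lines and other lines are skipped."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if not rec or rec["action"] != "BLOCK":
            continue
        bucket = classify(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample: line 1 is the entry quoted in the question, the rest are
# made-up lines (documentation IP ranges, placeholder MAC) to show the contrast.
SAMPLE_LOG = """\
May 25 10:36:07 myserver kernel: [7057243.392334] [UFW BLOCK] IN=eth0 OUT= MAC=00:02:55:67:82:eb:00:06:b1:3a:ef:62:08:00 SRC=69.197.128.26 DST=192.168.100.101 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=0 PROTO=TCP SPT=48788 DPT=80 WINDOW=972 RES=0x00 RST URGP=0
May 25 10:36:09 myserver kernel: [7057245.100001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.168.100.101 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=44444 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
May 25 10:36:11 myserver kernel: [7057247.200002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.9 DST=192.168.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 10:36:12 myserver kernel: [7057248.300003] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.9 DST=192.168.100.101 LEN=32 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=12
May 25 10:36:14 myserver kernel: [7057250.400004] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.8 DST=192.168.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket:24s} {n}")
```

Run it against `journalctl -k` or `/var/log/ufw.log` output; the buckets to act on are `syn_on_allowed_port` (a fresh connection to a port you believe is open was refused, so check rule order with `sudo ufw status numbered`) and `policy_block` (normal noise and probes). The `stale_on_allowed_port` bucket is the thread's case and needs no action. If you only want the log noise gone, note that ufw's before.rules log INVALID packets at logging level medium and above, so `sudo ufw logging low` keeps ordinary policy blocks in the log while dropping these entries.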