I have the same Problem as described here, but the given solution doesnt work for me:

ufw blocking apt and dns

When I add the rule ufw deny out to any, and add the port 80, 443/tcp, ssh-port as exceptions, and then add iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT I still am not able to use apt-get update, or similar things.

root@iof304:~# ufw status Status: active

To                         Action      From
--                         ------      ----
22                         DENY        Anywhere
80                         ALLOW       Anywhere
(ssh)                      LIMIT       Anywhere
22                         DENY        Anywhere (v6)
80                         ALLOW       Anywhere (v6)
(ssh)                      ALLOW       Anywhere (v6)

(ssh)                      ALLOW OUT   Anywhere
Anywhere                   DENY OUT    Anywhere
80                         ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
(ssh)                      ALLOW OUT   Anywhere (v6)
Anywhere (v6)              DENY OUT    Anywhere (v6)
80                         ALLOW OUT   Anywhere (v6)
443/tcp                    ALLOW OUT   Anywhere (v6)

Now, I'll delete the ufw deny out to any (with that, everything works fine) but I'ld like to restrict everything as good as possible, so what I probably would need to know, are the ports used for apt-get - they have to be OUT ports, since only deny out to any blocks everything, but apt-get doesnt seem to have a problem downloading stuff with that rule disabled (is that a sign that the other IN ports arent blocked?)

Thanks in advance


These rules helped me to successfully get rate limiting on SSH, allow in/out http and https, enable git, and have apt and aptitude working no problem:

ufw default deny incoming
ufw default deny outgoing
ufw limit ssh
ufw allow svn
ufw allow git
ufw allow out http
ufw allow in http 
ufw allow out https
ufw allow in https
ufw allow out 53
ufw logging on
ufw enable

Note: I did initiate these rules with a ufw reset in order to start fresh.


I've found the answer:

Port 53 needs to be opened, for DNS

Port 123 seems to be a good idea too

Port reference: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


from ufw man page

Rule ordering is important and the first match wins. Therefore when adding rules, add the more specific rules first with more general rules later.

from the output you've posted looks like you're deny all is getting caught before you're allow rules