UFW is blocking all even when I set rules to allow

Open a terminal and type the following commands:

Start off by doing a reset, which will remove all the existing rules:

sudo ufw reset

Next,

sudo ufw app list

This will list the available application profiles, such as OpenSSH and others. To get info on an app, type a command like the one in this example:

sudo ufw app info OpenSSH

Here's the output:

Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp

To allow OpenSSH access, you can use the following rule:

sudo ufw allow 22/tcp

Unlike Debian, www and https are not usually included as app profiles; however, we know these operate on ports 80 and 443, so use the following commands:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

If you want to add UDP, just do this as well:

sudo ufw allow 80/udp
sudo ufw allow 443/udp

Disable and enable ufw to apply the changes:

sudo ufw disable
sudo ufw enable

To show your rules:

sudo ufw status

Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.
You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.

To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.

sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp

FYI: in case others have this problem.

In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.

I ended up uninstalling ufw, rebooting, running 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall/reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.

Here's what the top level chains should look like (on Debian 9.4).

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           
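A quick check for the state this reply describes, added here as an example and not code posted in the thread: it reads saved iptables -L -n output and reports which ufw hook chains are no longer referenced from INPUT, FORWARD and OUTPUT (the listing above is the healthy state). The dump produced by write_sample_dump is constructed for illustration, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the built-in chains
# still jump into ufw's hook chains. Input is `iptables -L -n` saved to a
# file, so it also works on a dump copied from another host.
# Usage: sudo iptables -L -n > /tmp/ipt.txt; sh check_ufw.sh /tmp/ipt.txt

# check_ufw_hooks FILE: print one "MISSING: CHAIN -> target" line per absent
# hook; exit status 0 when every hook is present, 1 otherwise.
check_ufw_hooks() {
    file="$1"; missing=0
    for chain in input forward output; do
        upper=$(printf '%s' "$chain" | tr '[:lower:]' '[:upper:]')
        for hook in before-logging before after after-logging reject track; do
            target="ufw-${hook}-${chain}"
            # awk tracks which "Chain X" section it is in, so a target that
            # only appears inside some other ufw chain does not count.
            if ! awk -v sec="Chain $upper " -v tgt="$target" '
                index($0, "Chain ") == 1 { in_sec = (index($0, sec) == 1) }
                in_sec && $1 == tgt { found = 1 }
                END { exit (found ? 0 : 1) }' "$file"; then
                echo "MISSING: $upper -> $target"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# write_sample_dump FILE: constructed sample (not real output) resembling the
# broken state: INPUT intact, FORWARD absent, OUTPUT present but with no hooks.
write_sample_dump() {
    cat > "$1" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

if [ $# -gt 0 ]; then
    check_ufw_hooks "$1"
fi
```

If anything is reported missing, re-run after sudo ufw disable, a reboot and sudo ufw enable, which is what the reply above found restores the top level jumps.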

I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.

sudo apt-get purge ufw
sudo apt-get install ufw