ping and traceroute do not work when UFW denies outgoing by default

How to make ping and traceroute work after setting UFW with deny outgoing by default?

Here is my UFW configuration:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
123/udp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
123/udp (v6)               ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

53                         ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
587/tcp                    ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
53 (v6)                    ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
587/tcp (v6)               ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)

Here are ping and traceroute results:

ping google.com
PING google.com (173.194.121.34) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

traceroute google.com
traceroute to google.com (173.194.121.34), 30 hops max, 60 byte packets
send: Operation not permitted

I found this post (http://www.kelvinism.com/2010/09/enable-icmp-through-ufw_461.html) that recommends adding these lines to /etc/ufw/before.rules:

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

It seems to work for ping but not for traceroute. Any idea?

Thanks


Solution 1:

I had to use sudo for traceroute and the -I option (Use ICMP ECHO for tracerouting):

sudo traceroute google.com -I

Solution 2:

This worked for me:

ufw allow out to any port 33434:33524 proto udp

Solution 3:

For traceroute you need to allow outgoing UDP packets in the range 33434:33524. Some tools will allow you to use ICMP echo requests as well. As you have PING working, you must have enabled ICMP echo-request packets.

Return packets will be mostly ICMP time-exceeded packets. If you have enabled the required ICMP types, you won't need to configure anything.
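To make the three requirements from Solutions 2 and 3 checkable, here is an added audit script (it is not from the question or any of the answers). It takes a "ufw status verbose" listing and the contents of /etc/ufw/before.rules as text, so it runs offline on constructed samples, and reports which of the pieces needed for ping and UDP traceroute under "deny (outgoing)" are missing, together with the fix each answer gives. The one-line format that ufw prints for the rule from Solution 2 (33434:33524/udp ALLOW OUT Anywhere) and the default "ok icmp codes for INPUT" block of before.rules are assumptions of this example, so compare them against your own host before relying on the result.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Audits a "ufw status verbose" listing and a before.rules file for what
# ping and traceroute need when the default outgoing policy is deny:
#   1. an outbound ICMP accept in ufw-before-output (ping, and traceroute -I);
#   2. an ALLOW OUT rule covering UDP 33434:33524 (classic UDP traceroute);
#   3. the default time-exceeded accept in ufw-before-input, so the replies
#      that traceroute relies on are not dropped on the way back.
# On a real host feed it: audit "$(sudo ufw status verbose)" "$(cat /etc/ufw/before.rules)"

# Constructed sample: the outbound part of the listing from the question.
STATUS_FROM_QUESTION='53                         ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere'

# Constructed sample: the same listing after
# "sudo ufw allow out to any port 33434:33524 proto udp" (Solution 2).
# The exact line ufw prints for that rule is an assumption of this example.
STATUS_WITH_RANGE="$STATUS_FROM_QUESTION
33434:33524/udp            ALLOW OUT   Anywhere"

# Constructed sample: the stock "ok icmp codes for INPUT" block of
# /etc/ufw/before.rules, with no outbound ICMP rule at all.
RULES_DEFAULT='-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# Constructed sample: the same block plus the outbound rule from the question.
RULES_WITH_ICMP_OUT="$RULES_DEFAULT
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

# 0 if the status listing has an ALLOW OUT rule for the UDP traceroute range.
traceroute_udp_allowed() {
    printf '%s\n' "$1" | grep -Eq '^33434:33524/udp[[:space:]]+ALLOW OUT'
}

# 0 if before.rules accepts outbound ICMP in the ufw-before-output chain.
icmp_out_allowed() {
    printf '%s\n' "$1" | grep -Eq '^-A ufw-before-output -p icmp .*-j ACCEPT'
}

# 0 if the default inbound time-exceeded accept is still present.
time_exceeded_in_allowed() {
    printf '%s\n' "$1" | grep -Eq '^-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT'
}

# Print one block per missing piece with its fix; return 0 only when nothing
# is missing. Arguments: status listing text, before.rules text.
audit() {
    audit_status="$1"
    audit_rules="$2"
    audit_missing=0
    if ! icmp_out_allowed "$audit_rules"; then
        echo "ping: add to /etc/ufw/before.rules (above its COMMIT line):"
        echo "  -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        audit_missing=1
    fi
    if ! traceroute_udp_allowed "$audit_status"; then
        echo "traceroute (UDP probes): sudo ufw allow out to any port 33434:33524 proto udp"
        audit_missing=1
    fi
    if ! time_exceeded_in_allowed "$audit_rules"; then
        echo "traceroute replies: restore the default time-exceeded rule in ufw-before-input"
        audit_missing=1
    fi
    return $audit_missing
}

# Stand-alone demo on the constructed inputs: the question's configuration
# lacks both the outbound ICMP rule and the UDP range, so two fixes print.
audit "$STATUS_FROM_QUESTION" "$RULES_DEFAULT" || true
```

The third check matters because Solution 3's "you won't need to configure anything" for the return traffic only holds while the stock time-exceeded accept is still in before.rules; if it was trimmed during hardening, traceroute sends its probes but never sees a hop.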