UFW logging a block on a permitted port

Solution 1:

As per https://askubuntu.com/questions/803276/ufw-block-syslog-tcp-ip-is-blocked-and-this-is-allowed-in-ufw-gps-tracking-t above, the issue revolves around different vendors closing connections in different ways. This results in UFW receiving some packets on port 8080 on connections the source thought was still open but that UFW though had closed. To get around this we first delete the allow port 8080 rule in ufw by using sudo ufw delete <rule number of 8080 rule>

Then we tell UFW to accept all 8080 packets whether or not they're valid. We do this by editing /etc/ufw/before.rules for ipv4 and /etc/ufw/before6.rules for ipv6. Sometime before the 'drop INVALID packets' section.

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Accept everything from tcp 8080 
#Stops ufw.log filling with 8080 notices despite port 8080 being 'allowed'
-A ufw-before-input -p tcp --dport 8080 -j ACCEPT


# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

It's a good idea to remind yourself of this rule because it won't appear when you run ufw status. I have a rule that opens some other ports for the same service (unifi controller) so I added a note using

ufw allow from x.x.x.x to any proto tcp port 8443,27117 comment 'UniFi ports. Also see manual rule for 8080 in /etc/ufw/before.rules'

ufw status shows the comment:

8443,27117/tcp  ALLOW  10.1.0.0/16  # UniFi ports. Also see manual rule for 8080 in /etc/ufw/before.rules

I'm not using ipv6 in my instance so I can't test it, but you'd edit before6.rules and add the appropriate rule there.