
My current ufw status is as follows. UFW is set to default deny.

[ 1] SSH                        ALLOW IN    10.1.0.0/16               
[ 2] DNS                        ALLOW IN    10.1.0.0/16               
[ 3] DNS                        ALLOW IN    192.168.0.0/16            
[ 4] 1900,3478,10001/udp        ALLOW IN    10.1.0.0/16                # UniFi UDP ports
[ 5] 6789,8080,8443,8843,8880,27117/tcp ALLOW IN    10.1.0.0/16                # UniFi TCP ports
[ 6] 5353/udp                   ALLOW IN    10.1.0.0/16                # Multicast DNS aka Bonjour

So incoming TCP packets to port 8080 from the 10.1.0.0/16 block should all be allowed, but in my ufw.log I see constant repeats of the following:

Mar 10 18:28:48 pi-hole kernel: [97820.380848] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:ef:23:6a:b4:fb:e4:28:d2:48:08:00:45:00:00:34:52:72:40:00:40:06:d1:51 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21106 DF PROTO=TCP SPT=36656 DPT=8080 WINDOW=245 RES=0x00 ACK FIN URGP=0 
Mar 10 18:29:10 pi-hole kernel: [97841.880829] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:ef:23:6a:b4:fb:e4:28:d2:48:08:00:45:00:00:34:55:42:40:00:40:06:ce:81 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21826 DF PROTO=TCP SPT=36657 DPT=8080 WINDOW=245 RES=0x00 ACK FIN URGP=0 
Mar 10 18:29:31 pi-hole kernel: [97863.530929] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:ef:23:6a:b4:fb:e4:28:d2:48:08:00:45:00:00:34:87:7d:40:00:40:06:9c:46 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34685 DF PROTO=TCP SPT=36658 DPT=8080 WINDOW=245 RES=0x00 ACK FIN URGP=0 

implying it is blocking incoming TCP packets from 10.1.1.1 going to port 8080.

I tried running ufw reload to no avail. I have also tried allowing 8080 from any IP address, same problem.

I have even completely removed UFW using apt purge ufw and reinstalled and rebuilt my rules, but still get the same issue.

Any ideas?

Mike
    https://serverfault.com/q/309691/126632 – Michael Hampton Mar 11 '19 at 01:37
  • That's a great article, I don't see the relevance to my case. His is more about the timing of ACK PSH FIN packet states – Mike Mar 11 '19 at 02:33
  • The packets you show being blocked are the final FIN ACK packets described in that article. – Michael Hampton Mar 11 '19 at 03:02
  • Can you help me understand? I'm not seeing the connection. The linked article is discussing traffic outgoing from the webserver getting dropped due to a timing issue. My issue is with incoming packets to 8080 getting dropped erroneously. – Mike Mar 11 '19 at 05:09
  • Doing some more jazz hands on the gargler finds me the following links that point to you being right. TL;DR this isn't a security or (usually) a connectivity issue, just a fill-up-the-logs-with-spam issue: https://askubuntu.com/questions/803276/ufw-block-syslog-tcp-ip-is-blocked-and-this-is-allowed-in-ufw-gps-tracking-t https://ubuntuforums.org/showthread.php?t=2138691 https://askubuntu.com/questions/299964/why-is-ufw-logging-block-messages-regarding-a-port-for-which-ufw-is-configured?rq=1 – Mike Mar 11 '19 at 05:28
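The question's log lines, together with the last comment's conclusion (log spam rather than a security or connectivity problem), lend themselves to a small triage script. The following is an added example, not code from the question or its comments: it parses [UFW BLOCK] kernel lines into their KEY=VALUE fields and bare TCP flag tokens, then separates stale-connection teardown packets to an allowed port (the ACK FIN entries above) from blocks the policy intended and from fresh SYNs to an allowed port, which would point at a real rule problem. The sample log and the ALLOWED table are constructed from the values shown in the question; nothing is read from a live system.

```python
import ipaddress
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample log, modelled on the [UFW BLOCK] lines quoted in the question.
# Lines 1-2: the ACK FIN teardown packets from 10.1.1.1 to the allowed port 8080.
# Line 3: a SYN from outside the allowed range to port 22 (the policy doing its job).
# Line 4: a SYN from inside the range to a port no rule allows.
# Line 5: a SYN from inside the range to port 8080, which an allow rule should have passed.
SAMPLE_LOG = """\
Mar 10 18:28:48 pi-hole kernel: [97820.380848] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21106 DF PROTO=TCP SPT=36656 DPT=8080 WINDOW=245 RES=0x00 ACK FIN URGP=0
Mar 10 18:29:10 pi-hole kernel: [97841.880829] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.1 DST=10.1.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21826 DF PROTO=TCP SPT=36657 DPT=8080 WINDOW=245 RES=0x00 ACK FIN URGP=0
Mar 10 18:30:02 pi-hole kernel: [97894.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 18:30:05 pi-hole kernel: [97897.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.1 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 18:30:09 pi-hole kernel: [97901.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.1 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50001 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The allow rules from the question's ufw status that matter here: (port, proto, source network).
ALLOWED = [
    (22, "tcp", ipaddress.ip_network("10.1.0.0/16")),    # SSH
    (8080, "tcp", ipaddress.ip_network("10.1.0.0/16")),  # one of the UniFi TCP ports
]


def parse_ufw_line(line):
    """Turn one '[UFW BLOCK]' kernel log line into a dict of KEY=VALUE fields plus a 'flags'
    set holding the bare TCP flag tokens (SYN, ACK, FIN, ...). Returns None for other lines."""
    marker = "[UFW BLOCK]"
    idx = line.find(marker)
    if idx < 0:
        return None
    entry = {"flags": set()}
    for token in line[idx + len(marker):].split():
        if "=" in token:
            key, _, value = token.partition("=")
            entry[key] = value
        elif token in TCP_FLAGS:
            entry["flags"].add(token)
    return entry


def classify(entry, allowed):
    """Sort a blocked packet into one of three buckets:
    policy-block     - no allow rule covers this source/port; the firewall is doing its job
    conntrack-stale  - an allow rule covers it but the packet carries no SYN (FIN/ACK/RST of a
                       connection conntrack has already forgotten): the noise the question is about
    unexpected-block - an allow rule covers it and it is a fresh SYN, so the rule set needs a look"""
    proto = entry.get("PROTO", "").lower()
    dport = int(entry.get("DPT", "0"))
    src = ipaddress.ip_address(entry.get("SRC", "0.0.0.0"))
    covered = any(port == dport and p == proto and src in net for port, p, net in allowed)
    if not covered:
        return "policy-block"
    if proto == "tcp" and "SYN" not in entry["flags"] and entry["flags"] & {"FIN", "ACK", "RST"}:
        return "conntrack-stale"
    return "unexpected-block"


def triage(log_text, allowed):
    """Count blocked packets per bucket over a whole log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry is not None:
            counts[classify(entry, allowed)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in sorted(triage(SAMPLE_LOG, ALLOWED).items()):
        print(f"{bucket:18} {n}")
```

Run against a real /var/log/ufw.log, a large conntrack-stale count with an empty unexpected-block bucket is the signature of the situation in the question; any unexpected-block entries are the ones worth chasing, and the policy-block bucket is the firewall's normal work.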

1 Answer


As per https://askubuntu.com/questions/803276/ufw-block-syslog-tcp-ip-is-blocked-and-this-is-allowed-in-ufw-gps-tracking-t above, the issue revolves around different vendors closing connections in different ways. This results in UFW receiving some packets on port 8080 on connections the source thought were still open but that UFW thought had closed. To get around this we first delete the allow port 8080 rule in ufw by using sudo ufw delete <rule number of 8080 rule>

Then we tell UFW to accept all 8080 packets whether or not they're valid. We do this by editing /etc/ufw/before.rules for IPv4 and /etc/ufw/before6.rules for IPv6, adding the rule somewhere before the 'drop INVALID packets' section.

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Accept everything from tcp 8080 
#Stops ufw.log filling with 8080 notices despite port 8080 being 'allowed'
-A ufw-before-input -p tcp --dport 8080 -j ACCEPT


# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

It's a good idea to remind yourself of this rule because it won't appear when you run ufw status. I have a rule that opens some other ports for the same service (unifi controller) so I added a note using

ufw allow from x.x.x.x to any proto tcp port 8443,27117 comment 'UniFi ports. Also see manual rule for 8080 in /etc/ufw/before.rules'

ufw status shows the comment:

8443,27117/tcp  ALLOW  10.1.0.0/16  # UniFi ports. Also see manual rule for 8080 in /etc/ufw/before.rules

I'm not using ipv6 in my instance so I can't test it, but you'd edit before6.rules and add the appropriate rule there.

Mike
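Two things about the hand-added rule are easy to get wrong and do not show up in ufw status: it must sit in ufw-before-input ahead of the two --ctstate INVALID lines, because iptables evaluates the chain top to bottom and a rule placed below them never sees the stale packets; and as posted it has no -s match, so it accepts port 8080 from any source, whereas the deleted ufw rule was limited to 10.1.0.0/16. The following is an added example, not code from the answer, that checks both points in a before.rules text. The two rule excerpts are constructed (one as the answer shows it, one deliberately misplaced but source-restricted); the file path is the one the answer names, and nothing is read from a live system.

```python
import re

# Constructed excerpt of /etc/ufw/before.rules after the edit the answer describes. Only the
# ufw-before-input lines that matter are shown; the real file contains more.
RULES_AS_POSTED = """\
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Accept everything from tcp 8080
-A ufw-before-input -p tcp --dport 8080 -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

# Constructed variant: limited to the LAN with -s, but pasted below the INVALID drop, so the
# stale packets are dropped and logged before the ACCEPT is ever consulted.
RULES_MISPLACED = """\
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -s 10.1.0.0/16 -p tcp --dport 8080 -j ACCEPT
COMMIT
"""


def check_manual_accept(rules_text, port, proto="tcp"):
    """Inspect the ufw-before-input chain of a before.rules text for a hand-added ACCEPT of
    proto/port. Reports whether it exists, whether it precedes the first '--ctstate INVALID'
    rule (the order in which iptables evaluates them), and the -s source it is limited to,
    or None when it accepts from anywhere."""
    accept_re = re.compile(rf"-p {proto}\b.*--dport {port}\b.*-j ACCEPT")
    accept_idx = invalid_idx = None
    source = None
    for i, line in enumerate(rules_text.splitlines()):
        if not line.startswith("-A ufw-before-input"):
            continue
        if accept_idx is None and accept_re.search(line):
            accept_idx = i
            m = re.search(r"(?:^|\s)-s\s+(\S+)", line)
            source = m.group(1) if m else None
        elif invalid_idx is None and "--ctstate INVALID" in line:
            invalid_idx = i
    return {
        "present": accept_idx is not None,
        "before_invalid_drop": accept_idx is not None
        and (invalid_idx is None or accept_idx < invalid_idx),
        "source": source,
    }


if __name__ == "__main__":
    for name, text in (("as posted", RULES_AS_POSTED), ("misplaced", RULES_MISPLACED)):
        print(f"{name}: {check_manual_accept(text, 8080)}")
```

To check the real file, read /etc/ufw/before.rules into a string and pass it to check_manual_accept; a result with present set, before_invalid_drop set and source equal to the network you intended is the one you want. Remember that ufw only picks up edits to before.rules after sudo ufw reload.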