ufw won't put custom rule in the correct place at reboot | pressku.com


My main issue is that I lose connection with my Ubuntu 23.04 over ssh once I close my ports using knockd. I would like for it to keep existing connections.

I have a custom rule

> iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

that will fix my issue once added. When I try and add the rule to

> ufw/before.rules

as the first possible rule so that it will load that way at boot time, upon

ufw reload

the rule will appear in the #2 position as it should and knockd performs as expected/required.

But upon reboot, ufw will put my custom rule into the #4 position and then knockd fails to work as expected, until I issue the

ufw reload

command. Then my custom rule will appear in the #2 position and the #4, while knockd behaves as it should.

yoda@email:~$ sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target                    prot opt source               destination
1    f2b-sshd                  tcp  --  anywhere             anywhere             multiport dports ssh
2    ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    f2b-ufw                   tcp  --  anywhere             anywhere
4    ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
5    ufw-before-logging-input  all  --  anywhere             anywhere
6    ufw-before-input          all  --  anywhere             anywhere
7    ufw-after-input           all  --  anywhere             anywhere
8    ufw-after-logging-input   all  --  anywhere             anywhere
9    ufw-reject-input          all  --  anywhere             anywhere
10   ufw-track-input           all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target                      prot opt source               destination
1    ufw-before-logging-forward  all  --  anywhere             anywhere
2    ufw-before-forward          all  --  anywhere             anywhere
3    ufw-after-forward           all  --  anywhere             anywhere
4    ufw-after-logging-forward   all  --  anywhere             anywhere
5    ufw-reject-forward          all  --  anywhere             anywhere
6    ufw-track-forward           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target                     prot opt source               destination
1    ufw-before-logging-output  all  --  anywhere             anywhere
2    ufw-before-output          all  --  anywhere             anywhere
3    ufw-after-output           all  --  anywhere             anywhere
4    ufw-after-logging-output   all  --  anywhere             anywhere
5    ufw-reject-output          all  --  anywhere             anywhere
6    ufw-track-output           all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  agmk.uz              anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  178.128.84.59        anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  124.156.200.144      anywhere             reject-with icmp-port-unreachable
4    REJECT     all  --  162.62.135.19        anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  167.172.103.180      anywhere             reject-with icmp-port-unreachable
6    RETURN     all  --  anywhere             anywhere

Chain f2b-ufw (1 references)
num  target     prot opt source                                    destination
1    REJECT     all  --  scan-43n.shadowserver.org                 anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  45-79-145-84.ip.linodeusercontent.com     anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  143-42-1-52.ip.linodeusercontent.com      anywhere             reject-with icmp-port-unreachable
4    REJECT     all  --  104-237-156-209.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  143-42-1-123.ip.linodeusercontent.com     anywhere             reject-with icmp-port-unreachable
6    REJECT     all  --  173-255-221-22.ip.linodeusercontent.com   anywhere             reject-with icmp-port-unreachable
7    REJECT     all  --  194.33.191.29                             anywhere             reject-with icmp-port-unreachable
8    REJECT     all  --  45-79-92-218.ip.linodeusercontent.com     anywhere             reject-with icmp-port-unreachable
9    REJECT     all  --  80.66.83.49                               anywhere             reject-with icmp-port-unreachable
10   REJECT     all  --  79.110.62.153                             anywhere             reject-with icmp-port-unreachable
11   REJECT     all  --  79.110.62.184                             anywhere             reject-with icmp-port-unreachable
12   REJECT     all  --  recyber.net                               anywhere             reject-with icmp-port-unreachable
13   REJECT     all  --  apzg-0721m-038.stretchoid.com             anywhere             reject-with icmp-port-unreachable
14   REJECT     all  --  carthage.scan.bufferover.run              anywhere             reject-with icmp-port-unreachable
15   REJECT     all  --  173-255-210-89.ip.linodeusercontent.com   anywhere             reject-with icmp-port-unreachable
16   REJECT     all  --  131.150.216.162.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
17   REJECT     all  --  115.146.127.123                           anywhere             reject-with icmp-port-unreachable
18   REJECT     all  --  143-42-164-204.ip.linodeusercontent.com   anywhere             reject-with icmp-port-unreachable
19   REJECT     all  --  proxychecker.vultr.com                    anywhere             reject-with icmp-port-unreachable
20   REJECT     all  --  apzg-0721-a-076.stretchoid.com            anywhere             reject-with icmp-port-unreachable
21   REJECT     all  --  192-155-84-194.ip.linodeusercontent.com   anywhere             reject-with icmp-port-unreachable
22   REJECT     all  --  79.110.62.78                              anywhere             reject-with icmp-port-unreachable
23   REJECT     all  --  ip-58-18.4vendeta.com                     anywhere             reject-with icmp-port-unreachable
24   REJECT     all  --  45-56-83-149.ip.linodeusercontent.com     anywhere             reject-with icmp-port-unreachable

Chain ufw-after-forward (1 references)
num  target     prot opt source               destination

Chain ufw-after-input (1 references)
num  target                    prot opt source               destination
1    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
2    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
3    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
4    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
5    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
6    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
7    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-after-output (1 references)
num  target     prot opt source               destination

Chain ufw-before-forward (1 references)
num  target            prot opt source               destination
1    ACCEPT            all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT            icmp --  anywhere             anywhere             icmp destination-unreachable
3    ACCEPT            icmp --  anywhere             anywhere             icmp time-exceeded
4    ACCEPT            icmp --  anywhere             anywhere             icmp parameter-problem
5    ACCEPT            icmp --  anywhere             anywhere             icmp echo-request
6    ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
num  target            prot opt source               destination
1    ACCEPT            all  --  anywhere             anywhere
2    ACCEPT            all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
4    DROP              all  --  anywhere             anywhere             ctstate INVALID
5    ACCEPT            icmp --  anywhere             anywhere             icmp destination-unreachable
6    ACCEPT            icmp --  anywhere             anywhere             icmp time-exceeded
7    ACCEPT            icmp --  anywhere             anywhere             icmp parameter-problem
8    ACCEPT            icmp --  anywhere             anywhere             icmp echo-request
9    ACCEPT            udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
10   ufw-not-local     all  --  anywhere             anywhere
11   ACCEPT            udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
12   ACCEPT            udp  --  anywhere             239.255.255.250      udp dpt:1900
13   ufw-user-input    all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-before-output (1 references)
num  target           prot opt source               destination
1    ACCEPT           all  --  anywhere             anywhere
2    ACCEPT           all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
2    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num  target            prot opt source               destination
1    RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
3    RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
4    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
5    DROP              all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
num  target     prot opt source               destination

Chain ufw-reject-input (1 references)
num  target     prot opt source               destination

Chain ufw-reject-output (1 references)
num  target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
num  target     prot opt source               destination

Chain ufw-track-input (1 references)
num  target     prot opt source               destination

Chain ufw-track-output (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
2    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
num  target     prot opt source               destination

Chain ufw-user-input (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s

Chain ufw-user-limit (0 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
num  target     prot opt source               destination

Chain ufw-user-output (1 references)
num  target     prot opt source               destination

How do I get knockd to load my rule at boot time into the correct position in my firewall?
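A post-boot check for the ordering problem the question describes, added here as an example; it is not part of the original post and not ufw's or knockd's own code. It reads `iptables -S INPUT` style output (one `-A INPUT ...` rule per line, which is the form `iptables -S` prints, in contrast to the `iptables -L` listing above) and reports where the conntrack RELATED,ESTABLISHED ACCEPT sits, whether it is duplicated (the #2/#4 pair seen after `ufw reload`), and whether a jump into a ufw-* chain lands ahead of it. Both sample listings are constructed to mirror the question's chain order, not captured from the asker's host, and the "wanted" ordering (single rule at position 1) is an assumption about what the asker is after.

```shell
#!/bin/sh
# Added example: verify where the conntrack ACCEPT rule ended up in INPUT.
# Input is `iptables -S INPUT` output, one "-A INPUT ..." rule per line.

# Constructed sample mirroring the question's listing after `ufw reload`:
# f2b-sshd, conntrack ACCEPT, f2b-ufw, conntrack ACCEPT again, then ufw jumps.
OBSERVED_INPUT_RULES='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j f2b-ufw
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Constructed sample of the assumed wanted ordering: one conntrack ACCEPT at
# the top, ahead of the fail2ban chains and the ufw jumps.
WANTED_INPUT_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -j f2b-ufw
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input'

# Print the 1-based INPUT position(s) of every conntrack RELATED,ESTABLISHED
# ACCEPT rule, comma separated (empty line if none). Reads stdin.
conntrack_positions() {
    grep '^-A INPUT ' | awk '
        /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ && /-j ACCEPT/ {
            printf "%s%d", sep, NR; sep = ","
        }
        END { print "" }'
}

# Exit 0 only when the rule appears exactly once and before the first jump
# into a ufw-* chain; print a one-line verdict either way. Reads stdin.
check_conntrack_rule() {
    grep '^-A INPUT ' | awk '
        /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ && /-j ACCEPT/ {
            n++; if (!first) first = NR
        }
        /-j ufw-/ && !ufw { ufw = NR }
        END {
            if (n == 0) { print "MISSING: no conntrack ACCEPT in INPUT"; exit 1 }
            if (n > 1)  { print "DUPLICATE: conntrack ACCEPT appears " n " times"; exit 1 }
            if (ufw && ufw < first) {
                print "MISORDERED: ufw jump at " ufw " precedes conntrack ACCEPT at " first
                exit 1
            }
            print "OK: single conntrack ACCEPT at position " first
        }'
}

# Stand-alone demo over the two constructed samples.
printf '%s\n' "$OBSERVED_INPUT_RULES" | conntrack_positions        # 2,4
printf '%s\n' "$OBSERVED_INPUT_RULES" | check_conntrack_rule || true
printf '%s\n' "$WANTED_INPUT_RULES" | check_conntrack_rule
```

On a live host, `sudo iptables -S INPUT | check_conntrack_rule` run from a boot-time unit or a cron job reports the misordering before an ssh session is lost to it; the verdict lines are meant to be grepped from a log, and the non-zero exit can gate an alert.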
