rules fail using Gufw

Asked by T. Velmoun

Help! Please! (sorry for the long question...)

I either don’t understand or am doing something wrong…

I cannot seem to add a rule using GUFW that allows (ACCEPT) access if the INPUT chain policy is DENY (iptables DROP). If I add the rule using UFW commands directly, with the INPUT chain policy at DROP, everything works fine.

Running Linux Mint 17.3, Cinnamon, 32 bit, UFW version 0.34~rc-0ubuntu2, GUFW version 14.04.2 LTS and iptables version v1.6.0

- INPUT policy is DENY (iptables DROP) – I want everything blocked by default, specifically allowing access per application.
- OUTPUT policy is ALLOW (iptables ACCEPT)
- FORWARD policy is DENY (iptables DROP)

Example 1 - UFW command
--------------
UFW rule for VNC, port 5900:

       ufw allow proto tcp from 10.0.0.168 to any port 5900

as shown in the GUFW Rules pane:

       5900/tcp ALLOW IN 10.0.0.168

In iptables (iptables -L), Chain ufw-user-input, the rule is shown as:

       ACCEPT tcp -- 10.0.0.168 anywhere tcp spt: 5900

which works perfectly - VNC access is allowed for - only - 10.0.0.168 on port 5900.

Example 2 - GUFW +/Advanced
--------------
If I attempt to add this rule using GUFW, access to VNC remains blocked.

GUFW +/Advanced parameters:

     Name: VNC
     Policy: Allow
     Direction: In
     Interface: All Interfaces
     Log: Do not Log
     Protocol: TCP
     From: 10.0.0.92 Port: 5900
     To: <blank> Port: <blank>

resulting, as shown in the GUFW Rules pane:

      Anywhere ALLOW IN 10.0.0.168/tcp VNC

which fails - access to port 5900 remains blocked for all IPs.

In iptables (iptables -L), Chain ufw-user-input, the rule is shown as:

       ACCEPT tcp -- 10.0.0.168 anywhere tcp spt: 5900

Example 3 - GUFW +/Advanced setting 'To' parameters
--------------
Setting the 'To' fields as well:

     To: 10.0.0.92 Port: 5900

results in the rule shown in the GUFW Rules pane:

       10.0.0.92 5900/tcp ALLOW IN 10.0.0.168 5900/tcp VNC

In iptables (iptables -L), Chain ufw-user-input, the rule is shown as:

       ACCEPT tcp -- 10.0.0.168 10.0.0.92 tcp spt: 5900 dpt: 5900

also fails - access to VNC remains blocked.

Interesting (at least to me) is that the iptables rule added by the UFW command (Example 1) is (appears) the same as the GUFW generated rule (Example 2), but the rule created using GUFW doesn't 'unblock' the IP/port, while the rule created using the UFW command unblocks allowing access.

Obviously iptables and/or UFW commands can be used directly, but I remotely support (using VNC) several elderly Linux Mint users and thus need a simple/easy way for them to change the source IP on their system if my WAN IP changes - which happens occasionally. My hope is that GUFW would make this possible. Of course I could have them execute 'ufw disable' and/or 'iptables -F' to temporarily disable the firewall if this happens, but since these are commands that require 'root' (sudo) access thru a terminal... well... remember 'elderly users' (I r one...)…

Note: the IP addresses used above, 10.0.0.x, are internal LAN, which I’m using to test locally – the actual IPs are of course WAN IPs.

Thank you for any information, ideas, clarifications, solutions, comments...
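The following helper script is an added example and is not part of the question above, nor code from the Gufw or ufw projects. It assumes ufw is installed, that the VNC server listens on TCP 5900, and that the permitted client is a single IPv4 address; the script name and function names are my own. It builds the same `ufw allow proto tcp from <src> to any port 5900` rule the question shows working, wraps the swap of one source address for another (the task the asker wants non-technical users to be able to do) so the commands are previewed before anything is applied, and includes a check over `iptables -L -n` style output: in that output `spt:` matches the client's source port and `dpt:` the destination port, and since a VNC client connects from an ephemeral source port, a rule that matches only `spt:5900` (the shape that appears when the port is placed in a "From" field) will not admit it.

```shell
#!/bin/sh
# Added example, not from the Launchpad question or the Gufw project.
# Assumptions: ufw is installed, the VNC server listens on TCP 5900, and the
# allowed client is identified by a single IPv4 address. Nothing here runs
# ufw unless APPLY=1 is set, so the helpers can be read and tested as a
# normal user.

# Succeed only if $1 is a dotted-quad IPv4 address with octets in 0-255.
valid_ipv4() {
    _ip="$1"
    case "$_ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_oldifs"
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ufw command that admits TCP from one source address to the local
# VNC port. "to any port N" becomes an iptables dpt:N (destination port)
# match, which is what a listening server needs.
vnc_allow_rule() {
    valid_ipv4 "$1" || return 1
    printf 'ufw allow proto tcp from %s to any port %s\n' "$1" "${2:-5900}"
}

# Swap the permitted client address: delete the rule for $1, add one for $2.
# With APPLY=1 the ufw commands are executed (requires root); otherwise they
# are only printed for review.
replace_vnc_source() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    _port="${3:-5900}"
    _del="ufw delete allow proto tcp from $1 to any port $_port"
    _add="ufw allow proto tcp from $2 to any port $_port"
    if [ "${APPLY:-0}" = 1 ]; then
        $_del && $_add
    else
        printf '%s\n%s\n' "$_del" "$_add"
    fi
}

# Read `iptables -L -n` style rule lines on stdin and count those that match
# only a source port (spt:) with no destination port (dpt:). Such a rule only
# admits clients whose ephemeral source port happens to equal N, so a normal
# VNC client is still blocked by it.
count_source_port_only_rules() {
    grep 'spt:' | grep -vc 'dpt:'
}

# Constructed sample in the layout of `iptables -L ufw-user-input -n`: the
# first line is the shape produced when the port is put in a "From" field,
# the second the shape produced by "to any port 5900".
SAMPLE_RULES='ACCEPT     tcp  --  10.0.0.168           0.0.0.0/0            tcp spt:5900
ACCEPT     tcp  --  10.0.0.168           0.0.0.0/0            tcp dpt:5900'

# `sh vnc-source.sh preview` prints the two commands for the sample addresses
# and the count of source-port-only rules in the constructed sample (1).
if [ "${1:-}" = preview ]; then
    replace_vnc_source 10.0.0.168 10.0.0.92
    printf '%s\n' "$SAMPLE_RULES" | count_source_port_only_rules
fi
```

To change the permitted address for real, run the script as root with `APPLY=1` set in its environment; the preview mode lets you confirm the exact `ufw delete` and `ufw allow` lines first. After applying, `sudo iptables -L ufw-user-input -n | sh -c '. ./vnc-source.sh; count_source_port_only_rules'` (or simply reading the output for `dpt:5900`) confirms the live rule matches on the destination port.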

Question information

Language: English
Status: Expired
For: Gufw
Assignee: No assignee
Launchpad Janitor (janitor) said:
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

T. Velmoun (tvelmoun) said:
#2

Trying again as this is still an issue for me...

Thanks

Launchpad Janitor (janitor) said:
#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.