Documentation: "allowed packets not matching the defined policy"

Asked by bozonius

I'm not an expert on firewalls. The ufw man page states that the logging level medium includes "allowed packets not matching the defined policy" -- I do not understand how a packet which does not match policy could be allowed; my thinking is that packets failing the policy's rules would result in REJECT or DENY, rather than ALLOW. Thus, how would these packets ever get logged?

Maybe I am just not parsing you. Please clarify which packets this *specific* phrase (I understand the rest) refers to. It is NOT clear to me.

Question information

English Edit question
Ubuntu ufw Edit question
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said :

Don't confuse policy with rules.

Revision history for this message
bozonius (bozonius) said :

Manfred: If the POLICY of a chain is, say, DENY, then any packets not matching and rule in that chain will be DENIED. No confusion over that. There is no way for a packet to not match a POLICY; a packet either matches some rule in the chain, or the POLICY serves as the default. It is rules that match, not a policy, the policy being the default for the chain.

It is the language that is the problem here, not a problem in understanding the difference between policy and rules. You seem to mean something I don't understand when the ufw man page uses the phrase "allowed packets not matching the defined policy", which is what I am asking you to explain. Thank you for your patient and thoughtful response.

Revision history for this message
Manfred Hampl (m-hampl) said :

Where do you see a reference to a "policy in a chain"? I only see one overall default policy (per direction).

See the man pages:
default allow|deny|reject DIRECTION
              change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYNTAX for more on deny and reject.

I read this the following way:
You first set the overall policy to define what should happen in case that there is no rule for a certain packet, and then you set the rules for those packets that should be handled different than the default policy.
So if the default policy is deny or reject, but a specific rule allows a packet, then this packet is not matching the policy but is still allowed.

Can you help with this problem?

Provide an answer of your own, or ask bozonius for more information if necessary.

To post a message you must log in.