4

I am using Ubuntu 10.04 on a VPS. Without enabling UFW everything works fine: IMAP using port 143, and sending emails using SMTP port 587.

However, when I turn on UFW a lot of problems are encountered. Email fails, SSH logins are very slow, and the dig command does not work - it times out. Also, apt-get install does not work.

ufw status verbose returns:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    my.ip.address.0
Anywhere                   ALLOW IN    my.ip.address.0/24
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
587                        ALLOW IN    Anywhere
143                        ALLOW IN    Anywhere
993                        ALLOW IN    Anywhere
465/tcp                    ALLOW IN    Anywhere
587/tcp                    ALLOW IN    Anywhere
143/tcp                    ALLOW IN    Anywhere
587/udp                    ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
68/udp                     ALLOW IN    Anywhere
67/udp                     ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
53                         ALLOW OUT   Anywhere
53/tcp                     ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere

In my syslog I get the following (and same again with port 53 allowed):

Aug 25 13:55:31 VPS##-###-## postfix/smtpd[23611]: NOQUEUE: reject: RCPT from unknown[ip.address.here.0]: 450 4.1.8 <my@gmail.com>: Sender address rejected: Domain not found; from=<my@gmail.com> to=<my@server.com> proto=ESMTP helo=<mail-qy0-f179.google.com>

/var/log/messages does not seem to contain anything relevant even though ufw logging is on.

NimChimpsky
  • Are you inadvertently blocking outgoing traffic? That would cause TCP connections to fail (since the handshake can't complete) and may impact SSH because SSH may be doing a DNS lookup for the client. – cjc Aug 25 '11 at 14:16
  • How will I know that? I did ufw default deny? – NimChimpsky Aug 25 '11 at 14:17

3 Answers

6

You're blocking DNS, which would break lookups for mail and explains the SSH login slowdown as well.

Allow port 53 - both TCP and UDP.

Shane Madden
  • Tried it, no luck...? See edit and ufw status verbose output – NimChimpsky Aug 25 '11 at 14:32
  • Check if you can resolve names - `dig example.com`. How is the device's DNS resolution configured? – Shane Madden Aug 25 '11 at 14:51
  • 1
    You want to just allow DNS traffic, not just allow in. Your server is making an outgoing DNS query on port 53. The return traffic for DNS will not be on 53. Your firewall rule for DNS is more for running a DNS server, rather than for making queries. – cjc Aug 25 '11 at 14:54
  • Actually, apt-get install does not work with ufw enabled; it does when disabled. Just did it to get dnsutils – NimChimpsky Aug 25 '11 at 14:54
  • @NimChimpsky That's also indication that name resolution is broken. Your default outgoing is set to allow, but doesn't seem to be working. Try `ufw allow out 53`. – Shane Madden Aug 25 '11 at 15:20
  • @Shane Madden, tried, see updated output. Still not working. – NimChimpsky Aug 25 '11 at 15:39
  • @NimChimpsky Huh. Well, it certainly seems to be UFW doing it. What DNS server is the device using? Check for block messages in `/var/log/messages` after trying name resolution. If all else fails, try `ufw reset` then re-configure it with the needed rules. – Shane Madden Aug 25 '11 at 15:44
  • 1
    For sanity, can you do "sudo iptables -L -n" and edit the results into your original question? UFW is supposed to be an easy-to-use interface to iptables, so, given the problems we're seeing, we may as well go to the source and look at the iptables rules. In particular, we should look at the INPUT and OUTPUT chains. – cjc Aug 25 '11 at 18:05
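The check Shane Madden suggests (look for block messages after a name lookup) can be scripted. The following is an added example, not code from the question or any answer; it assumes the standard ufw kernel log line format (`[UFW BLOCK] IN= OUT=eth0 ... PROTO=UDP ... DPT=53`) and runs over constructed sample lines rather than a real log.

```shell
#!/bin/sh
# Constructed sample of log lines in the format ufw writes to syslog/messages.
# Lines 1-2: outgoing DNS queries (OUT=eth0, DPT=53) being dropped.
# Line 3: an unrelated inbound telnet probe being dropped (expected).
# Line 4: a postfix line, which the summary must ignore.
UFW_LOG_SAMPLE='Aug 25 14:40:01 vps kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=UDP SPT=41234 DPT=53 LEN=40
Aug 25 14:40:02 vps kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51000 DPT=53 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 25 14:40:05 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=33333 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 25 14:40:06 vps postfix/smtpd[23611]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.1.8 Sender address rejected: Domain not found'

# Summarise [UFW BLOCK] lines read from stdin as "<in|out> <PROTO> <DPT> <count>".
# A packet is outgoing when the OUT= field names an interface; otherwise inbound.
# Usage: ufw_block_summary < /var/log/messages
ufw_block_summary() {
    grep '\[UFW BLOCK\]' | awk '{
        dir = "in"; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=./)       dir = "out";
            else if ($i ~ /^PROTO=/) proto = substr($i, 7);
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5);
        }
        count[dir " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Exit 0 if any outgoing DNS query (TCP or UDP to port 53) was blocked, 1 otherwise.
# Blocked outgoing DNS matches the symptoms in the question: slow SSH logins,
# "Domain not found" from postfix, dig timing out, apt-get failing.
outgoing_dns_blocked() {
    ufw_block_summary | grep -Eq '^out (TCP|UDP) 53 '
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$UFW_LOG_SAMPLE" | ufw_block_summary
if printf '%s\n' "$UFW_LOG_SAMPLE" | outgoing_dns_blocked; then
    echo "outgoing DNS is being blocked: check the default outgoing policy and 'ufw allow out 53'"
fi
```

On a live system, replace the sample with `sudo grep 'UFW BLOCK' /var/log/messages | ufw_block_summary` right after running `dig example.com`; if only inbound ports show up, the firewall is not the cause of the lookup failure.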
2

This worked for me. Besides allowing port 53, I also added `sudo ufw allow 25` and then did `sudo ufw status` to make sure my new rule is active and in place.

misterzik
1

I'm a good minute late, but what finally got my SMTP server working was using `ufw reload` to update the new rules I added to the firewall. Of course, 587 and the previously mentioned configurations were mentioned.