
How to make ping and traceroute work after setting UFW with deny outgoing by default?

Here is my UFW configuration:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
123/udp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
123/udp (v6)               ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

53                         ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
587/tcp                    ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere
53 (v6)                    ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
587/tcp (v6)               ALLOW OUT   Anywhere (v6)
123/udp (v6)               ALLOW OUT   Anywhere (v6)

Here are ping and traceroute results:

ping google.com
PING google.com (173.194.121.34) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

traceroute google.com
traceroute to google.com (173.194.121.34), 30 hops max, 60 byte packets
send: Operation not permitted

I found this post (http://www.kelvinism.com/2010/09/enable-icmp-through-ufw_461.html) that recommends adding these lines to /etc/ufw/before.rules:

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

It seems to work for ping but not for traceroute. Any idea?

Thanks

Michael

4 Answers


This worked for me:

ufw allow out to any port 33434:33524 proto udp
Rob Mascaro
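
The rule above works because a classic UDP traceroute sends one probe per hop and per query and bumps the destination port by one for each probe, starting from a base port of 33434 (these are the documented defaults of the Linux traceroute: 30 hops, 3 queries, base 33434; `-m`, `-q` and `-p` change them). The following is an added example, not code from the original post, from ufw or from traceroute: it computes the port range from those parameters, prints the matching ufw command, and audits a `ufw status verbose` listing for an outbound UDP rule that covers the range. The helper names and the sample listing (the question's outbound rules, with and without the answer's rule) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post, ufw or traceroute):
# derive the UDP port range a UDP traceroute probes and audit a
# `ufw status verbose` listing for an outbound rule that covers it.

# traceroute sends one UDP probe per (hop, query) and increments the
# destination port for each probe, starting at the base port. With the
# defaults of 30 hops, 3 queries and base 33434 that is 90 probes, i.e.
# ports 33434..33523 (assumed per the Linux traceroute man page).
traceroute_udp_range() {
    hops=${1:-30}; queries=${2:-3}; base=${3:-33434}
    last=$(( base + hops * queries - 1 ))
    printf '%d:%d\n' "$base" "$last"
}

# The ufw command that opens that range for outbound traffic.
ufw_traceroute_rule() {
    printf 'ufw allow out to any port %s proto udp\n' "$(traceroute_udp_range "$@")"
}

# Read `ufw status verbose` output on stdin; exit 0 only if some ALLOW OUT
# rule covers UDP ports LO..HI (defaults: the traceroute range above).
# A bare port such as "53" means any protocol; "x/tcp" never qualifies.
ufw_covers_udp_out() {
    lo=${1:-33434}; hi=${2:-33523}
    awk -v lo="$lo" -v hi="$hi" '
        /ALLOW +OUT/ {
            spec = $1; proto = ""           # e.g. 53, 443/tcp, 33434:33524/udp
            if (index(spec, "/")) { split(spec, s, "/"); spec = s[1]; proto = s[2] }
            if (proto != "" && proto != "udp") next
            n = split(spec, p, ":")
            plo = p[1] + 0; phi = (n == 2) ? p[2] + 0 : plo
            if (plo <= lo + 0 && phi >= hi + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the outbound half of the listing in the question,
# then the same listing with the rule from the answer added.
STATUS_BEFORE='53                         ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
587/tcp                    ALLOW OUT   Anywhere
123/udp                    ALLOW OUT   Anywhere'
STATUS_AFTER="$STATUS_BEFORE
33434:33524/udp            ALLOW OUT   Anywhere"

if printf '%s\n' "$STATUS_BEFORE" | ufw_covers_udp_out; then
    echo "before: traceroute range covered"
else
    echo "before: traceroute range NOT covered; fix with: $(ufw_traceroute_rule)"
fi
if printf '%s\n' "$STATUS_AFTER" | ufw_covers_udp_out; then
    echo "after: traceroute range covered"
fi
```

The commonly quoted 33434:33524 is one port wider than the 90 default probes need, so it passes the audit; if traceroute is run with a larger `-m` or `-q`, or a different `-p`, recompute the range (for example `traceroute_udp_range 64 3`) instead of widening the rule by guesswork.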

I had to use sudo for traceroute and the -I option (Use ICMP ECHO for tracerouting):

sudo traceroute google.com -I
Michael

For traceroute you need to allow outgoing UDP packets in the range 33434:33524. Some tools will allow you to use ICMP echo requests as well. As you have PING working, you must have enabled ICMP echo-requests packets.

Return packets will be mostly ICMP time-exceeded packets. If you have enabled the required ICMP types, you won't need to configure anything.

BillThor

Suggest you allow a wider ICMP response.

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
ServerMonkey
  • These rules are for input, not output, correct? They are already by default in my `/etc/ufw/before.rules` file and I still had the issue. I think I need output rules to make things work. I still cannot make traceroute work though. – Michael Dec 07 '14 at 18:11
  • Have you tried sudo traceroute www.google.com? – ServerMonkey Dec 08 '14 at 00:49
  • Thanks, it helped. I also had to use the -I option (Use ICMP ECHO for tracerouting). – Michael Dec 08 '14 at 04:32