Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
3 votes, 3 answers, 404 views
Is it redundant or useful to add a UFW rule to deny root when ssh already does?
I manage a Debian (Bookworm) host. The sshd config is set to disallow login as root. I've tested that one cannot login as root, as expected.
However, I see hundreds of login attempts daily as root in /var/log/auth.log. Even though I have what I think is adequate reason to believe they can't succeed, the constant brute-force attacks make me uneasy.
I am considering adding a ufw rule in /etc/ufw/before.rules to block any attempt to connect with ssh as root.
Is there any value in adding the proposed rule or something like it? Or would that be redundant and/or potentially cause problems?
Gojira
(133 rep)
Aug 5, 2025, 12:33 AM
• Last activity: Aug 5, 2025, 05:53 PM
0 votes, 2 answers, 2461 views
ufw not logging all connections as expected
I am trying to set up logging on Ubuntu Server 20.04.4 using ufw, but I'll take non-ufw advice as well.
I am running a test https server on port 20000 and want to log all connections to it. Here's what I did:
```
ufw allow log-all 20000/tcp
```
Here's my ufw status:
```
To                         Action      From
--                         ------      ----
20000/tcp                  ALLOW IN    Anywhere                   (log-all)
```
Now the only records I see in my log file (/var/log/ufw.log) are the "blocks" being generated from other rules. I am able to connect to the server from outside, and my test server runs fine (*delivers the content I need*). But I just don't see any records pertaining to this rule in the ufw logs.
What might I be missing?
Edit 1: Since I cannot comment yet, I am reacting to @mashuptwice's advice here.
My ufw logging is on (low).
If I did
```
ufw logging medium
```
wouldn't that apply to all rules? I only need extra logging for this specific rule.
Dr Phil
(139 rep)
Feb 28, 2022, 03:39 PM
• Last activity: Jul 19, 2025, 01:04 PM
0 votes, 1 answer, 27 views
Where are the original UFW rules sourced from?
I don't mean the files under `/etc/ufw/`, as best I can tell, because I have rules with comments in them and those comments do not exist in any file in that directory. The `.rules` there are the derived commands for iptables, and their comments contain only the app name.
Say `ufw status numbered` shows this rule:
```
     To                         Action      From
     --                         ------      ----
[ 1] MyAppName                  ALLOW IN    Anywhere                   # myuniquecomment
```
`MyAppName` is defined under `/etc/ufw/applications.d/`, but I can't find `myuniquecomment` except in the output of `ufw` commands.
So where are the originals located?
Walf
(1567 rep)
Jul 10, 2025, 02:47 AM
• Last activity: Jul 10, 2025, 06:03 AM
4 votes, 1 answer, 3490 views
How to add multiple user.rules in ufw?
I know you can add rules one by one. But is there a way to add rules in one go?
For instance, this is how you add rules in ufw in Debian:
```
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow 22/udp
```
Now instead of doing it 1 by 1, is there a way to do it all at once?
I did try
```
$ sudo ufw allow 80/tcp 443/tcp 22/udp
```
but that didn't work. Any ideas?
shirish
(12954 rep)
Jan 22, 2017, 11:23 AM
• Last activity: Jun 17, 2025, 10:01 AM
1 vote, 2 answers, 6466 views
How to block all incoming and outgoing traffic except outgoing on ports 80 and 443 in ufw?
I need to unblock only outgoing ports 443 and 80, only for browsing the internet. Currently I'm using these rules:
```
ufw default deny incoming
ufw default deny outgoing
ufw allow out from any to any port 443 proto tcp
ufw allow out from any to any port 80 proto tcp
ufw enable
```
But unfortunately ufw blocks all internet access, and pages do not load.
Do you have any solution to my problem or another alternative?
Note: With CSF (ConfigServer Firewall), incoming traffic on ports 443 and 80 is not necessary to connect to the internet, only outgoing 443 and 80, but how can I do that in ufw?
xixuhuw
(11 rep)
Aug 11, 2019, 08:07 PM
• Last activity: Jun 10, 2025, 09:10 PM
0 votes, 1 answer, 2348 views
ufw won't allow connections to postgres port 5432
With `ufw disable` on the remote postgres system I'm able to connect from my local system. However, the connection does not work when I `ufw enable`, as shown below:
```
C:\Users\HOME>telnet 80.240.24.195 5432
Connecting To 80.240.24.195...Could not open connection to the host, on port 5432: Connect failed
```
Below is my postgres configuration at the time of restart.
```
cat /etc/postgresql/12/main/postgresql.conf
# - Connection Settings -
listen_addresses = '*'                  # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
port = 5432                             # (change requires restart)
max_connections = 100                   # (change requires restart)
#superuser_reserved_connections = 3     # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
```
```
cat /etc/postgresql/12/main/pg_hba.conf
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
```
telnet works when tried from the postgres host itself, but when I try to make the connection from my local laptop it fails.
```
root@DKERP:/# ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 8069                       ALLOW IN    Anywhere
[ 3] 443/tcp                    DENY IN     Anywhere
[ 4] 443                        DENY IN     Anywhere
[ 5] 80/tcp                     DENY IN     Anywhere
[ 6] 80,443,5432/tcp            DENY IN     Anywhere
[ 7] 80                         DENY IN     Anywhere
[ 8] 4433/tcp                   DENY IN     Anywhere
[ 9] 5432/tcp                   ALLOW IN    Anywhere
     22 (v6)                    ALLOW IN    Anywhere (v6)
     8069 (v6)                  ALLOW IN    Anywhere (v6)
     443/tcp (v6)               DENY IN     Anywhere (v6)
     443 (v6)                   DENY IN     Anywhere (v6)
     80/tcp (v6)                DENY IN     Anywhere (v6)
     80,443,5432/tcp (v6)       DENY IN     Anywhere (v6)
     80 (v6)                    DENY IN     Anywhere (v6)
     4433/tcp (v6)              DENY IN     Anywhere (v6)
     5432/tcp (v6)              ALLOW IN    Anywhere (v6)
```
Can you please suggest what needs to be done further to get the postgres connection to work from my local laptop?
Ashar
(527 rep)
Jan 9, 2022, 02:43 PM
• Last activity: May 5, 2025, 02:00 PM
3 votes, 1 answer, 9704 views
Ubuntu 22.04 iptables command not working
I'm totally new to the netfilter thing. Currently I am running an application which uses three interfaces, eth0/eth1/eth2. My application runs on two servers, and they can communicate with each other via their own interfaces (eth0/eth1/eth2).
In Ubuntu 18.04 (kernel version 4.*), I just used iptables commands to break the communication between them.
In 22.04 (kernel version 6.2.*), I use the same iptables commands to break the communication between the two servers, but things are not working as expected (my app code remains unchanged). My application has a mechanism to report whether the neighbour server is reachable or not; in 22.04 with the iptables rules applied, it still reports the other server as reachable (not the case in 18.04).
I can see that a lot has changed regarding how network traffic can be filtered between the two kernel versions (more tools in the recent one).
I removed ufw just to avoid conflicts with nftables. One observation: when I applied the rule, for a brief moment my app reported the neighbour server as unreachable, and then it suddenly changed back to reachable. Something is overriding the rule, but I am unsure what.
Now I am seeking help here to see what I have missed...
```
-A INPUT -s x.x.x.x/32 -d y.y.y.y/32 -i eth2 -j DROP
-A INPUT -s x.x.x.y/32 -d y.y.y.x/32 -i eth1 -j DROP
-A INPUT -s x.x.y.y/32 -d y.y.x.x/32 -i eth0 -j DROP
-A OUTPUT -s y.y.y.y/32 -d x.x.x.x/32 -o eth2 -j DROP
-A OUTPUT -s y.y.y.x/32 -d x.x.x.y/32 -o eth1 -j DROP
-A OUTPUT -s y.y.x.x/32 -d x.x.y.y/32 -o eth0 -j DROP
```
Note: all my rules are prepended to the chain to make sure that they take precedence over anything else.
```
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  xxxx                 yyyy
DROP       all  --  zzzz                 AAAA
DROP       all  --  BBBB                 CCCC
```
RaGa__M
(179 rep)
Nov 29, 2023, 12:59 PM
• Last activity: Apr 8, 2025, 09:09 PM
0 votes, 0 answers, 67 views
How to use iptables on Ubuntu?
I am looking at the output of
```
sudo iptables -L --line-numbers
```
I got
```
Chain ufw-before-forward (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
3    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
4    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
6    ufw-user-forward  all  --  anywhere      anywhere

Chain ufw-before-input (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-logging-deny  all  --  anywhere      anywhere             ctstate INVALID
4    DROP       all  --  anywhere             anywhere             ctstate INVALID
5    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
6    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
7    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
8    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
9    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
10   ufw-not-local  all  --  anywhere         anywhere
11   ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
12   ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
13   ufw-user-input  all  --  anywhere        anywhere
```
Ufw:
```
sudo ufw status numbered
[sudo] password for centa:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     192.168.0.13
```
This is just part of the output, but I cannot decipher it. OK, I understand the protocol, but does "anywhere" mean that everything is open?
Where can I read more?
Chaldovich Centa
(1 rep)
Feb 10, 2025, 12:35 PM
• Last activity: Feb 10, 2025, 04:54 PM
0 votes, 1 answer, 232 views
UFW & Wi-Fi hotspot: allowing DHCP/DNS and making sure that these services are only accessible from the hotspot subnet
I am trying to set up UFW to allow DHCP and DNS for the clients connected to the Wi-Fi hotspot created using `nmcli`. I want the setup to be as restrictive as possible to avoid any DHCP clashes on the wired (`eth0`) -- i.e., "internet" -- interface etc. In a nutshell:
* the hotspot clients on `wlan0` must be behind NAT and must be able to get the IP and DNS configuration from the respective hotspot DHCP,
* the hotspot clients on `wlan0` must be able to access the internet provided by the wired interface (`eth0`),
* other devices on the wired network (`eth0`) must be ignorant of the fact that one of their "neighbours" acts as a gateway, provides DHCP/DNS, etc.
I have already set up NAT and forwarding via `iptables`, and everything works fine _provided that the client devices use static IP configuration._ However, when configured to use DHCP, the client devices fail to obtain this information, and consequently fail to connect to the hotspot.
The subnet used by the hotspot is 10.42.0.0/24 with the gateway being 10.42.0.1 (the NetworkManager defaults). When I try to allow DHCP and DNS ports on `wlan0` using
```
# DHCP
ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 port 67 proto udp
ufw allow out on wlan0 from 10.42.0.1 to 10.42.0.0/24 port 68 proto udp
# DNS
ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 port 53
ufw allow out on wlan0 from 10.42.0.1 to 10.42.0.0/24 port 53
```
my UFW configuration becomes (i.e., only these four extra rules exist):
```
$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
10.42.0.1 67/udp on wlan0  ALLOW IN    10.42.0.0/24
10.42.0.1 53 on wlan0      ALLOW IN    10.42.0.0/24
10.42.0.0/24 68/udp        ALLOW OUT   10.42.0.1 on wlan0
10.42.0.0/24 53            ALLOW OUT   10.42.0.1 on wlan0
```
_But:_ even with these rules, hotspot clients fail to obtain IP/DNS configuration from DHCP. Needless to say, there are no such issues when I temporarily disable UFW...
In a comment by the user "telcoM" in [this post](https://unix.stackexchange.com/a/638482), I found that it might be necessary to allow the `bootps` and `bootpc` protocols instead of ports 67 and 68, respectively. Nonetheless, I am unable to find the UFW syntax needed to do so -- all attempts made thus far (e.g., `ufw allow in on wlan0 from 10.42.0.0/24 to 10.42.0.1 bootps`) resulted in UFW complaining (usually `ERROR: Wrong number of arguments`).
What am I doing wrong?
Thanks.
nvx
(65 rep)
Jan 25, 2025, 07:30 AM
• Last activity: Jan 26, 2025, 12:28 PM
1 vote, 1 answer, 128 views
When I try to back up a remote server with rsnapshot it errors out with code 255
Every time I try running `sudo rsnapshot -v alpha` I get this type of error (it errors for every backup entry I have):
```
ERROR: /usr/bin/rsync returned 255 while processing root@151.131.222.222:/etc/
/usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
    --rsh=/usr/bin/ssh -i /home/user/ssh/id_ed25519 \
    root@151.131.222.222:/usr/share/ \
    /var/cache/rsnapshot/alpha.0/server_backup/
```
1. Yes, rsync is installed on the server and on this machine.
2. Yes, rsync works if I try to manually copy some files with these root credentials from the remote.
3. There is one thing that could potentially be it. When I tried to run the errored-out command, it demanded quotes around the arguments for the `rsh`. Otherwise it would throw a syntax error. But I am not sure how to force rsnapshot to do that. And if I run the errored-out command with quotes around the rsh key, it errors with code 255 as well.
4. The firewall does not block ssh.
5. The server allows only public key authentication.
6. I host my Ubuntu server on Vultr.
Here is my `rsnapshot.conf` file:
#################################################
# rsnapshot.conf - rsnapshot configuration file #
#################################################
# #
# PLEASE BE AWARE OF THE FOLLOWING RULE: #
# #
# This file requires tabs between elements #
# #
#################################################
#######################
# CONFIG FILE VERSION #
#######################
config_version 1.2
###########################
# SNAPSHOT ROOT DIRECTORY #
###########################
# All snapshots will be stored under this root directory.
#
snapshot_root /var/cache/rsnapshot/
# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
#
#no_create_root 1
#################################
# EXTERNAL PROGRAM DEPENDENCIES #
#################################
# LINUX USERS: Be sure to uncomment "cmd_cp". This gives you extra features.
# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
#
# See the README file or the man page for more details.
#
cmd_cp /bin/cp
# uncomment this to use the rm program instead of the built-in perl routine.
#
cmd_rm /bin/rm
# rsync must be enabled for anything to work. This is the only command that
# must be enabled.
#
cmd_rsync /usr/bin/rsync
# Uncomment this to enable remote ssh backups over rsync.
#
cmd_ssh /usr/bin/ssh
# Comment this out to disable syslog support.
#
cmd_logger /usr/bin/logger
# Uncomment this to specify the path to "du" for disk usage checks.
# If you have an older version of "du", you may also want to check the
# "du_args" parameter below.
#
#cmd_du /usr/bin/du
# Uncomment this to specify the path to rsnapshot-diff.
#
#cmd_rsnapshot_diff /usr/bin/rsnapshot-diff
# Specify the path to a script (and any optional arguments) to run right
# before rsnapshot syncs files
#
#cmd_preexec /path/to/preexec/script
# Specify the path to a script (and any optional arguments) to run right
# after rsnapshot syncs files
#
#cmd_postexec /path/to/postexec/script
# Paths to lvcreate, lvremove, mount and umount commands, for use with
# Linux LVMs.
#
#linux_lvm_cmd_lvcreate /sbin/lvcreate
#linux_lvm_cmd_lvremove /sbin/lvremove
#linux_lvm_cmd_mount /bin/mount
#linux_lvm_cmd_umount /bin/umount
#########################################
# BACKUP LEVELS / INTERVALS #
# Must be unique and in ascending order #
# e.g. alpha, beta, gamma, etc. #
#########################################
retain alpha 6
retain beta 7
retain gamma 4
#retain delta 3
############################################
# GLOBAL OPTIONS #
# All are optional, with sensible defaults #
############################################
# Verbose level, 1 through 5.
# 1 Quiet Print fatal errors only
# 2 Default Print errors and warnings only
# 3 Verbose Show equivalent shell commands being executed
# 4 Extra Verbose Show extra verbose information
# 5 Debug mode Everything
#
verbose 2
# Same as "verbose" above, but controls the amount of data sent to the
# logfile, if one is being used. The default is 3.
# If you want the rsync output, you have to set it to 4
#
loglevel 3
# If you enable this, data will be written to the file you specify. The
# amount of data written is controlled by the "loglevel" parameter.
#
logfile /var/log/rsnapshot.log
# If enabled, rsnapshot will write a lockfile to prevent two instances
# from running simultaneously (and messing up the snapshot_root).
# If you enable this, make sure the lockfile directory is not world
# writable. Otherwise anyone can prevent the program from running.
#
lockfile /var/run/rsnapshot.pid
# By default, rsnapshot check lockfile, check if PID is running
# and if not, consider lockfile as stale, then start
# Enabling this stop rsnapshot if PID in lockfile is not running
#
#stop_on_stale_lockfile 0
# Default rsync args. All rsync commands have at least these options set.
#
#rsync_short_args -a
#rsync_long_args --delete --numeric-ids --relative --delete-excluded
# ssh has no args passed by default, but you can specify some here.
#
ssh_args -i /home/user/ssh/id_ed25519
# Default arguments for the "du" program (for disk space reporting).
# The GNU version of "du" is preferred. See the man page for more details.
# If your version of "du" doesn't support the -h flag, try -k flag instead.
#
#du_args -csh
# If this is enabled, rsync won't span filesystem partitions within a
# backup point. This essentially passes the -x option to rsync.
# The default is 0 (off).
#
#one_fs 0
# The include and exclude parameters, if enabled, simply get passed directly
# to rsync. If you have multiple include/exclude patterns, put each one on a
# separate line. Please look up the --include and --exclude options in the
# rsync man page for more details on how to specify file name patterns.
#
#include ???
#include ???
#exclude ???
#exclude ???
# The include_file and exclude_file parameters, if enabled, simply get
# passed directly to rsync. Please look up the --include-from and
# --exclude-from options in the rsync man page for more details.
#
#include_file /path/to/include/file
#exclude_file /path/to/exclude/file
# If your version of rsync supports --link-dest, consider enabling this.
# This is the best way to support special files (FIFOs, etc) cross-platform.
# The default is 0 (off).
#
#link_dest 0
# When sync_first is enabled, it changes the default behaviour of rsnapshot.
# Normally, when rsnapshot is called with its lowest interval
# (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
# intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
# and all interval calls simply rotate files. See the man page for more
# details. The default is 0 (off).
#
#sync_first 0
# If enabled, rsnapshot will move the oldest directory for each interval
# to [interval_name].delete, then it will remove the lockfile and delete
# that directory just before it exits. The default is 0 (off).
#
#use_lazy_deletes 0
# Number of rsync re-tries. If you experience any network problems or
# network card issues that tend to cause ssh to fail with errors like
# "Corrupted MAC on input", for example, set this to a non-zero value
# to have the rsync operation re-tried.
#
#rsync_numtries 0
# LVM parameters. Used to backup with creating lvm snapshot before backup
# and removing it after. This should ensure consistency of data in some special
# cases
#
# LVM snapshot(s) size (lvcreate --size option).
#
#linux_lvm_snapshotsize 100M
# Name to be used when creating the LVM logical volume snapshot(s).
#
#linux_lvm_snapshotname rsnapshot
# Path to the LVM Volume Groups.
#
#linux_lvm_vgpath /dev
# Mount point to use to temporarily mount the snapshot(s).
#
#linux_lvm_mountpath /path/to/mount/lvm/snapshot/during/backup
###############################
### BACKUP POINTS / SCRIPTS ###
###############################
# REMOTE SERVER
backup root@151.131.222.222:/home/ server_backup/
backup root@151.131.222.222:/etc/ server_backup/
#backup_script /usr/local/bin/backup_pgsql.sh localhost/postgres/
# You must set linux_lvm_* parameters below before using lvm snapshots
#backup lvm://vg0/xen-home/ lvm-vg0/xen-home/
# EXAMPLE.COM
#backup_exec /bin/date "+ backup of example.com started at %c"
#backup root@example.com:/home/ example.com/ +rsync_long_args=--bwlimit=16,exclude=core
#backup root@example.com:/etc/ example.com/ exclude=mtab,exclude=core
#backup_exec ssh root@example.com "mysqldump -A > /var/db/dump/mysql.sql"
#backup root@example.com:/var/db/dump/ example.com/
#backup_exec /bin/date "+ backup of example.com ended at %c"
# CVS.SOURCEFORGE.NET
#backup_script /usr/local/bin/backup_rsnapshot_cvsroot.sh rsnapshot.cvs.sourceforge.net/
# RSYNC.SAMBA.ORG
#backup rsync://rsync.samba.org/rsyncftp/ rsync.samba.org/rsyncftp/
My sshd logs look this way:
2025-01-21T16:47:06.445342+00:00 server sshd: Connection from 99.11.11.11 port 57908 on 151.131.222.222 port 22 rdomain ""
2025-01-21T16:47:06.445890+00:00 server sshd: debug1: Local version string SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4
2025-01-21T16:47:06.446150+00:00 server sshd: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
2025-01-21T16:47:06.446387+00:00 server sshd: debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
2025-01-21T16:47:06.448025+00:00 server sshd: debug1: permanently_set_uid: 109/65534 [preauth]
2025-01-21T16:47:06.448401+00:00 server sshd: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2025-01-21T16:47:06.448865+00:00 server sshd: debug1: SSH2_MSG_KEXINIT sent [preauth]
2025-01-21T16:47:06.473088+00:00 server sshd: debug1: SSH2_MSG_KEXINIT received [preauth]
2025-01-21T16:47:06.473305+00:00 server sshd: debug1: kex: algorithm: curve25519-sha256 [preauth]
2025-01-21T16:47:06.473602+00:00 server sshd: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
2025-01-21T16:47:06.473829+00:00 server sshd: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
2025-01-21T16:47:06.474193+00:00 server sshd: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
2025-01-21T16:47:06.474496+00:00 server sshd: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2025-01-21T16:47:06.502026+00:00 server sshd: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
2025-01-21T16:47:06.509345+00:00 server sshd: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
2025-01-21T16:47:06.509768+00:00 server sshd: debug1: rekey out after 134217728 blocks [preauth]
2025-01-21T16:47:06.510085+00:00 server sshd: debug1: SSH2_MSG_NEWKEYS sent [preauth]
2025-01-21T16:47:06.510210+00:00 server sshd: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
2025-01-21T16:47:06.510573+00:00 server sshd: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2025-01-21T16:47:06.543286+00:00 server sshd: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
2025-01-21T16:47:06.543606+00:00 server sshd: debug1: SSH2_MSG_NEWKEYS received [preauth]
2025-01-21T16:47:06.543946+00:00 server sshd: debug1: rekey in after 134217728 blocks [preauth]
2025-01-21T16:47:06.544260+00:00 server sshd: debug1: KEX done [preauth]
2025-01-21T16:47:06.636933+00:00 server sshd: debug1: userauth-request for user root service ssh-connection method none [preauth]
2025-01-21T16:47:06.637064+00:00 server sshd: debug1: attempt 0 failures 0 [preauth]
2025-01-21T16:47:06.638069+00:00 server sshd: debug1: PAM: initializing for "root"
2025-01-21T16:47:06.641531+00:00 server sshd: debug1: PAM: setting PAM_RHOST to "99.11.11.11"
2025-01-21T16:47:06.642045+00:00 server sshd: debug1: PAM: setting PAM_TTY to "ssh"
2025-01-21T16:47:06.664190+00:00 server sshd: Connection closed by authenticating user root 99.11.11.11 port 57908 [preauth]
2025-01-21T16:47:06.665162+00:00 server sshd: debug1: do_cleanup [preauth]
2025-01-21T16:47:06.666011+00:00 server sshd: debug1: monitor_read_log: child log fd closed
2025-01-21T16:47:06.666354+00:00 server sshd: debug1: do_cleanup
2025-01-21T16:47:06.666609+00:00 server sshd: debug1: PAM: cleanup
2025-01-21T16:47:06.667644+00:00 server sshd: debug1: Killing privsep child 2070
2025-01-21T16:47:06.668031+00:00 server sshd: debug1: audit_event: unhandled event 12
My iptables rules look like this:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns
ACCEPT udp -- anywhere 239.200.200.200 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
My sshd_config file:
```
PermitRootLogin yes
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Include /etc/ssh/sshd_config.d/*.conf
# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
# systemctl daemon-reload
# systemctl restart ssh.socket
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
LogLevel DEBUG
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
```
Thank you for your attention; hopefully someone can help me solve this. I spent the whole day on this issue.
If you think I can use another tool for the backups, please let me know.
I am new to system administration, so I will gladly appreciate any help!
nikita_trifan
(13 rep)
Jan 21, 2025, 04:58 PM
• Last activity: Jan 21, 2025, 05:48 PM
0
votes
1
answers
159
views
UFW does not block all incoming connections
I am running Debian 11 on a server with UFW. The defaults are set to Deny incoming and Allow outgoing and a specific ALLOW IN for SSH and HTTPS. However, I can still FTP into my server? I also see ports 25, 80, 143, 993 and 995 are open.
```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
443 ALLOW IN Anywhere
```
A `ufw show listening` shows a lot more ports than 22 and 443. On a different server, where I have UFW enabled too, I am not seeing this issue and only the ports I have opened are shown under listening.
CustomX
(101 rep)
Jan 13, 2025, 10:03 AM
• Last activity: Jan 13, 2025, 10:38 AM
11
votes
5
answers
14806
views
How to run graphical applications as root under wayland
Under the new Wayland display server, several applications requiring root permission fail to run. I actually have an answer (one way of working around the issue). I welcome any better solutions or criticisms.
Many other answers to this issue recommend adding root to xhost which, while it solves the issue, breaks the Wayland security model a bit. It is much better that we add root to xhost only for the duration of the running of the program, be it synaptic or gparted or whichever.
**Gufw:**
Edit your gufw.desktop file (/usr/share/applications/gufw.desktop in Debian 10) and change the line:
```
=gufw
```
to
```
=sh -c "xhost +si:localuser:root && gufw && xhost -si:localuser:root"
```
**Synaptic:**
Inspired by the post at: https://discourse.ubuntu.com/t/adding-applications-to-start-up/9288
Edit /usr/bin/synaptic-pkexec to comment out the zenity warning message (assuming Debian 10) and change the line:
```
"/usr/sbin/synaptic" "$@"
```
to
```
xhost +si:localuser:root
pkexec "/usr/sbin/synaptic" "$@"
xhost -si:localuser:root
```
I imagine other programs can mostly be adapted in the same way as gufw. This does not solve the underlying issue of old programs running everything including GUI as root but at least they can function like before.
ManSoMean
(111 rep)
Jun 21, 2020, 03:05 PM
• Last activity: Dec 31, 2024, 05:53 PM
0
votes
2
answers
437
views
ufw installation error on Raspberry Pi
I am on a Raspberry Pi trying to install the ufw package and have been getting this error I have no idea how to deal with.
After running `sudo apt install ufw` I get these errors:
```
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Get:1 http://raspbian.raspberrypi.org/raspbian buster/main armhf ufw all 0.36-1 [164 kB]
Err:1 http://raspbian.raspberrypi.org/raspbian buster/main armhf ufw all 0.36-1
File has unexpected size (2567 != 164352). Mirror sync in progress? [IP: *ip here*]
Hashes of expected file:
- SHA256:798b91b28eba5a49d3c06f023dcc38be4daa3f2460113acc420882f8d291a4a2
- SHA1:9ee5e07bd552fccd53e7525c47828a43b2da34e0 [weak]
- MD5Sum:fd529b954c032fc0839b0aec4e52659a [weak]
- Filesize:164352 [weak]
E: Failed to fetch https://register.be.xfinity.com/activate?channel=WALLEDGARDEN File has unexpected size (2567 != 164352). Mirror sync in progress? [IP: *ip here* ]
Hashes of expected file:
- SHA256:798b91b28eba5a49d3c06f023dcc38be4daa3f2460113acc420882f8d291a4a2
- SHA1:9ee5e07bd552fccd53e7525c47828a43b2da34e0 [weak]
- MD5Sum:fd529b954c032fc0839b0aec4e52659a [weak]
- Filesize:164352 [weak]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
```
I then tried running `sudo apt install ufw --fix-missing` like it suggested and ended up with:
```
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Get:1 http://raspbian.raspberrypi.org/raspbian buster/main armhf ufw all 0.36-1 [164 kB]
Err:1 http://raspbian.raspberrypi.org/raspbian buster/main armhf ufw all 0.36-1
File has unexpected size (2567 != 164352). Mirror sync in progress? [IP: *ip here*]
Hashes of expected file:
- SHA256:798b91b28eba5a49d3c06f023dcc38be4daa3f2460113acc420882f8d291a4a2
- SHA1:9ee5e07bd552fccd53e7525c47828a43b2da34e0 [weak]
- MD5Sum:fd529b954c032fc0839b0aec4e52659a [weak]
- Filesize:164352 [weak]
E: Failed to fetch https://register.be.xfinity.com/activate?channel=WALLEDGARDEN File has unexpected size (2567 != 164352). Mirror sync in progress? [IP: *ip here*]
Hashes of expected file:
- SHA256:798b91b28eba5a49d3c06f023dcc38be4daa3f2460113acc420882f8d291a4a2
- SHA1:9ee5e07bd552fccd53e7525c47828a43b2da34e0 [weak]
- MD5Sum:fd529b954c032fc0839b0aec4e52659a [weak]
- Filesize:164352 [weak]
E: Internal Error, ordering was unable to handle the media swap
```
`sudo apt-get update` didn't seem to do anything either. Any help appreciated.
ethanmdev
(5 rep)
May 16, 2020, 08:55 PM
• Last activity: Dec 11, 2024, 10:48 AM
0
votes
1
answers
45
views
Lost SSH access after enabling ufw for MySQL on Ubuntu instance
I have an instance created in my AWS account. This instance was created with an Ubuntu image. The sequence of package installation is Java and MySQL. After installing MySQL, I started the configuration of UFW for port 3306 so that Workbench on Windows can communicate with MySQL on Ubuntu. When I type the command "ufw enable", ufw says that SSH can be destroyed and asks me "yes" or "no". After answering "yes" I lose my Ubuntu system; if I open another connection to my IP address the result is:
```
Command 'lesspipe' is available in the following places
* /bin/lesspipe
* /usr/bin/lesspipe
The command could not be located because '/bin:/usr/bin' is not included in the PATH environment variable.
lesspipe: command not found
Command 'dircolors' is available in the following places
* /bin/dircolors
* /usr/bin/dircolors
The command could not be located because '/usr/bin:/bin' is not included in the PATH environment variable.
dircolors: command not found
```
but I don't have access to any command of the Ubuntu system. I don't have any idea how to solve this problem.
Thanks and best regards.
Cezar Apulchro.
(1 rep)
Sep 27, 2024, 09:17 PM
• Last activity: Sep 28, 2024, 07:27 AM
0
votes
2
answers
754
views
NMAP shows open ports even tough I installed the UFW firewall
I have a VServer on which I installed the firewall UFW. I scanned the server with nmap but it showed a lot of open ports, which I didn't open. Is it a bug? Or did I install UFW incorrectly?
Thank you
ufw status:
http://prntscr.com/pgp5db
nmap:
```
nmap -T4 -A -v *********
```
Edit: I solved the problem. The problem was I just used the wrong nmap command. So the ports were already closed.
user376287
Oct 9, 2019, 12:47 AM
• Last activity: Sep 15, 2024, 08:50 PM
0
votes
0
answers
84
views
How To Add An Allow Rule To UFW's before*.rules
I've appended to my /etc/ufw/before6.rules file the following:
```
-A ufw6-before-input -p tcp -s XX.XX.XXX.XX -j ACCEPT
-A ufw6-before-output -p tcp -d XX.XX.XXX.XX -j ACCEPT
```
but I am still not able to connect successfully unless I disable the ufw firewall.
rkuang25
(1 rep)
Aug 14, 2024, 11:56 PM
• Last activity: Aug 15, 2024, 12:27 AM
0
votes
1
answers
302
views
Wireguard connection to localhost via VPN refused
In order to access my webserver (behind CGNAT on my home PC), I established a wireguard tunnel between my home PC (wireguard IP `10.8.0.3`) and a VPS (wireguard IP `10.8.0.1` and public IP `11.22.33.44`). I also have a domain (my.domain) that is associated with the VPS' public IP.
**Wireguard conf on the VPS**
```
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
[Peer]
## my home pc
PublicKey = QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
AllowedIPs = 10.8.0.3/32
```
**Wireguard conf on my home pc**
```
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Address = 10.8.0.3/32
[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
AllowedIPs = 0.0.0.0/0
Endpoint = 11.22.33.44:51820
PersistentKeepalive = 25
```
I also have UFW installed on the VPS (no firewall on my home pc), using which I am port forwarding 80 from the internet to my home pc.
```
To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN 10.8.0.0/24
[ 2] 51820/udp ALLOW IN Anywhere
[ 3] 51820/udp (v6) ALLOW IN Anywhere (v6)
```
**/etc/ufw/before.rules**
```
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.3:443
-A OUTPUT -o lo -p tcp --dport 80 -j DNAT --to-destination 10.8.0.3:80
-A OUTPUT -o lo -p tcp --dport 443 -j DNAT --to-destination 10.8.0.3:443
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```
Using these configurations, I am able to access my website using my domain from the internet (browser on my phone on a different network) and from my VPS (tested via `curl -4 -v my.domain`). However, when I perform `curl -4 -v my.domain` from my home pc (10.8.0.3), I get the following error:
```
root@home-pc:~# curl -4 -v my.domain
* Trying 11.22.33.44:80...
* connect to 11.22.33.44 port 80 failed: Connection refused
* Failed to connect to my.domain port 80 after 25 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to my.domain port 80 after 25 ms: Couldn't connect to server
```
I know that I can directly connect to my website from my home pc using localhost (or 192.168.50.2) but I am unable to figure out why I cannot connect to my home pc via the VPN. I would like to do this because then I want to connect to localhost using my.domain. How can I achieve this? Thanks in advance for any leads.
Sam
(101 rep)
Aug 10, 2024, 09:33 PM
• Last activity: Aug 11, 2024, 02:10 PM
1
votes
1
answers
54
views
turning on ufw without enabling the service
Setting up a new Debian 12 server fully remotely (I have no physical access to the machine).
I'd like to be extra sure that I don't mess up. I'd like to turn on ufw but keep the service disabled. So that in case I mess up, I can reboot and the system will reboot with ufw turned off again.
I've searched and all Google turns up is people troubleshooting why it does NOT turn on on reboot.
Gemini says `systemctl start ufw`, but that immediately exits:
```
root@server:/etc# journalctl -u ufw
Jul 24 13:19:23 server systemd: Starting ufw.service - Uncomplicated firewall...
Jul 24 13:19:23 server systemd: Finished ufw.service - Uncomplicated firewall.
root@server:/etc# ufw version
ufw 0.36.2
Copyright 2008-2023 Canonical Ltd.
root@server:/etc# systemctl status ufw
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; preset: enabled)
Active: active (exited) since Wed 2024-07-24 13:19:23 UTC; 1min 34s ago
Docs: man:ufw(8)
Process: 1054133 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 1054133 (code=exited, status=0/SUCCESS)
CPU: 1ms
```
Tom
(182 rep)
Jul 24, 2024, 08:09 PM
• Last activity: Aug 1, 2024, 05:03 AM
0
votes
0
answers
207
views
Journalctl UFW Error
>Jul 14 03:52:03 abysslocal kernel: [532579.389726] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=192.168.4.37 DST=192.168.4.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64656 DF PROTO=TCP SPT=46644 DPT=8096 WINDOW=32723 RES=0x00 ACK FIN URGP=0
I get lots of this entry in my logs (`journalctl` - Ubuntu).
It is all internal. Source IP is my Roku Device running Jellyfin on my TV. Destination is my home media server. My UFW is set to allow all subnet traffic. UFW rule to follow.
1. Jellyfin works just fine on my Roku device.
2. Rules should not be triggering UFW BLOCK
3. Fail2Ban is setup to block SSH traffic from external.
4. I do run Jellyfin, http, and https to the outside world with UFW.
Why do I get this message and how can I stop it? I've tried for a week and can't figure it out.
```
80/tcp ALLOW Anywhere
443 ALLOW Anywhere
8096 ALLOW Anywhere
8000/tcp ALLOW Anywhere
Anywhere ALLOW 192.168.4.0/24
```
Please help. Thank you.
ColeenChaos
(1 rep)
Jul 14, 2024, 12:02 PM
• Last activity: Jul 17, 2024, 05:31 AM
0
votes
1
answers
320
views
VPN kill switch with UFW
You all probably heard of Tunnelvision attack on VPN's. Basically, it is about this: the attacker in rogue LAN abuses DHCP option 121 to set a route on the VPN user’s system that is more specific than those used by most VPNs. By abusing this option, an attacker on the local network can set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates. And can therefore eavesdrop on target computer.
**So what would be a solution?**
One would be to ignore DHCP option 121, but probably much better would be to implement "VPN kill switch" - something, that blocks all internet activity, **UNLESS**, it is going to the VPN server.
So here is my script. First I run this (*only once*):
```
MyVPN="xx.xx.xx.xx"
sudo ufw default deny incoming
sudo ufw default deny outgoing
# DNS, also from local interfaces:
sudo ufw allow out on any from any to any port 53
# DHCP, also from local interfaces:
sudo ufw allow out on any from any to any port 67
sudo ufw allow out on any from any to any port 68
# If you are using default OpenVPN installation on 1194/UDP:
sudo ufw allow out to $MyVPN port 1194 proto udp
# If you are using OpenVPN on 443/TCP:
sudo ufw allow out to $MyVPN port 443 proto tcp
# If you are using default Wireguard installation on 51820/UDP:
sudo ufw allow out to $MyVPN port 51820 proto udp
# Assuming OpenVPN uses tun0 interface:
sudo ufw allow out on tun0 from any to any
# Assuming Wireguard uses wg0 interface:
sudo ufw allow out on wg0 from any to any
# If we want to allow connections from VPN network to our computer (again, OpenVPN - tun0, Wireguard - wg0)
sudo ufw allow in on tun0 from any to any
sudo ufw allow in on wg0 from any to any
# Enable UFW
sudo ufw enable
```
Now the "VPN kill switch" is on.
If you want to turn it **off**:
```
sudo ufw default allow outgoing
```
If you want to turn it back **on**:
```
sudo ufw default deny outgoing
```
(You can then use these commands in OpenVPN or Wireguard "post up" / "post down" commands). So when your VPN connection is established, turn the switch on automatically.
**Now, there are a couple of problems.**
**1.** This works quite well, but after I turn the switch on, the NetworkManager's WiFi icon (I am using a WiFi connection to the LAN on my computer) shows I am not connected to the internet. Why? Because the `wlp3s0` network interface (my WiFi) is trying to connect to connectivity-check.ubuntu.com, and that is blocked by the "VPN kill switch". Please note that if I ping connectivity-check.ubuntu.com from the terminal, the connection is established, but that is because the terminal uses the `tun0`/`wg0` interface.
Now, the problem is that UFW cannot allow (or block) connections to domains (FQDN), only to IP addresses. And connectivity-check.ubuntu.com has a pool of always changing IP addresses.
A quick and dirty solution would be to use the /etc/hosts file, but what if Canonical changes the IP addresses of their servers?
So one option would be to redirect all traffic from `wlp3s0` to the VPN (`tun0`/`wg0` interface).
My question is:
- how to do that?
- are there any serious drawbacks if I am redirecting ALL traffic from the `wlp3s0` interface?
**2.** I have read that it would be wise to allow some connections on `wlp3s0` (and other local interfaces), like DHCP and similar protocols.
So my question is: is it enough to allow ports 67 and 68 (and 53 for DNS) for all interfaces, or do I need to do something else?
Matthai
(75 rep)
May 12, 2024, 08:36 AM
• Last activity: Jul 7, 2024, 02:34 AM