I've got a NAT box (Ubu 10.04) running ufw with the following sudo ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
22480/tcp LIMIT IN Anywhere
When I run nmap -PN -p 22 192.168.0.0/24 to find all the SSHes running on my NATed (working fine) inside network, I get the following:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-16 23:06 EDT
0 ports scanned on 192.168.0.0
Interesting ports on 192.168.0.1:
PORT STATE SERVICE
22/tcp closed ssh
Interesting ports on 192.168.0.2:
PORT STATE SERVICE
22/tcp filtered ssh
Interesting ports on 192.168.0.3:
PORT STATE SERVICE
22/tcp filtered ssh
Interesting ports on 192.168.0.4:
PORT STATE SERVICE
22/tcp filtered ssh
... Continuing for all 254 IPs ...
Note that there are no machines at those other IPs (2, 3, 4, ...).
Why is this UFW rule causing this? Why should a UFW input rule mess with the ability to nmap out from the router into the internal network? That's not an input, and ufw is set to the default config (except as above) of blocking input ports and not blocking output to ports.
Also, how can I get it to stop logging all the crap that isn't important that it receives? I do want it to log stuff destined to my IP, but not broadcast traffic from Windows machines on the outside (routable) network. The logging of this stuff is really making the logs huge.
I don't know anything about ufw. But nmap always returns filtered if you test a machine that doesn't exist without discovering it first.
If the machine doesn't answer, nmap can't really know if it is because it doesn't exist or just because it's ignoring the packets. As you are disabling ping (-PN), Nmap doesn't try to discover hosts, so it assumes that the host exists and is filtering the packets.
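To make the closed-versus-filtered distinction concrete, here is an added example (not from either poster) that parses nmap's normal output, as quoted in the question, and labels each host: a closed or open port means the host actually answered (RST or SYN/ACK), while all-filtered under -PN only means "no reply", which on a scan of a whole /24 is usually just an unused address. The sample output is constructed to mirror the question's format.

```python
import re

# Constructed sample modelled on the nmap -PN -p 22 output quoted in the question.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-16 23:06 EDT
0 ports scanned on 192.168.0.0
Interesting ports on 192.168.0.1:
PORT STATE SERVICE
22/tcp closed ssh
Interesting ports on 192.168.0.2:
PORT STATE SERVICE
22/tcp filtered ssh
Interesting ports on 192.168.0.3:
PORT STATE SERVICE
22/tcp open ssh
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text):
    """Return {host: {"port/proto": state}} from nmap 'normal' output.
    Hosts with '0 ports scanned' (e.g. the network address) are skipped."""
    results = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            results[current][f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return results

def classify_hosts(results, ping_disabled=True):
    """'up' if any port replied (open or closed). If every port is filtered:
    with -PN (ping_disabled) that is just 'no-reply', possibly no host at all;
    without -PN nmap already confirmed the host, so it is 'up-filtered'."""
    verdict = {}
    for host, ports in results.items():
        states = set(ports.values())
        if states & {"open", "closed"}:
            verdict[host] = "up"
        elif states and states <= {"filtered"}:
            verdict[host] = "no-reply" if ping_disabled else "up-filtered"
        else:
            verdict[host] = "unknown"
    return verdict
```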
For the ufw logging, ufw has several different log levels. You can adjust them like so: $ sudo ufw logging low
If you want some logging, but not all, you can set the loglevel and then insert a deny rule at the beginning of your chain. E.g.:
$ sudo ufw insert 1 deny to 192.168.1.255