[09:42] <Skyrider> Can I ask a ufw related question here?
[09:48] <Skyrider> Might as well.. Used ufw to block an ip range x.x.0.0/16, yet it doesn't appear to work. All the other ufw rules are working, just not this ranged deny I created.
[12:58] <tomreyn> Skyrider: i would not recommend ufw for a server firewall. rather use iptables directly or some framework around it such as shorewall.
[12:58] <JanC> well, ufw is a framework around it
[12:59] <tomreyn> yes, but... not a complete or really good one
[13:02] <JanC> it should be able to do what most people need for a simple server, no?
[13:03] <tomreyn> yes, as long as they don't use the GUI for managing it.
[13:04] <tomreyn> that's my personal POV, anyways
[13:04] <JanC> ufw itself doesn't have a GUI
[13:05] <tomreyn> gufw is a separate package, but i think it's preinstalled.
[13:05] <tomreyn> ...on desktops
[13:05] <JanC> I doubt it is
[13:06] <JanC> it never supported ufw correctly, and hasn't been updated in a decade probably?
[13:06] <tomreyn> hmm it's in universe, probably not then, right
[13:07] <Skyrider> Using ufw as I prefer its simplicity.
[13:07] <tomreyn> so let's say ufw can be fine, just dont use gufw
[13:07] <JanC> Skyrider: I assume you didn't forget to reload the firewall after adding that rule?
[13:09] <JanC> also "doesn't appear to work" is rather vague
[13:13] <Skyrider> all rules added through ufw should be instantly loaded.
[13:13] <Skyrider> As for gufw, don't see a point in that seeing I use a headless server.
[13:14] <Skyrider> And "doesn't work", I blocked an IP range and had to block the IP range in nginx as well. The blocked IPs keep showing up in nginx's logs, while they shouldn't be logged at all as ufw should deal with it.
[13:14] <Skyrider> Maybe ufw ip range deny/reject is borked?
[13:15] <JanC> there is no other rule overriding it?
[13:16] <Skyrider> Guess that's a fair point I haven't considered. allow port 80 I suppose.
[13:16] <Skyrider> But shouldn't deny/reject override allow?
[13:17] <Skyrider> It is listed in iptables: -A ufw-user-input -s 159.138.0.0/16 -j REJECT --reject-with icmp-port-unreachable
[13:19] <Skyrider> As for ufw, was last updated 2018-12-14
[13:22] <JanC> rule ordering?
[13:23] <JanC> you'd need to have the deny for that range before the one to allow port 80
[13:25] <JanC> as the first one that matches will be applied
[13:30] <JanC> Skyrider: ^^^
[13:40] <Skyrider> Thanks JanC, but I double checked. All rejects in ufw are set to top.
[13:40] <Skyrider> [10] Anywhere                   REJECT IN   159.138.0.0/16
[13:40] <Skyrider> [11] 80/tcp                     ALLOW IN    Anywhere
[13:40] <Skyrider> 1 to 9 are also rejects.