Firewall – enabling ufw disables some of the settings in sysctl.conf

firewallsysctlufw

When I add rules to ufw and then enable it, some of my settings in sysctl.conf become void so I have to do sysctl -p after doing ufw enable.

So for example one of my settings in sysctl.conf is to not reply to ping, after enabling ufw, you can ping the server again.

Why is this?

Here are some of the settings in my sysctl.conf:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
kernel.panic = 10
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
net.ipv4.ip_local_port_range = 1204 65000
net.core.rmem_max = 262140
net.core.rmem_default = 262140
net.ipv4.tcp_rmem = 4096 131072 262140
net.ipv4.tcp_wmem = 4096 131072 262140
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_keepalive_time = 60000
net.ipv4.tcp_keepalive_intvl = 15000
net.ipv4.tcp_fin_timeout = 30

EDIT

Thank you Aaron!
I have come to rely on Google so much that I didn't think of inspecting the config files for ufw in etc – and there it was, so easy!

For anyone looking for an answer to this, you can either set your config in that file or even better, edit /etc/default/ufw file so it uses the system default sysctl.conf file in /etc/sysctl.conf

Best Answer

UncomplicatedFirewall

UFW has it's own sysctl settings that can override the system global settings.

Please take a look at:

/etc/ufw/sysctl.conf

If that file does not exist, grep through the files in that directory for anything calling sysctl.

Related Solutions

Linux webhost security settings in /etc/sysctl.conf

A smurf attack is where someone sends packets to a broadcast address, usually with a spoofed source, to trick you into sending a large number of replies.
The clog your logs with error messages. Ignoring them keeps the logs uncluttered. It's not like you can fix the Internet anyway.
A SYN flood attack is one where an attacker hits a server with a large number of TCP connection requests. The idea is to consume memory on the server, forcing it to keep track of all the connection requests. SYN cookies allow the server to handle connection requests without using any memory.
Source routed packets are bad because they can be used by outsiders to cause your internal network policy to be ignored or violated. Logging spoofed, source routed, or redirect packets makes sense because unlike bad ICMP error messages, these usually indicate someone doing something deliberate, rather than a configuration error or broken router.
Reverse path filtering causes your router to drop a packet if it was received on an interface you would not use to send packets to that source. Personally, I always disable it. In my experience, it creates far more problems than it solves, for example, breaking IP multipath.

Ubuntu Logging – Where Are the Logs for UFW Located on Ubuntu Server?

Perform sudo ufw status verbose to see if you're even logging in the first place. If you're not, perform sudo ufw logging on if it isn't. If it is logging, check /var/log/ for files starting with ufw. For example, sudo ls /var/log/ufw*

If you are logging, but there are no /var/log/ufw* files, check to see if rsyslog is running: sudo service rsyslog status. If rsyslog is running, ufw is logging, and there are still no logs files, search through common log files for any mention of UFW. For example: grep -i ufw /var/log/syslog and grep -i ufw /var/log/messages as well as grep -i ufw /var/log/kern.log.

If you find a ton of ufw messages in the syslog, messages, and kern.log file, then rsyslog might need to be told to log all UFW messages to a separate file. Add a line to the top of /etc/rsyslog.d/50-default.conf that says the following two lines:

:msg, contains, “UFW” -/var/log/ufw.log
& ~

And you should then have a ufw.log file that contains all ufw messages!

NOTE:

Check the 50-default.conf file for pre-existing configurations.

Make sure to backup the file before saving edits!

Best Answer

Related Solutions

Linux webhost security settings in /etc/sysctl.conf

Ubuntu Logging – Where Are the Logs for UFW Located on Ubuntu Server?

NOTE:

Related Topic