How to make ping and traceroute work after setting UFW with deny outgoing
by default?
Here is my UFW configuration:
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
123/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
123/udp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
53 ALLOW OUT Anywhere
80/tcp ALLOW OUT Anywhere
443/tcp ALLOW OUT Anywhere
587/tcp ALLOW OUT Anywhere
123/udp ALLOW OUT Anywhere
53 (v6) ALLOW OUT Anywhere (v6)
80/tcp (v6) ALLOW OUT Anywhere (v6)
443/tcp (v6) ALLOW OUT Anywhere (v6)
587/tcp (v6) ALLOW OUT Anywhere (v6)
123/udp (v6) ALLOW OUT Anywhere (v6)
Here are ping and traceroute results:
ping google.com
PING google.com (173.194.121.34) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
traceroute google.com
traceroute to google.com (173.194.121.34), 30 hops max, 60 byte packets
send: Operation not permitted
I found this post (http://www.kelvinism.com/2010/09/enable-icmp-through-ufw_461.html) that recommends to add these lines to /etc/ufw/before.rules
:
# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
It seems to work for ping but not for traceroute. Any idea?
Thanks
Best Answer
I had to use sudo for
traceroute
and the-I
option (Use ICMP ECHO for tracerouting
):