Ubuntu – Why is ufw logging ‘BLOCK’ messages regarding a port for which ufw is configured to ‘ALLOW’ connections

Tags: 11.10, firewall, log, networking, ufw

Here's an example log message:

May 25 10:36:07 myserver kernel: [7057243.392334] [UFW BLOCK] IN=eth0 OUT= MAC=00:02:55:67:82:eb:00:06:b1:3a:ef:62:08:00 SRC=69.197.128.26 DST=192.168.100.101 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=0 PROTO=TCP SPT=48788 DPT=80 WINDOW=972 RES=0x00 RST URGP=0

My understanding is that DPT stands for "destination port", but since I have ufw configured to allow incoming connections on port 80, I'm puzzled as to why I'd be seeing such a log message — a log message which seems to be indicating ufw blocked a connection attempt on that port.

The following are the relevant lines from ufw status:

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere (v6)

I've now seen this on both Ubuntu 11.10 and now (after upgrading the same machine) on Ubuntu 12.04.

Best Answer

  • The thread referenced by Caffeine Coma indicates this is related to low-level technicalities in closing TCP network connections... Obscure and subtle differences between the way operating systems (Windows, Mac, Linux) handle connection termination apparently result in some harmless confusion between server and client, and this somehow results in the above-described log messages.

    I don't entirely understand the technicalities, nor why this would lead to UFW "BLOCK" log messages, but I'll take it, as it's the only answer I've come across that makes any sense, and I've seen no other symptom of something being wrong on my server -- only these harmless (albeit annoying) UFW log messages.

    Refer to the mentioned forum thread for a more technical explanation.
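As an added example (not code from the question or the answer above), here is a small Python parser for UFW kernel log lines of the kind quoted in the question. It splits the key=value fields, collects the bare TCP flag tokens (the quoted line carries RST and nothing else), and sorts each BLOCK into buckets: a SYN to a port outside the allow list is an ordinary blocked connection attempt, while a segment with RST (or ACK without SYN) aimed at an allowed port belongs to no connection the kernel is tracking. ufw's default before.rules log and drop such conntrack-INVALID packets before the per-port ALLOW rules are consulted, which is why an allowed port can still appear in a BLOCK line. The allowed-port set and the second log line are constructed for this example; the first line is the one from the question.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: line 1 is the log line quoted in the question,
# line 2 is a made-up SYN to port 22 for contrast.
SAMPLE_LINES = [
    "May 25 10:36:07 myserver kernel: [7057243.392334] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:02:55:67:82:eb:00:06:b1:3a:ef:62:08:00 SRC=69.197.128.26 DST=192.168.100.101 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=0 PROTO=TCP SPT=48788 DPT=80 WINDOW=972 RES=0x00 RST URGP=0",
    "May 25 10:40:00 myserver kernel: [7057500.000000] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:02:55:67:82:eb:00:06:b1:3a:ef:62:08:00 SRC=198.51.100.7 DST=192.168.100.101 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

# Flag names netfilter prints as bare tokens for TCP packets.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed allow list for the example (the question's status shows 80/tcp ALLOW).
ALLOWED_TCP_PORTS = {80}


@dataclass
class UfwEvent:
    action: str                 # BLOCK, ALLOW, AUDIT, ...
    fields: dict                # key=value pairs such as SRC, DST, PROTO, DPT
    flags: set                  # bare TCP flag tokens found in the line
    bare: list = field(default_factory=list)  # other bare tokens, e.g. DF


def parse_ufw_line(line):
    """Parse one '[UFW <ACTION>] ...' kernel log line; return None if it is not one."""
    m = re.search(r"\[UFW (\w+)\]\s*(.*)$", line)
    if not m:
        return None
    action, rest = m.group(1), m.group(2)
    fields, flags, bare = {}, set(), []
    for tok in rest.split():
        if "=" in tok:                      # 'OUT=' yields an empty value, which is fine
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            bare.append(tok)                # DF, MF, CE, ...
    return UfwEvent(action, fields, flags, bare)


def classify(ev, allowed_tcp_ports):
    """Explain why a BLOCK line is plausible given the allow list."""
    if ev.action != "BLOCK":
        return "not-a-block"
    if ev.fields.get("PROTO") != "TCP":
        return "non-tcp"
    dpt = int(ev.fields.get("DPT", -1))
    if "SYN" in ev.flags and "ACK" not in ev.flags:
        # A bare SYN is a new connection attempt; blocking it is the normal case
        # for a port that is not allowed. A blocked SYN to an allowed port is
        # the one outcome that genuinely warrants a look at the rule set.
        return "blocked-new-connection" if dpt not in allowed_tcp_ports else "syn-on-allowed-port-investigate"
    if "RST" in ev.flags or ("ACK" in ev.flags and "SYN" not in ev.flags):
        # No SYN: this segment cannot open a connection. If conntrack has no
        # matching entry (closed, timed out, or never seen), the default
        # before.rules log and drop it as INVALID, regardless of DPT.
        return "stray-segment-no-tracked-connection"
    return "other"


def summarize(lines, allowed_tcp_ports):
    """Count BLOCK lines per classification, skipping lines that are not UFW events."""
    counts = Counter()
    for line in lines:
        ev = parse_ufw_line(line)
        if ev is not None:
            counts[classify(ev, allowed_tcp_ports)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_ufw_line(line)
        print(ev.fields["SRC"], "->", ev.fields["DPT"], sorted(ev.flags), classify(ev, ALLOWED_TCP_PORTS))
    print(summarize(SAMPLE_LINES, ALLOWED_TCP_PORTS))
```

Run against /var/log/syslog or kern.log, a steady stream of "stray-segment" entries for an allowed port is noise from connections that have already been torn down, whereas any "syn-on-allowed-port-investigate" result means a real connection attempt to that port was refused and the rule order deserves a closer look.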
