Marcel Galke - Trans4mation | 20 Dec 2011 16:41

RE: UFW logging

The lines containing " ... [UFW BLOCK] ...PROTO=TCP SPT=56527 DPT=80 " definitively refer to HTTP, for me.

Maybe it's best to inform your security team about your problems. They've got better weapons than ufw. ;)
The source IPs are changing quickly, so it's not possible to set a connection limit per host.
Have you set a connection limit for your websites?

Regards Marcel

> -----Original Message-----
> From: linux-admin-owner <at> vger.kernel.org [mailto:linux-admin-owner <at> vger.kernel.org] On Behalf Of Dermot Paikkos
> Sent: Tuesday, December 20, 2011 4:30 PM
> To: linux-admin <at> vger.kernel.org
> Subject: RE: UFW logging
> 
> > -----Original Message-----
> >
> > Hello Dermot,
> >
> > as far as I can see, HTTP is blocked (DPT=80).
> >
> > Why are you using UFW? You've got a DMZ?
> >
> >
> > Regards Marcel
> 
> Well I really hope that port 80 is open! I have not heard any complaints
> from users and I can still connect.
> 
> The command I ran was `ufw allow "Apache Full"`. This should have

Dermot Paikkos | 20 Dec 2011 17:32

RE: UFW logging

Well if there is a security team, then I am it :)

Yes the IP does change. The MAC address is consistent but I am guessing 
that this refers to eth0 on the server.

I am not sure what sort of connection limit you mean. One that is set on 
the httpd server or somewhere else?

This rule 'should' allow port 80 and 443 through though!

ACCEPT tcp  --  *   * 0.0.0.0/0  0.0.0.0/0   multiport dports 80,443 /* 'dapp_Apache%20Full'

so I don't know why there are log entries that say port 80 is blocked. 
Like I said, I have not heard from anyone that they cannot connect to 
the site either. Perhaps I should increase the log level in case that 
gives me more details.
Dp.

> -----Original Message-----
> From: Marcel Galke - Trans4mation [mailto:Marcel.Galke <at> trans4mation.de]
> Sent: 20 December 2011 15:42
> To: linux-admin <at> vger.kernel.org
> Subject: RE: UFW logging
> 
> The lines containing " ... [UFW BLOCK] ...PROTO=TCP SPT=56527 DPT=80 "
> definitively refer to HTTP, for me.
> 
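Added example, not part of either message: a small triage of [UFW BLOCK] entries for one destination port, grouped by TCP flags and counted by distinct source address, which are the details the abbreviated entries quoted in the thread leave out. The log lines are constructed in the kernel LOG format UFW writes, and the function names are hypothetical. Reading a SYN-only entry as a refused new connection and ACK/FIN/RST-only entries as packets outside a tracked connection is an assumption the thread does not confirm.

```python
import re
from collections import Counter

def _line(src, dpt, flags):
    # Constructed sample entry (documentation addresses), not from the thread.
    return ("Dec 20 15:01:02 web kernel: [UFW BLOCK] IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT=56527 DPT={dpt} WINDOW=0 RES=0x00 {flags} URGP=0")

SAMPLE_LOG = "\n".join([
    _line("198.51.100.7", 80, "RST"),
    _line("198.51.100.23", 80, "ACK FIN"),
    _line("203.0.113.5", 80, "ACK"),
    _line("203.0.113.9", 23, "SYN"),
])

FIELD = re.compile(r"(\w+)=(\S*)")                    # KEY=value pairs (value may be empty)
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")    # TCP flags sit between RES= and URGP=

def parse_block(line):
    """Return the fields of one [UFW BLOCK] entry, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(FIELD.findall(line))
    m = FLAGS.search(line)
    fields["FLAGS"] = tuple(m.group(1).split()) if m else ()
    return fields

def classify(flags):
    if flags == ("SYN",):
        return "syn-only"        # a new connection attempt was refused
    return "other-flags" if flags else "no-flags"

def summarize(text, port=80):
    """Count blocked TCP entries for one destination port by flag class."""
    kinds, sources = Counter(), set()
    for line in text.splitlines():
        f = parse_block(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        kinds[classify(f["FLAGS"])] += 1
        sources.add(f.get("SRC"))
    return {"kinds": dict(kinds), "distinct_sources": len(sources)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A port-80 summary with no "syn-only" entries is consistent with the site staying reachable while block entries are still logged.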