DevHeads.net

Should ufw block access to localhost?

I am setting up ufw on a server and have a symptom I don't understand.
I am running mosquitto with TLS on port 8883 on the server, so in ufw I
have opened that port:

    sudo ufw allow 8883

and can then access port 8883 from another machine, as expected. I
cannot access it if I do not open that port, again as expected.

However I also access mosquitto locally on the server using
localhost:8883 and the feature I do not understand is that if ufw is
enabled then I cannot access it via localhost whether the port is
opened or not. If I *disable* ufw then I *can* access mosquitto via
localhost.

ufw status shows:

    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22                         ALLOW IN    Anywhere
    80                         ALLOW IN    Anywhere
    443                        ALLOW IN    Anywhere
    8883                       ALLOW IN    Anywhere
    22 (v6)                    ALLOW IN    Anywhere (v6)
    80 (v6)                    ALLOW IN    Anywhere (v6)
    443 (v6)                   ALLOW IN    Anywhere (v6)
    8883 (v6)                  ALLOW IN    Anywhere (v6)

Can anyone explain what is going on?

Colin

Comments

Re: Should ufw block access to localhost?

By Tony Arnold at 03/14/2019 - 04:33

Hi Colin,

I guess a detailed examination of the iptables rules that ufw has set up
might yield some clues. But you've no doubt done that already!

Regards, Tony.

On Wed, 2019-03-13 at 22:10 +0000, Colin Law wrote:

Re: Should ufw block access to localhost?

By Colin Law at 03/14/2019 - 05:09

On Thu, 14 Mar 2019 at 08:36, Tony Arnold <tony. ... at manchester dot ac.uk> wrote:

No, because my knowledge of iptables is only skin deep. I think the
principal reason for using ufw is to isolate one from the much more
complex details of iptables.

What I was hoping for was at least confirmation that what I am seeing
is, or is not, expected, and if it is expected, what I should do to allow
access from localhost. Google has not provided any leads that have
helped me. I found links explaining how to *block* access from
localhost but not the reverse, which suggests to me that access should
not be blocked by default.

I can provide the iptables list if anyone is willing, and has the
time, to look at it, for which I would be most grateful. If so, which
command should I use? iptables -L?

Colin