Logging is enabled. Only allow rules are logged. The very last line of my firewall rules is:
Anywhere DENY Anywhere
No logging is asked for; however, two IPs repeatedly show up in my firewall logs as blocked:
Dec 28 16:54:13 openvpn kernel: [1059666.384183] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:3d:09:b4:2c:21:72:a0:20:81:08:00 SRC=216.4.95.62 DST=XXX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57899 DF PROTO=TCP SPT=47785 DPT=5555 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 28 16:54:13 openvpn kernel: [1059666.665564] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:3d:09:b4:2c:21:72:a0:20:81:08:00 SRC=4.71.37.46 DST=XXX.XX.XXX.XXX LEN=40 TOS=0x08 PREC=0x40 TTL=244 ID=21110 DF PROTO=TCP SPT=33071 DPT=5555 WINDOW=0 RES=0x00 ACK RST URGP=0
Connections are blocked as requested, but why are they logged? It bothers me when things are unexpected. All other blocks (there are 1000s) are not logged, as requested. Both addresses are from Level 3's address range. DPT 5555 is typically the HP Data Protector port (not installed on my server). The server is hosted on Host Virtual. Output from uname:
Linux XXX.XXX.XXX 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
All current updates are applied.
Adding requested ufw here:
root@openvpn:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
20/udp ALLOW IN Anywhere (log)
22 ALLOW IN XXX.XX.XX.0/22 (log)
443/udp ALLOW IN XX.XXX.XXX.0/20 (log)
22 ALLOW IN YYY.YYY.YYY.0/22 (log)
443/udp ALLOW IN YYY.YYY.YYY.0/22 (log)
80/udp ALLOW IN WWW.WW.WW.0/22 (log)
80/udp ALLOW IN WWW.WW.WW.0/22 (log)
22 ALLOW IN WWW.WW.WW.0/22 (log)
22 ALLOW IN XX.XXX.XXX.0/20 (log)
Anywhere DENY IN Anywhere
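As an added example (not part of the original post), the Python code below parses kernel lines in the `[UFW BLOCK]` format quoted above and counts them by source address, destination port and TCP flags, to show what the repeatedly logged packets have in common. The sample lines are constructed and use documentation addresses; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the kernel lines quoted in the post
# (addresses and MACs are documentation values, not taken from the post).
SAMPLE = """\
Dec 28 16:54:13 host kernel: [100.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57899 DF PROTO=TCP SPT=47785 DPT=5555 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 28 16:54:14 host kernel: [100.500002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 16:54:15 host kernel: [101.000003] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57900 DF PROTO=TCP SPT=47786 DPT=5555 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 28 16:54:16 host sshd[811]: unrelated line that must be skipped
"""

LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<body>.*)$")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}

def parse_ufw_line(line):
    """Return a dict of fields for one UFW kernel log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "flags": []}
    for tok in m.group("body").split():
        if "=" in tok:                      # KEY=value pair (value may be empty, e.g. OUT=)
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare TCP flag token
            rec["flags"].append(tok)
        # other bare tokens (e.g. DF, an IP header flag) are ignored here
    return rec

def summarize(text):
    """Count records by (SRC, DPT, TCP flags) to show which packets repeat."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ufw_line(line)
        if rec:
            counts[(rec.get("SRC"), rec.get("DPT"), " ".join(rec["flags"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, dpt, flags), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  SRC={src:<15} DPT={dpt:<5} flags={flags}")
```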