I'm trying to setup my server so that port 5432 (Postgres) is accessible only from localhost. So I've denied everything, and added back port 5432, however I cannot connect to it.

Here is my UFW config:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
127.0.0.1 5432             ALLOW IN    127.0.0.1
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

80                         ALLOW OUT   Anywhere
22                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere
33434:33524/udp            ALLOW OUT   Anywhere
127.0.0.1 5432             ALLOW OUT   127.0.0.1
80 (v6)                    ALLOW OUT   Anywhere (v6)
22 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
53 (v6)                    ALLOW OUT   Anywhere (v6)
33434:33524/udp (v6)       ALLOW OUT   Anywhere (v6)

And netstat:

$ netstat -an | grep "LISTEN "
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp6       0      0 :::55056                :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN

Just to confirm it's really ufw that prevents the connection, since if I disable it it works fine. Any idea what I am missing?

1 Answer

From your netstat, we can see that there's only one mention of the port 5432 (namely, the tcp6 line listening on :::5432). This shows us that your program is only listening on IPv6. Your firewall only allows IPv4. There are two options: one is that you permit the IPv6 address ::1 (which is the IPv6 localhost equivalent) to connect to that service in your firewall, and the other is to get your program to listen on IPv4. The best is probably to do both.

  • Linux sockets opened on IPv6 IN6ADDR_ANY also listen on IPv4 by default.
    Dec 4, 2020 at 15:36
  • @MichaelHampton That might be the case, but his list of listening sockets doesn't show any IPv4 listener on port 5432, so that would still be a part of the problem, regardless of how whatever service he is using opens those sockets.
    – rhbvkleef
    Dec 4, 2020 at 16:21
  • The whole point is that you wouldn't see this in netstat.
    Dec 4, 2020 at 16:39
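The check described in the answer, written up as an added example (not code from the question, the answer or the commenters): it reads netstat-style LISTEN lines, reports which address families a TCP port is bound on, and prints the ufw rules that admit only loopback clients for each family. The sample lines are constructed to match the question's netstat output; the column layout is assumed to be the one shown there.

```shell
#!/bin/sh
# Added example: which address families is a port bound on, and which ufw
# loopback rules does that call for? Assumes netstat's column layout as
# shown in the question (proto, recv-q, send-q, local, foreign, state).

# Constructed sample modelled on the question's netstat output.
SAMPLE_LISTEN='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN'

# listen_families PORT   (netstat output on stdin)
# Prints "v4", "v6", "v4 v6", or nothing if the port has no TCP listener.
# Caveat from the comments: a tcp6 socket on the '::' wildcard may also take
# IPv4 connections unless the daemon set IPV6_V6ONLY; netstat cannot tell you.
listen_families() {
  port="$1"; v4=""; v6=""
  while read -r proto _ _ laddr _ state; do
    [ "$state" = "LISTEN" ] || continue
    [ "${laddr##*:}" = "$port" ] || continue   # the port follows the last ':'
    case "$proto" in
      tcp)  v4="v4" ;;
      tcp6) v6="v6" ;;
    esac
  done
  fams="$v4"
  [ -n "$v6" ] && fams="${fams:+$fams }v6"
  printf '%s' "$fams"
}

# loopback_rules PORT "v4 v6"
# Emits the ufw commands for localhost-only access, one family at a time.
# ::1 is the IPv6 loopback that rules naming 127.0.0.1 never match.
loopback_rules() {
  port="$1"
  for fam in $2; do
    case "$fam" in v4) lo=127.0.0.1 ;; v6) lo=::1 ;; esac
    printf 'ufw allow in from %s to %s port %s proto tcp\n' "$lo" "$lo" "$port"
    printf 'ufw allow out from %s to %s port %s proto tcp\n' "$lo" "$lo" "$port"
  done
}

# Port 5432 in the sample is bound on IPv6 only, so a client that resolves
# "localhost" to ::1 is dropped by rules that name 127.0.0.1 alone.
fams=$(printf '%s\n' "$SAMPLE_LISTEN" | listen_families 5432)
echo "port 5432 listens on: ${fams:-nothing}"
case " $fams " in
  *" v4 "*) ;;
  *) echo "no IPv4 listener: 127.0.0.1 rules alone cannot admit ::1 clients" ;;
esac
loopback_rules 5432 "v4 v6"   # the answer's advice: allow both loopbacks
```

Run it against live output with `netstat -an | grep LISTEN | listen_families 5432` (or the equivalent `ss -ltn` columns after adjusting the field positions).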
