Topic: ufw and apparmor
MysteryFalcon
Joined: 01 Dec 2021 Posts: 3 Location: Stockholm
Posted: Sat 05 Mar '22 10:55 Post subject: ufw and apparmor
Hello
I've just set up a new webserver and I thought I'd explore apparmor with ufw.
I see in the sysinfo log, a constant brigade of outputs like:
[ 4089.623593] [UFW BLOCK] IN=enp1s0 OUT= MAC=00:e0:4c:68:01:49:00:d0:f6:59:af:88:08:00 SRC=..... DST=....... LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47869 PROTO=TCP SPT=58920 DPT=62900 WINDOW=1024 RES=0x00 SYN URGP=0
This was to be expected I guess. But I'm wondering, if anyone knows, since I can't find anything on it when I search for it: how do I list all blocked IPs?
Furthermore, if anyone knows: is it possible to turn off logging for this to syslog but still keep it in the ufw.log?
Cheers!
Back to top
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Sat 05 Mar '22 18:27 Post subject:
I decided not to use ufw as a wrapper to iptables, but rather tackled using iptables directly. That said, I don't believe the default ufw configuration is working against a blacklist of IPs, but rather is simply logging (and blocking) non-approved port requests, invalid packets, etc.
Any server that is Internet facing will be getting an enormous number of connection attempts/probes from various sources, so over time your blocked IP list will be massive. If you really want to, I believe you'd have to script parsing all the blocked SRC IPs from the ufw.log file (a non-trivial task), bearing in mind those logs get rotated and aged via /etc/logrotate.d/ufw. This was one of the reasons I chose to use iptables directly, in that I could decide what gets dropped, logged, etc.
The solution to removing the ufw entries from syslog is out there on the net. Namely, edit the /etc/rsyslog.d/20-ufw.conf file, and uncomment the final entry to leave "& stop". Then restart rsyslogd: "systemctl restart rsyslog".
Back to top
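The parse that tangent describes above (pulling the blocked SRC addresses out of ufw.log, including the gzipped generations that logrotate leaves behind) as an added example; this is not code from the thread or from ufw itself. The sample log lines, the IP addresses (RFC 5737 documentation ranges) and the /var/log/ufw.log* glob are constructed for illustration and are assumptions about a default Ubuntu layout.

```python
import glob
import gzip
from collections import Counter, defaultdict
from pathlib import Path

# Constructed sample of what /var/log/ufw.log looks like. One source probes two
# ports, one sends ICMP (no DPT), one [UFW ALLOW] entry and one unrelated sshd
# line are included so the filter has something to ignore.
SAMPLE_LOG = """\
Mar  5 10:41:02 web kernel: [ 4089.623593] [UFW BLOCK] IN=enp1s0 OUT= MAC=00:e0:4c:68:01:49:00:d0:f6:59:af:88:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47869 PROTO=TCP SPT=58920 DPT=62900 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:41:07 web kernel: [ 4094.101100] [UFW BLOCK] IN=enp1s0 OUT= MAC=00:e0:4c:68:01:49:00:d0:f6:59:af:88:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47870 PROTO=TCP SPT=58921 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:41:09 web kernel: [ 4096.500000] [UFW BLOCK] IN=enp1s0 OUT= MAC=00:e0:4c:68:01:49:00:d0:f6:59:af:88:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  5 10:41:12 web kernel: [ 4099.000000] [UFW ALLOW] IN=enp1s0 OUT= MAC=00:e0:4c:68:01:49:00:d0:f6:59:af:88:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  5 10:41:15 web sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50000
"""


def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line as a dict, or None.

    Tokens without '=' (SYN, DF, ACK ...) are flags and are skipped; a repeated
    key (ICMP lines carry two ID= fields) keeps the last value.
    """
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields = {}
    for token in line.split(marker, 1)[1].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields if "SRC" in fields else None


def summarise(lines):
    """Count blocked packets per SRC and collect the destination ports each
    source touched. Returns (Counter of hits, dict of ip -> set of ports)."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        src = fields["SRC"]
        hits[src] += 1
        if "DPT" in fields:
            ports[src].add(int(fields["DPT"]))
    return hits, dict(ports)


def top_blocked(hits, n=10):
    """Most-blocked sources first, as (ip, count) pairs."""
    return hits.most_common(n)


def iter_log_lines(paths):
    """Yield lines from the current and rotated logs. logrotate gzips the older
    generations (ufw.log.2.gz ...), so those are opened transparently."""
    for path in paths:
        path = Path(path)
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    # Assumed default location; falls back to the constructed sample when run
    # somewhere without ufw logs so the script can be tried anywhere.
    paths = sorted(glob.glob("/var/log/ufw.log*"))
    lines = iter_log_lines(paths) if paths else SAMPLE_LOG.splitlines()
    hits, ports = summarise(lines)
    for ip, count in top_blocked(hits):
        print(f"{ip:>15}  {count:6d} blocked  ports={sorted(ports.get(ip, ()))}")
```

Run it as root (ufw.log is not world-readable) and it prints the noisiest sources with the ports they hit; a source that walks many different ports is the usual sign of a scanner rather than a misconfigured client, which is the distinction worth making before anyone thinks about blocklisting. Splitting on `key=value` tokens rather than a fixed regex is deliberate: TCP, UDP and ICMP entries carry different field sets, and flag tokens such as `SYN` or `DF` have no value at all.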