I am trying to block outgoing traffic to port 9200 temporarily. My use case is I want to test what happens when an Elasticsearch cluster (at port 9200) becomes unreachable to my application.

I configured the firewall rule sudo ufw deny out 9200. The response was

rules updated
rules updated (v6)

What is the correct way to block outgoing traffic sent to port 9200?

Then I tried checking whether the port really is blocked using curl remotemachine:9200. Curl received the normal Elasticsearch response:

...
  "version" : {
    "number" : "7.17.3",
    "build_flavor" : "default",
    "build_type" : "rpm",
...

You can see your rule by following the items here, which is essentially sudo ufw show added.

Here's a dry run that won't change anything, with a line-by-line rundown:

  1. Grabs the status of ufw
  2. Searches for inactive in the output, if found (or success, denoted by &&) do line 3
  3. Enable ufw, but if inactive was not found (line 2 failed, denoted by ||) then do lines 4 and 5
  4. Show the currently added rules, send stdout to line 5
  5. Search for 9200 (since that's the port we want), if that fails (||) do the next line
  6. Add the deny outbound 9200 rule

sudo ufw status | 
grep inactive && 
sudo ufw --dry-run enable || 
sudo ufw show added | 
grep 9200 || 
sudo ufw --dry-run deny out 9200

Remove --dry-run and you should be sorted, like this:

sudo ufw status | grep inactive && sudo ufw enable || sudo ufw show added | grep 9200 || sudo ufw deny out 9200

There is nothing wrong with your syntax (it blocks both UDP and TCP - you can add proto for that, but it doesn't matter for this use case). Your syntax is the same as:

sudo ufw deny out to any port 9200

CG3
  • 306
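The answer's one-liner only adds the rule; whether the block is actually in force depends on ufw being active and on the application really failing to connect. The script below is an added example, not code from the question or the answer: it parses the output of `ufw status` and `ufw show added` as text (so the checks can be exercised without root), then probes the port with curl (assumed to be installed). The sample outputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify that an outbound block on an Elasticsearch port
# (9200 here) is enforced, not merely stored in ufw's rule file.

# Exit 0 when `ufw status` output reports the firewall as active.
# A freshly installed ufw is inactive: rules are stored but not enforced,
# which is the usual reason "deny out 9200" appears to do nothing.
ufw_active() {
    printf '%s\n' "$1" | grep -q '^Status: active$'
}

# Exit 0 when `ufw show added` output already holds an outbound deny for
# the given port, in either of the two equivalent spellings from the answer.
has_deny_out_rule() {
    port="$2"
    printf '%s\n' "$1" | grep -Eq "^ufw deny out (to any port )?${port}([[:space:]]|$)"
}

# Exit 0 when a TCP connect to host:port fails within the timeout, i.e. the
# target behaves as unreachable from this machine. curl exits non-zero on a
# connection failure but zero on any HTTP reply, which is what we want here.
port_unreachable() {
    host="$1"; port="$2"
    ! curl -s -o /dev/null --connect-timeout 3 "http://${host}:${port}/"
}

# Wire it together against the live system (needs sudo). Idempotent: only
# enables ufw or adds the rule when the matching check fails, then confirms
# the application-side effect the question wants to simulate.
ensure_outbound_block() {
    port="$1"; host="$2"
    ufw_active "$(sudo ufw status)" || sudo ufw enable
    has_deny_out_rule "$(sudo ufw show added)" "$port" || sudo ufw deny out "$port"
    if port_unreachable "$host" "$port"; then
        echo "port $port on $host is unreachable: block verified"
    else
        echo "port $port on $host still answers: block NOT in force" >&2
        return 1
    fi
}

# Constructed sample outputs for offline checks (not from a real host).
SAMPLE_STATUS_INACTIVE="Status: inactive"
SAMPLE_STATUS_ACTIVE="Status: active

To                         Action      From
--                         ------      ----
9200                       DENY OUT    Anywhere"
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw deny out 9200"
```

Run `ensure_outbound_block 9200 remotemachine` on the client host to apply and verify the block; a zero exit means curl could no longer reach the cluster, which is the condition the application test is meant to exercise.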