After configuring ufw with DENY OUTGOING can't ping

Since I started using Linux many years ago I have always set ufw in deny all in & allow all out. I recently changed this policy to deny all out & allowing only specific outgoing ports like 80, 443, etc which are required for daily activities like web browsing, email, etc.

Problem is I cant ping any IP. This is what happens

PING ( 56(84) bytes of data.

It just stays like that. No reply at all. How do I enable outgoing ping ?

The answers are out there just search for “Allow icmp through ufw”. Any way below is two links that might help you.

1 Like

The issue you have is that ufw rules apply only to udp and tcp protocols.
Ping is ICMP.

You can allow is by adding ip tables rules.

# ok icmp codes for OUTPUT
-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT

to /etc/ufw/before.rules

WARNING: I am no expert on network security and this may be a terrible idea (I do not know). Please do your own research on ip table.
I just copied input part and replaced input with output. :crazy_face:

Didn’t work this is the error

$ sudo ufw reload
ERROR: problem running ufw-init
iptables-restore: line 79 failed


$ sudo ufw reload
ERROR: problem running ufw-init
iptables-restore: line 78 failed

Problem running '/etc/ufw/before.rules'

try to put it before COMMIT line :wink:

Success ! I just added these 2 line before the COMMIT line & did ufw reload

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

@arch_lover loking back at what I wrote only

-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT

is related to ping