Cannot ping any hostname/domain when ufw is enabled

Muhammad Dyas Yaskur asked:

Why can’t I ping any domain/hostname when ufw is enabled?

[[email protected] ec2-user]# ping google.com
ping: google.com: Name or service not known
[[email protected] ec2-user]# ufw disable
Firewall stopped and disabled on system startup
[[email protected] ec2-user]# ping google.com
PING google.com (74.125.24.100) 56(84) bytes of data.
64 bytes from 74.125.24.100 (74.125.24.100): icmp_seq=1 ttl=100 time=2.14 ms
64 bytes from 74.125.24.100 (74.125.24.100): icmp_seq=2 ttl=100 time=2.19 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.149/2.170/2.192/0.051 ms
[[email protected] ec2-user]# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
[[email protected] ec2-user]# ping google.com
ping: google.com: Name or service not known

I disabled all outgoing traffic except what is defined, using the command ufw default deny outgoing. ufw status:

80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
3306                       ALLOW OUT   Anywhere
2465                       ALLOW OUT   Anywhere
3306/tcp                   ALLOW OUT   Anywhere
3306/udp                   ALLOW OUT   Anywhere
127.0.0.1 3306             ALLOW OUT   Anywhere
80 (v6)                    ALLOW OUT   Anywhere (v6)
443 (v6)                   ALLOW OUT   Anywhere (v6)
3306 (v6)                  ALLOW OUT   Anywhere (v6)
2465 (v6)                  ALLOW OUT   Anywhere (v6)
3306/tcp (v6)              ALLOW OUT   Anywhere (v6)
3306/udp (v6)              ALLOW OUT   Anywhere (v6)

I already set it to accept ICMP in the /etc/ufw/before.rules file:

# allow outbound icmp
-A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

My answer:


You haven’t allowed outbound DNS traffic, thus names cannot be resolved to IP addresses.


View the full question and any other answers on Server Fault.
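
The following check is an added example, not part of the original question or answer. It reads `ufw status` output and reports whether outbound DNS (port 53) is covered by an ALLOW OUT rule; the function name `dns_out_status` and the "fixed" rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `ufw status` text on stdin
# and reports whether outbound DNS (port 53) is covered by an ALLOW OUT rule.
# Handles plain "port" and "port/proto" rules as shown in the question;
# port ranges and application profiles are not interpreted.
dns_out_status() {
    awk '
        / ALLOW OUT / {
            to = $0
            sub(/[ \t]+ALLOW OUT.*/, "", to)   # keep only the "To" column
            sub(/[ \t]*\(v6\)$/, "", to)       # drop the IPv6 marker
            n = split(to, f, /[ \t]+/)         # "127.0.0.1 3306" -> "3306"
            if (f[n] == "53")     { udp = 1; tcp = 1 }  # no proto = both
            if (f[n] == "53/udp") { udp = 1 }
            if (f[n] == "53/tcp") { tcp = 1 }
        }
        END {
            if (udp && tcp) print "ok"
            else if (udp)   print "udp-only"   # large answers over TCP will fail
            else if (tcp)   print "tcp-only"   # ordinary UDP lookups will fail
            else            print "blocked"    # the situation in the question
        }'
}

# Rules as listed in the question (IPv4 lines only).
QUESTION_RULES='80                         ALLOW OUT   Anywhere
443                        ALLOW OUT   Anywhere
3306                       ALLOW OUT   Anywhere
2465                       ALLOW OUT   Anywhere
3306/tcp                   ALLOW OUT   Anywhere
3306/udp                   ALLOW OUT   Anywhere
127.0.0.1 3306             ALLOW OUT   Anywhere'

# Constructed sample: the same rules after running
#   ufw allow out 53/udp
#   ufw allow out 53/tcp
FIXED_RULES="$QUESTION_RULES
53/udp                     ALLOW OUT   Anywhere
53/tcp                     ALLOW OUT   Anywhere"

printf 'question rules: %s\n' "$(printf '%s\n' "$QUESTION_RULES" | dns_out_status)"
printf 'with DNS rules: %s\n' "$(printf '%s\n' "$FIXED_RULES" | dns_out_status)"
# On a live host: ufw status | dns_out_status
```

A result of "ok" only means a port 53 rule exists; a rule limited to one destination address still restricts which resolver can be reached.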

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.