
ufw rate limiting ansible on ubuntu 22

this was all done on ubuntu 22.

$ ufw version
ufw 0.36.1
Copyright 2008-2021 Canonical Ltd.
$ cat /etc/os-release | grep VERSION
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy

Trying to connect to an Ubuntu server from a GitHub runner running Ansible, I found that Ansible was getting blocked by UFW and subsequently received connection timeouts.

The UFW logs showed [UFW LIMIT BLOCK], so I knew it was rate limiting. The strange thing is that I can connect manually using SSH from the GitHub runner just fine; however, I know Ansible likes to open and close a lot of connections, so it was probably triggering the rate limit.

To resolve this, the seconds and hit_count values for the SSH LIMIT rule in UFW need to be changed from the default of seconds: 30, hit_count: 3 (a source address is blocked once it has opened that many new connections inside the window) to something less aggressive. Unfortunately the only way I found to do this was to modify the UFW source (thanks to https://jb.prose.sh/ufw-limit). The file belongs to the ufw package, so a package upgrade will overwrite the change:

/usr/lib/python3/dist-packages/ufw/backend_iptables.py

I adjusted this section:

# adjust for limit
# Each ' -j LIMIT' rule is expanded into three iptables rules:
#   tmp1: record every NEW connection from the source address (recent --set)
#   tmp2: jump to <prefix>-user-limit (log with [UFW LIMIT BLOCK], then reject)
#         once the source has --hitcount new connections inside --seconds
#   tmp3: otherwise jump to <prefix>-user-limit-accept
pat_limit = re.compile(r' -j LIMIT')
for i, s in enumerate(snippets):
    if pat_limit.search(s):
        tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \
                             s)
        tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \
                             ' --update --seconds 30 --hitcount 3' + \
                             ' -j ' + prefix + '-user-limit', s)
        tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s)
        snippets[i] = tmp3
        snippets.insert(i, tmp2)
        snippets.insert(i, tmp1)
return snippets

and changed --seconds 30 --hitcount 3 on the --update line to --seconds 10 --hitcount 24 (a source address is now blocked once it opens 24 new connections inside any 10-second window).

Anything less than that and Ansible was blocked again.

I applied it with:

~$ sudo ufw disable
~$ sudo ufw enable

ufw reload was not sufficient, as it would not replace the existing rule, just add the new rule next to it, which makes perfect sense since I'm adjusting the codebase.
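To see why an interactive login never trips the limit while a burst of short SSH sessions from one address does, and what the relaxed values still catch, the following is an added example that re-implements the matching logic of the three rules generated above (record every NEW connection per source address, block once at least --hitcount of them fall inside the last --seconds, and, because of --update, record one more hit whenever the block rule matches). It is not ufw's or the kernel's code, and the connection timings, source addresses and the two (seconds, hitcount) pairs are constructed from the values on this page rather than captured traffic.

```python
"""Model of the xt_recent rules that a ufw LIMIT rule expands to, replayed
over constructed SSH connection patterns.

Per limited port the backend emits:
  1. -m conntrack --ctstate NEW -m recent --set                 (record a hit)
  2. -m conntrack --ctstate NEW -m recent --update --seconds S --hitcount N
     -j <prefix>-user-limit                                      (log + reject)
  3. -j <prefix>-user-limit-accept                               (accept)
Added example: this reproduces the matching logic of those rules in Python;
it is not ufw's or the kernel's code. All traffic below is constructed.
"""
from collections import defaultdict


class LimitRule:
    """One per-source-address table with the semantics of rules 1 and 2."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)  # src address -> timestamps of hits

    def new_connection(self, src, now):
        """Return 'accept' or 'block' for a single NEW SYN from src at time now."""
        hits = self.stamps[src]
        hits.append(now)                 # rule 1 (--set) records every NEW packet
        # Only hits inside the window can ever match again, so older ones are
        # dropped. (xt_recent keeps a bounded ring buffer per address instead;
        # the verdicts are the same while that buffer holds >= hitcount entries.)
        hits[:] = [t for t in hits if now - t <= self.seconds]
        if len(hits) >= self.hitcount:   # rule 2 (--update --seconds --hitcount)
            hits.append(now)             # --update refreshes the entry on a match,
            return "block"               # so a client that keeps retrying extends its block
        return "accept"                  # rule 3


def replay(seconds, hitcount, attempts):
    """Run (time, src) NEW-connection attempts through one LimitRule; return the verdicts."""
    rule = LimitRule(seconds, hitcount)
    return [rule.new_connection(src, t) for t, src in attempts]


# Constructed traffic patterns (assumed addresses and timings, not captured data).
RUNNER = "203.0.113.10"    # CI runner opening a short SSH session every 2 s
ADMIN = "198.51.100.7"     # a person logging in twice, five minutes apart
ATTACKER = "192.0.2.99"    # password guessing: 40 attempts in 8 s

PLAYBOOK = [(2 * i, RUNNER) for i in range(12)]
INTERACTIVE = [(0, ADMIN), (300, ADMIN)]
BRUTE_FORCE = [(0.2 * i, ATTACKER) for i in range(40)]

BEFORE = (30, 3)    # the values this page started with
AFTER = (10, 24)    # the values this page settled on


def first_block(verdicts):
    """Index of the first blocked attempt, or None if every attempt was accepted."""
    return verdicts.index("block") if "block" in verdicts else None


def compare(before=BEFORE, after=AFTER):
    """For each pattern, report where each (seconds, hitcount) setting starts blocking."""
    patterns = (("playbook", PLAYBOOK), ("interactive", INTERACTIVE),
                ("brute_force", BRUTE_FORCE))
    return {
        name: {
            "before": first_block(replay(*before, attempts)),
            "after": first_block(replay(*after, attempts)),
        }
        for name, attempts in patterns
    }


if __name__ == "__main__":
    for pattern, result in compare().items():
        print(f"{pattern:12s} {BEFORE[0]}s/{BEFORE[1]}: first block at attempt "
              f"{result['before']}   {AFTER[0]}s/{AFTER[1]}: first block at attempt "
              f"{result['after']}")
```

With 30 s / 3 the runner's third session inside the window is rejected and every later one keeps the entry fresh, which is the [UFW LIMIT BLOCK] pattern described above; the two interactive logins never come close under either setting. With 10 s / 24 the playbook passes, and a source that hammers the port still gets blocked at its 24th attempt, so the relaxed rule remains a brute-force limit rather than an open door.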

Is there a better way of doing this? I can't find much information on overriding the hardcoded defaults in UFW, which I'd assume is done through custom rules, but again, no information.

I also saw that GitHub publishes the IP ranges of their Actions runners (https://api.github.com/meta), but holy crap it's long and not something that looked easy to manage in UFW.

