My Robo server can access some IPs, but not some others. Weird!
I explicitely enabled outgoing IPv4 TCP + UDP traffic. Four entries in total:
- IPv4 TCP
- IPv4 UDP
- IPv6 TCP
- IPv6 UDP
Doesn't look like it did anything.
I just restarted the server, waiting for it to come back up...
It didn't help.
apt update... of course, that doesn't work, because I can't access half of the IPs.
Disabling the firewall solves the issue!
I am using the "SSH" firewall template.
I also added my custom SSH rule (deny outgoing TCP 5555 to the Internet).
It worked!
It also works connections to port 5555.
Here is the configuration I ended up with.
Note that everything here is default from the "SSH" template, except the "ADB"/"port 555" rule.
One problem: outgoing DNS requests to Internet resolvers fail, because the UDP response packets don't reach my server.
DNS works like this:
- an UDP packet is sent
- an UDP packet is received
There is no "connection". Hetzner's firewall apparently doesn't keep track of DNS requests.
From what I can see, the response packet is sent in response to the source port of the UDP packet. This port is always high, but I'm too lazy to figure out the range. I am thus allowing all incoming UDP traffic to my machine.
The main difference seems that the template allows "TCP established" packets to be received, with flag set to "ack".
I am a bit surprised, given that I didn't know this was a requirement.
There is so much I have to learn still...