Firewall settings for webhook towards Jenkins


I've been trying to set up webhooks to automate Jenkins builds for a few 'days' (not continuously of course) but have miserably failed.

Environment: Debian 10.11

My Jenkins server resides behind an nginx reverse proxy (a 2nd physical host) which serves as the SSL frontend, so it's used to do port forwarding of the SSL port towards the default 8080 port. On the nginx server/reverse proxy I have a firewall set up which blocks everything except for IPs that I allow.
If I disable the firewall on the nginx server everything works as expected.
Firewall enabled: "Failed to connect to host" as the result in the GitHub webhooks recent deliveries.
So the missing link is the correct firewall settings, imho.

I have found the meta page ( and added the subnets from the “hooks” section with no limitation on port or protocol.
The incoming address (with the firewall off) is which is part of the as found on the meta page. I have added that address explicitly in the firewall rules, but to no avail.

EDIT: added ufw status numbered output:

> [68] Anywhere                   ALLOW IN           
> [69] Anywhere                   ALLOW IN          
> [70] Anywhere                   ALLOW IN           
> [71] Anywhere                   ALLOW IN            
> [72] Anywhere                   ALLOW IN

I am most confident that someone here has already put in place the same setup, so if he/she can shed some light or give a hint I would be most grateful.

Yes read about things like but I don’t want to add another hop for something this trivial.

kind regards,

The issue in the end was in the rule hierarchy.

As mentioned, my nginx server blocks everything (DROP) based on a CIDR zone list I fetch from the internet.
A bash script weekly updates the before.rules accordingly, together with fail2ban etc…

Anyway, the extra rules I added as mentioned in the opening post were applied AFTER I already dropped the packets… so they never made it in, obviously.
Adapted my bash script to skip the creation of the DROP rule for the IPs delivered by the GitHub API.

All works well now.
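
The ordering problem and the fix described above, as an added example that is not part of the original posts: it models first-match rule evaluation and goes one step further than an exact-match skip by carving webhook ranges out of larger DROP zones that contain them. All addresses are constructed documentation ranges, and the function names and the default-drop policy are assumptions for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real zone-list
# or GitHub values. HOOK_RANGES stands in for the "hooks" list of the meta page.
DROP_ZONES = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.128/26"]
HOOK_RANGES = ["198.51.100.64/26", "192.0.2.128/25"]


def first_match(rules, src):
    """Walk the rules top to bottom, as a netfilter chain does: first match wins."""
    addr = ipaddress.ip_address(src)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return "DROP"  # assumed default policy: block everything not allowed


def carve_out(drop_zones, allow_ranges):
    """Return the DROP networks with every allow range removed from them."""
    allows = [ipaddress.ip_network(a) for a in allow_ranges]
    result = []
    for zone in map(ipaddress.ip_network, drop_zones):
        pieces = [zone]
        for allow in allows:
            remaining = []
            for p in pieces:
                if p.version != allow.version or not p.overlaps(allow):
                    remaining.append(p)          # unrelated: keep the DROP
                elif p.subnet_of(allow):
                    continue                     # fully allowed: no DROP rule
                else:
                    remaining.extend(p.address_exclude(allow))  # split around it
            pieces = remaining
        result.extend(pieces)
    return result


def broken_order():
    """DROP zones first, allow rules appended afterwards (the failing setup)."""
    return [("DROP", z) for z in DROP_ZONES] + [("ALLOW", h) for h in HOOK_RANGES]


def fixed_order():
    """DROP rules generated only for what remains after removing hook ranges."""
    drops = [("DROP", str(n)) for n in carve_out(DROP_ZONES, HOOK_RANGES)]
    return drops + [("ALLOW", h) for h in HOOK_RANGES]


if __name__ == "__main__":
    for name, rules in (("broken", broken_order()), ("fixed", fixed_order())):
        print(name, first_match(rules, "198.51.100.70"))
```
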