Package: ufw
Version: 0.33-2
Severity: important

Dear Maintainer,

I just installed ufw.

As mentioned in the documentation, the defaults are:

Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing)
New profiles: skip

(I just enabled full logging to see what's happening)

The problem is that the default setup blocks all my connectivity.

Looking into it by running tcpdump on the remote server, I see that
outgoing packets are reaching the remote server, but the SYN+ACKs of the
remote server never reach me. According to the documentation:

"On installation, ufw is disabled with a default incoming policy of deny
and a default outgoing policy of allow, with stateful tracking for NEW
connections."

But it seems to me that that does not work. The responses of the remote
server trying to establish a TCP connection that I initiated are not
permitted to pass.

Here's a listing of iptables --list:

Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (0 references)
target     prot opt source               destination         

Chain ufw-after-forward (0 references)
target     prot opt source               destination         

Chain ufw-after-input (0 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-after-output (0 references)
target     prot opt source               destination         

Chain ufw-before-forward (0 references)
target     prot opt source               destination         
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (0 references)
target     prot opt source               destination         

Chain ufw-reject-input (0 references)
target     prot opt source               destination         

Chain ufw-reject-output (0 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-input (0 references)
target     prot opt source               destination         

Chain ufw-track-output (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination



-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.53
ii  iptables               1.4.21-2
ii  python3                3.4.2-1
pn  python3:any            <none>
ii  ucf                    3.0030

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.4.2-1

-- debconf information:
  ufw/existing_configuration:
  ufw/enable: false
  ufw/allow_custom_ports:
  ufw/allow_known_ports:

