Package: ufw
Version: 0.36-7.1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

Hello,

I use my server as a kind of VPN server, but I only want my client to use a specific IP address. So I used the following rules:

```
ufw route deny out on client09 from any to any comment 'vpn client09'
ufw route deny in on client09 from any to any comment 'vpn client09'
ufw route prepend allow in on client09 from 172.22.149.116 comment 'vpn client09'
ufw route prepend allow in on client09 from fd04:234e:fc31:e::9 comment 'vpn client09'
```

However, I can send ping requests without 'ufw route prepend allow' and get a response, whereas the rule clearly says Deny. Apparently ping requests are always allowed through.

As a workaround I can add the following manually:

```
-A ufw-before-forward -i client09 -p icmp -s 172.22.149.116 -j ACCEPT
-A ufw-before-forward -i client09 -p icmp -j DROP
-A ufw6-before-forward -i client09 -p ipv6-icmp -s fd92:58b6:2b2:e::9 -j ACCEPT
-A ufw6-before-forward -i client09 -p ipv6-icmp -j DROP
```

I have set `DEFAULT_FORWARD_POLICY="ACCEPT"`.

However, I think (and hope) that this behavior is not intentional. Hence this bug report. If I forbid a forwarding it has a good reason and then I also want this to be forbidden.

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 11.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-22-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  iptables               1.8.7-1
ii  lsb-base               11.1.0
ii  python3                3.9.2-3
ii  ucf                    3.0043

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.2102.0-2+deb11u1

-- debconf information excluded

-- debsums errors found:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = "en_US:en",
    LC_ALL = (unset),
    LC_TIME = "de_DE.UTF-8",
    LC_MONETARY = "de_DE.UTF-8",
    LC_ADDRESS = "de_DE.UTF-8",
    LC_TELEPHONE = "de_DE.UTF-8",
    LC_NAME = "de_DE.UTF-8",
    LC_MEASUREMENT = "de_DE.UTF-8",
    LC_IDENTIFICATION = "de_DE.UTF-8",
    LC_NUMERIC = "de_DE.UTF-8",
    LC_PAPER = "de_DE.UTF-8",
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
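
Added example, not part of the original report and not ufw's own code: a minimal first-match model of the rule ordering behind the behaviour and the workaround described above. It assumes the stock ICMP accepts from ufw's default before.rules are present and that ufw-before-forward is evaluated before ufw-user-forward; the rule excerpts, the source 172.22.149.200 used when calling it, and the helper names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed rule excerpts. STOCK mirrors the ICMP accepts in ufw's default
# before.rules (assumed present); USER approximates what the report's
# "ufw route" rules generate; WORKAROUND is the IPv4 part of the report's fix.
STOCK = """
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
"""
USER = """
-A ufw-user-forward -i client09 -s 172.22.149.116 -j ACCEPT
-A ufw-user-forward -i client09 -j DROP
"""
WORKAROUND = """
-A ufw-before-forward -i client09 -p icmp -s 172.22.149.116 -j ACCEPT
-A ufw-before-forward -i client09 -p icmp -j DROP
"""

def parse(text):
    """Turn iptables-restore '-A' lines into dicts of option -> value."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rules.append(dict(zip(tok[0::2], tok[1::2])))
    return rules

def matches(rule, pkt):
    """True if every match option present in the rule agrees with the packet."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--icmp-type" in rule and rule["--icmp-type"] != pkt.get("icmp_type"):
        return False
    if "-s" in rule:
        net = ipaddress.ip_network(rule["-s"])
        return ipaddress.ip_address(pkt["src"]) in net
    return True

def verdict(rule_texts, pkt, default="ACCEPT"):
    """First matching rule wins; rule_texts are given in evaluation order."""
    for text in rule_texts:
        for rule in parse(text):
            if matches(rule, pkt):
                return rule["-j"], rule["-A"]
    return default, "policy"  # DEFAULT_FORWARD_POLICY from the report
```

Calling `verdict([STOCK, USER], pkt)` models the reported setup, and `verdict([WORKAROUND, STOCK, USER], pkt)` models the workaround; with the order `[STOCK, WORKAROUND, USER]` an echo request is still accepted, so in this model the workaround lines only take effect when they sit above the stock ICMP accepts.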