Thank you for your report. Please note that for usability a default
ruleset is put in use by design and documented in the ufw(8) man page.
Users are free to fine-tune those defaults for site-specific needs as
described in the ufw-framework(8) man page. As a result option 'a' is
out of scope. Option 'b' does make sense and is something that can be
looked at with 'status verbose' (implementation-wise it might make sense
to check if all the defaults are in use and if they are, mention those
defaults, and if they are not, mention that custom rules are in effect).
I'm not sure yet how this should be represented in the UI.

** Summary changed:

- ufw still allows incoming packets when policy is set to deny
+ ufw allows certain incoming packets when policy is set to deny

** Information type changed from Private Security to Public

** Summary changed:

- ufw allows certain incoming packets when policy is set to deny
+ 'ufw status verbose' should mention some details of the default ruleset

** Changed in: ufw (Ubuntu)
       Status: New => Triaged

** Changed in: ufw (Ubuntu)
   Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/1820350

Title:
  'ufw status verbose' should mention some details of the default
  ruleset

Status in ufw package in Ubuntu:
  Triaged

Bug description:
  Hello,

  ufw can be configured with a default profile of DENY all incoming
  packets. When "ufw status verbose" is called, it seems like indeed all
  incoming packets would be dropped/denied.

  However, there are some exceptions, which are only visible when
  "iptables -S" is called. Examples for allowed incoming network
  traffic:

  - Incoming datagrams to UDP port 68, when UDP source port is set to 67
  - Incoming datagrams to UDP port 5353, sent to 224.0.0.251/32
  - Incoming datagrams to UDP port 1900, sent to 239.255.255.250/32
  - Incoming ICMP packets of type 3 (Destination Unreachable)
  - Incoming ICMP packets of type 11 (Time Exceeded)
  - Incoming ICMP packets of type 12 (Parameter Problem)
  - Incoming ICMP packets of type 8 (Echo)

  What I'm most worried about, is that these exceptions are not visible
  in the ufw interface, when "ufw status verbose" is called. This is a
  bit misleading, since users who set a DENY all rule would expect that
  really all packets are denied.

  Users could still query iptables directly to see what's going on, but
  as far as I'm aware ufw acts as a user-friendly wrapper with the advantage
  of not having to deal with iptables, so this can lead to wrong
  expectations.

  
  In particular, consider the following scenarios:

  - Malicious software listens on UDP port 68 (elevated privileges) and
  receives datagrams with a source port of 67 from another piece of
  malware, although ufw policy is set to DENY.

  - Malicious software listens on UDP port 1900 (non-elevated
  privileges) and receives datagrams sent to multicast address
  239.255.255.250/32 from another piece of malware residing in the same
  subnet, although ufw policy is set to DENY.

  - Malicious software listens on UDP port 5353 (non-elevated
  privileges) and receives datagrams sent to multicast address
  224.0.0.251/32 from another piece of malware residing in the same
  subnet, although ufw policy is set to DENY.

  etc.
  ...
  ...

  
  My suggestions (from most to least restrictive):

  a) Really block everything when "ufw default DENY" is called. Without any
  exceptions.
  b) If you would like to keep UDP ports 68, 1900 and 5353 and ICMP types in
  the list, although "ufw default DENY" was called, these exceptions should be
  displayed in "ufw status"

  
  --------------------------------

  In the following you can find the invoked commands and a list of all
  iptables rules, created by ufw when the policy is set to DENY:

  
  Examples:

  ~$ ufw --version
  ufw 0.35
  Copyright 2008-2015 Canonical Ltd.

  ~$ sudo ufw default DENY
  Default incoming policy changed to 'deny'
  (be sure to update your rules accordingly)

  ~$ sudo ufw status verbose
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), disabled (routed)
  New profiles: skip


  ~$ sudo iptables -S
  -P INPUT DROP
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -N ufw-after-forward
  -N ufw-after-input
  -N ufw-after-logging-forward
  -N ufw-after-logging-input
  -N ufw-after-logging-output
  -N ufw-after-output
  -N ufw-before-forward
  -N ufw-before-input
  -N ufw-before-logging-forward
  -N ufw-before-logging-input
  -N ufw-before-logging-output
  -N ufw-before-output
  -N ufw-logging-allow
  -N ufw-logging-deny
  -N ufw-not-local
  -N ufw-reject-forward
  -N ufw-reject-input
  -N ufw-reject-output
  -N ufw-skip-to-policy-forward
  -N ufw-skip-to-policy-input
  -N ufw-skip-to-policy-output
  -N ufw-track-forward
  -N ufw-track-input
  -N ufw-track-output
  -N ufw-user-forward
  -N ufw-user-input
  -N ufw-user-limit
  -N ufw-user-limit-accept
  -N ufw-user-logging-forward
  -N ufw-user-logging-input
  -N ufw-user-logging-output
  -N ufw-user-output
  -A INPUT -j ufw-before-logging-input
  -A INPUT -j ufw-before-input
  -A INPUT -j ufw-after-input
  -A INPUT -j ufw-after-logging-input
  -A INPUT -j ufw-reject-input
  -A INPUT -j ufw-track-input
  -A FORWARD -j ufw-before-logging-forward
  -A FORWARD -j ufw-before-forward
  -A FORWARD -j ufw-after-forward
  -A FORWARD -j ufw-after-logging-forward
  -A FORWARD -j ufw-reject-forward
  -A FORWARD -j ufw-track-forward
  -A OUTPUT -j ufw-before-logging-output
  -A OUTPUT -j ufw-before-output
  -A OUTPUT -j ufw-after-output
  -A OUTPUT -j ufw-after-logging-output
  -A OUTPUT -j ufw-reject-output
  -A OUTPUT -j ufw-track-output
  -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
  -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
  -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
  -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
  -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
  -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
  -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
  -A ufw-before-forward -j ufw-user-forward
  -A ufw-before-input -i lo -j ACCEPT
  -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
  -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
  -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
  -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
  -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
  -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
  -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
  -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
  -A ufw-before-input -j ufw-not-local
  -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
  -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
  -A ufw-before-input -j ufw-user-input
  -A ufw-before-output -o lo -j ACCEPT
  -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A ufw-before-output -j ufw-user-output
  -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
  -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
  -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
  -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
  -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
  -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
  -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
  -A ufw-not-local -j DROP
  -A ufw-skip-to-policy-forward -j DROP
  -A ufw-skip-to-policy-input -j DROP
  -A ufw-skip-to-policy-output -j ACCEPT
  -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
  -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
  -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
  -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
  -A ufw-user-limit-accept -j ACCEPT

  
  Best Regards,
  Bastian Kanbach
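As an added example (not ufw's own code), the check sketched in the maintainer's comment, run over lines taken from the `iptables -S` dump in the report: it pulls the ACCEPT rules out of the `ufw-before-input` chain, which is exactly the traffic that a `Default: deny (incoming)` status line does not mention. The sample input is constructed from the dump above; the chain name is the one shown on the page.

```python
import shlex

# Constructed sample: INPUT-path lines taken from the report's 'iptables -S' dump.
SAMPLE_DUMP = """\
-P INPUT DROP
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
"""

def parse_accepts(dump, chain="ufw-before-input"):
    """Return the match criteria (flag -> value) of each ACCEPT rule in `chain`."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        args, crit, i = tok[2:-2], {}, 0
        while i < len(args):
            if args[i] != "-m":          # '-m ext' only loads a match extension
                crit[args[i].lstrip("-")] = args[i + 1]
            i += 2
        rules.append(crit)
    return rules

def describe(crit):
    """Render one rule's criteria the way a status screen could show it."""
    if "i" in crit:
        return f"any traffic on interface {crit['i']}"
    if "ctstate" in crit:
        return f"packets in conntrack state {crit['ctstate']}"
    if crit.get("p") == "icmp":
        return f"icmp type {crit['icmp-type']}"
    parts = [crit.get("p", "any")]
    if "d" in crit:
        parts.append(f"to {crit['d']}")
    if "dport" in crit:
        parts.append(f"dport {crit['dport']}")
    if "sport" in crit:
        parts.append(f"from sport {crit['sport']}")
    return " ".join(parts)

def hidden_exceptions(dump):
    """Traffic accepted before the user chain and the default-deny policy apply."""
    return [describe(c) for c in parse_accepts(dump)]
```

Feeding the real output of `iptables -S` to `hidden_exceptions` lists every built-in accept that the current `status verbose` output hides; rules in the `ufw-before-input` chain that are not in this list would indicate site-specific edits to before.rules.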
