Public bug reported:

Binary package hint: ufw
UFW seems to inappropriately block incoming traffic when rules should allow that traffic. In the specific configuration in question, traffic for port 37000 is being blocked as 'INVALID'. The UFW package in question is ufw 0.16.1 on Ubuntu Hardy 8.04 (Development branch).

/var/log/messages contains several entries such as this one:

---
Apr 13 02:31:51 logic kernel: [470939.097911] [UFW BLOCK INVALID]: IN=eth1 OUT= MAC=00:02:2a:a0:[redacted]:00:13:46:3f:06:12:[redacted] SRC=71.59.106.[redacted] DST=192.168.0.101 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=10501 DF PROTO=TCP SPT=56917 DPT=37000 WINDOW=8192 RES=0x00 SYN URGP=0
---

This occurs despite having the following rules in the UFW configuration:

---
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere
Anywhere                   ALLOW   192.168.0.0/16
993:tcp                    ALLOW   Anywhere
37000:tcp                  ALLOW   Anywhere
37000:udp                  ALLOW   Anywhere
37001:tcp                  ALLOW   Anywhere
37001:udp                  ALLOW   Anywhere
37002:tcp                  ALLOW   Anywhere
37002:udp                  ALLOW   Anywhere
---

Traffic for ports 22 and 993 is handled correctly.
The following output may or may not be helpful:

---
$ sudo iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  anywhere             anywhere

Chain ufw-after-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  anywhere             anywhere

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            ctstate INVALID LOG level warning prefix `[UFW BLOCK INVALID]: '
DROP       all  --  anywhere             anywhere            ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ufw-user-input  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  anywhere             anywhere

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:37000
ACCEPT     udp  --  anywhere             anywhere            udp dpt:37000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:37001
ACCEPT     udp  --  anywhere             anywhere            udp dpt:37001
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:37002
ACCEPT     udp  --  anywhere             anywhere            udp dpt:37002
RETURN     all  --  anywhere             anywhere

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
---

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

--
UFW blocks traffic inappropriately
https://bugs.launchpad.net/bugs/216661
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
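As an added triage example (not part of the bug report or of ufw itself), the script below parses `[UFW BLOCK ...]` kernel log lines and the `ufw status` table and flags blocked packets whose destination port an ALLOW rule covers, which is exactly the symptom reported: in the chain listing above, the `ctstate INVALID` LOG and DROP rules in `ufw-before-input` are evaluated before the jump to `ufw-user-input`, so a packet that conntrack classifies as INVALID is dropped before the user's allow rules are consulted. The sample log and status text are constructed from the report (redactions kept); the second log line, for port 8080, is hypothetical.

```python
import re
# Constructed samples: the kernel log line from this report (redactions kept) and a
# hypothetical second line for port 8080, which no ALLOW rule covers.
SAMPLE_LOG = """\
Apr 13 02:31:51 logic kernel: [470939.097911] [UFW BLOCK INVALID]: IN=eth1 OUT= MAC=00:02:2a:a0:[redacted]:00:13:46:3f:06:12:[redacted] SRC=71.59.106.[redacted] DST=192.168.0.101 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=10501 DF PROTO=TCP SPT=56917 DPT=37000 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 13 02:32:10 logic kernel: [470958.001234] [UFW BLOCK INPUT]: IN=eth1 OUT= SRC=10.0.0.9 DST=192.168.0.101 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
"""
# Constructed sample: an abbreviated copy of the `ufw status` table from this report.
SAMPLE_STATUS = """\
To                         Action  From
--                         ------  ----
Anywhere                   ALLOW   192.168.0.0/16
993:tcp                    ALLOW   Anywhere
37000:tcp                  ALLOW   Anywhere
37000:udp                  ALLOW   Anywhere
"""
LOG_RE = re.compile(r"\[UFW BLOCK (?P<reason>[A-Z-]+)\]: (?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ufw_log(text):
    """Yield one dict per '[UFW BLOCK ...]' line: reason, key=value fields, TCP flags."""
    for line in text.splitlines():
        if m := LOG_RE.search(line):
            entry = {"reason": m.group("reason"), "flags": set()}
            for tok in m.group("rest").split():
                key, sep, val = tok.partition("=")
                if sep:
                    entry[key] = val         # e.g. DPT=37000 (OUT= yields "")
                elif tok in TCP_FLAGS:
                    entry["flags"].add(tok)  # bare tokens such as SYN
            yield entry

def parse_ufw_status(text):
    """Return the (port, proto) pairs that `ufw status` lists as ALLOW from Anywhere."""
    allowed = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 3 and cols[1:] == ["ALLOW", "Anywhere"] and ":" in cols[0]:
            port, proto = cols[0].split(":", 1)
            allowed.add((int(port), proto))
    return allowed

def find_conflicts(log_text, status_text):
    """Return (dpt, proto, reason, flags) for blocked packets whose port an ALLOW rule
    covers; a SYN logged as INVALID here was dropped in ufw-before-input, not by a rule."""
    allowed = parse_ufw_status(status_text)
    return [(int(e["DPT"]), e["PROTO"].lower(), e["reason"], sorted(e["flags"]))
            for e in parse_ufw_log(log_text)
            if "DPT" in e and (int(e["DPT"]), e["PROTO"].lower()) in allowed]
```

Run against a real /var/log/messages and `ufw status` output, a non-empty result is the signal to inspect conntrack state (for example a stale entry for the same 5-tuple) rather than the user rule set.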