Firewall rule in before6.rules for dhcp6 is wrong
Bug #1882314 reported by
Joshua Stark
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
When running DHCPv6, clients are not able to get an IP address.
The firewall rule in ip6tables is incorrect, and is not allowing client requests in. The ports need to be swapped and the dst address needs to be removed, as it's a broadcast.
The file delivered - /usr/share/
which is then copied to - /etc/ufw/
Delivered by Package:
# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
The ports for --sport and --dport are swapped
-d fe80::/10 needs to be removed
Should be:
-A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT
Package version found in:
0.36-0ubuntu0.1
Thank you for filing a bug.
The firewall policy is a combination of the default policy for each of 'incoming', 'outgoing' and 'routed' (forward) along with the policies shipped in before{,6}.rules, after{,6}.rules and whatever gets added to user{,6}.rules. Specifically, what is in before{,6}.rules is designed with default deny for incoming (and forward), default allow for outgoing and default accept for established connections. Considering that dhcpv6 uses port 546/udp for the client and port 547/udp for the server, the shipped default policy allows:
* outgoing from this host port 546/udp to any port 547/udp (via default allow outgoing; eg, for dhcp request)
* incoming for established connection (via before6.rules RELATED,ESTABLISHED; eg, dhcp reply from the server we connected to on port 547/udp)
* incoming from fe80::/10 port 547/udp (via the before6.rules you mentioned; eg, for a server responding to the broadcast)
I suspect that you've updated your default policy to deny to perform egress filtering so you need to add a corresponding 'ufw allow out to ff02::1:2 port 547 proto udp comment "dhcpv6 solicit"' rule or similar.
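The policy composition described in the reply above (default deny incoming, default allow outgoing, RELATED/ESTABLISHED bypass, plus the shipped before6.rules entry) can be modelled in a few lines to see why the shipped rule is correct for a DHCPv6 client, why the reporter's swapped version would not help a client, and why egress filtering needs the extra allow-out rule. The following is an added illustration, not ufw's own code; the packet model, the `Rule`/`Packet` classes, the `evaluate` function and the sample addresses (fe80::1 as the client, fe80::2 as the server) are constructed for this example. Conntrack state is supplied by hand: a reply to a multicast solicit does not match the original flow, so it arrives as NEW, which is exactly why the explicit before6 rule is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of ufw's IPv6 policy composition (illustration only).


@dataclass
class Packet:
    direction: str          # "in" or "out" relative to this host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    chain: str              # "input" or "output"
    proto: str
    src: Optional[str]      # network in CIDR form, or None for any
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    target: str             # "ACCEPT" or "DROP"


def in_net(addr: str, net: Optional[str]) -> bool:
    """True when addr falls inside net, or when the rule does not constrain it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and in_net(pkt.src, rule.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and in_net(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule],
             default_in: str = "deny", default_out: str = "allow") -> str:
    """Verdict for one packet: conntrack bypass, then explicit rules, then default policy."""
    # before6.rules accepts RELATED,ESTABLISHED on input before anything else.
    if pkt.direction == "in" and pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    chain = "input" if pkt.direction == "in" else "output"
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target
    default = default_in if pkt.direction == "in" else default_out
    return "ACCEPT" if default == "allow" else "DROP"


# The rule as shipped in before6.rules: server (547) -> client (546), link-local both ends.
BEFORE6_SHIPPED = [Rule("input", "udp", "fe80::/10", 547, "fe80::/10", 546, "ACCEPT")]

# The reporter's proposed replacement: client (546) -> server (547), no -d constraint.
REPORTER_PROPOSED = [Rule("input", "udp", "fe80::/10", 546, None, 547, "ACCEPT")]

# Equivalent of 'ufw allow out to ff02::1:2 port 547 proto udp' from the reply.
EGRESS_DHCPV6 = Rule("output", "udp", None, None, "ff02::1:2", 547, "ACCEPT")


def dhcpv6_client_exchange(rules: List[Rule],
                           default_out: str = "allow") -> Tuple[str, str]:
    """Verdicts for a client's Solicit (out) and the server's Advertise (in)."""
    # Constructed sample: this host is fe80::1, the DHCPv6 server is fe80::2.
    solicit = Packet("out", "udp", "fe80::1", 546, "ff02::1:2", 547)
    # The reply comes unicast from the server; conntrack does not tie it to the
    # multicast solicit, so it is NEW and must be matched by an explicit rule.
    advertise = Packet("in", "udp", "fe80::2", 547, "fe80::1", 546)
    return (evaluate(solicit, rules, default_out=default_out),
            evaluate(advertise, rules, default_out=default_out))


if __name__ == "__main__":
    print("shipped rule, default allow out:", dhcpv6_client_exchange(BEFORE6_SHIPPED))
    print("shipped rule, default deny out: ", dhcpv6_client_exchange(BEFORE6_SHIPPED, "deny"))
    print("shipped rule + egress allow:    ",
          dhcpv6_client_exchange(BEFORE6_SHIPPED + [EGRESS_DHCPV6], "deny"))
    print("reporter's swapped rule:        ", dhcpv6_client_exchange(REPORTER_PROPOSED))
```

With the shipped rule both halves of the client exchange are accepted. Switching the outgoing default to deny drops the Solicit while the Advertise would still be accepted, which is the egress-filtering case the reply describes; adding the allow-out rule restores the exchange. The reporter's swapped rule accepts nothing on the client side, because it matches incoming packets with source port 546 (a client talking to a server), not the server's reply arriving from port 547.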