Firewall rule in before6.rules for dhcp6 is wrong

Bug #1882314 reported by Joshua Stark
Affects: ufw (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

When running DHCPv6, clients are not able to get an IP address.
The firewall rule in ip6tables is incorrect and is not allowing client requests in. The ports need to be swapped and the dst address needs to be removed, as it's a broadcast.

The file delivered, /usr/share/ufw/iptables/before6.rules, is then copied to /etc/ufw/before6.rules.

Delivered by Package:

# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

The ports for --sport and --dport are swapped, and -d fe80::/10 needs to be removed.

Should be:

-A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT

Package version found in:
  0.36-0ubuntu0.1

Joshua Stark (starkjs)
description: updated
Joshua Stark (starkjs)
description: updated
Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug.

The firewall policy is a combination of the default policy for each of 'incoming', 'outgoing' and 'routed' (forward) along with the policies shipped in before{,6}.rules, after{,6}.rules and whatever gets added to user{,6}.rules. Specifically, what is in before{,6}.rules is designed with default deny for incoming (and forward), default allow for outgoing and default accept for established connections. Considering that dhcpv6 uses port 546/udp for the client and port 547/udp for the server, the shipped default policy allows:

* outgoing from this host port 546/udp to any port 547/udp (via default allow outgoing; eg, for dhcp request)
* incoming for established connection (via before6.rules RELATED,ESTABLISHED; eg, dhcp reply from the server we connected to on port 547/udp)
* incoming from fe80::/10 port 547/udp (via the before6.rules you mentioned; eg, for a server responding to the broadcast)

I suspect that you've updated your default policy to deny to perform egress filtering so you need to add a corresponding 'ufw allow out to ff02::1:2 port 547 proto udp comment "dhcpv6 solicit"' rule or similar.
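To make the three-part policy in this reply concrete, here is an added example (not code from the bug report or from ufw itself): a small POSIX sh model of the ufw IPv6 input path that returns the verdict the shipped defaults would give for a handful of constructed DHCPv6 datagrams. It assumes exactly what the reply lists (default deny incoming, default allow outgoing, RELATED/ESTABLISHED accepted, and the before6.rules rule for fe80::/10 port 547 to port 546); the optional "server" rule it can switch on is a hypothetical extra rule, not something the package ships, and the lowercase-only address matching is a simplification of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: a small model of the ufw IPv6
# policy described above, used to see which DHCPv6 packets the shipped
# defaults accept. Modelled assumptions: default deny incoming, default
# allow outgoing, RELATED/ESTABLISHED accepted, and the shipped
# before6.rules rule (-s fe80::/10 --sport 547 -d fe80::/10 --dport 546).
# Addresses must be written in lowercase, as the patterns below expect.

# in_ll6 ADDR -> exit 0 when ADDR lies in fe80::/10 (link-local), else 1
in_ll6() {
  case "$1" in
    fe8?:*|fe9?:*|fea?:*|feb?:*) return 0 ;;
    *) return 1 ;;
  esac
}

# policy DIR STATE SRC SPORT DST DPORT [SERVER]
#   DIR is in|out, STATE is new|established, SERVER is yes|no (default no).
#   Echoes ACCEPT or DROP, the verdict the modelled chain would give.
#   SERVER=yes adds the one hypothetical rule a DHCPv6 *server* host would
#   need and the shipped before6.rules does not carry: accept new datagrams
#   from fe80::/10 to port 547/udp.
policy() {
  dir=$1 state=$2 src=$3 sport=$4 dst=$5 dport=$6 server=${7:-no}
  # default allow outgoing: the client's solicit to ff02::1:2 port 547 leaves freely
  if [ "$dir" = out ]; then echo ACCEPT; return 0; fi
  # before6.rules RELATED,ESTABLISHED: replies to flows conntrack already knows
  if [ "$state" = established ]; then echo ACCEPT; return 0; fi
  # shipped DHCPv6 client rule: an on-link server answering from port 547
  if in_ll6 "$src" && [ "$sport" = 547 ] && in_ll6 "$dst" && [ "$dport" = 546 ]; then
    echo ACCEPT; return 0
  fi
  # hypothetical server-side rule, absent from the shipped before6.rules
  if [ "$server" = yes ] && in_ll6 "$src" && [ "$dport" = 547 ]; then
    echo ACCEPT; return 0
  fi
  # default deny incoming
  echo DROP
  return 0
}

# show LABEL DIR STATE SRC SPORT DST DPORT [SERVER] -> prints one verdict line
show() { label=$1; shift; printf '%-32s %s\n' "$label" "$(policy "$@")"; }

# Constructed sample datagrams (link-local and documentation-range addresses):
#   1. client solicit leaving this host     -> ACCEPT (default allow outgoing)
#   2. on-link server advertise coming back -> ACCEPT (before6.rules rule)
#   3. client solicit arriving at a server  -> DROP   (shipped defaults)
#   4. same, with the server rule switched on -> ACCEPT
#   5. off-link host answering as a server  -> DROP   (fails -s fe80::/10)
show "1 client solicit out"       out new fe80::1     546 ff02::1:2 547
show "2 server advertise in"      in  new fe80::2     547 fe80::1   546
show "3 solicit at server host"   in  new fe80::1     546 ff02::1:2 547
show "4 same, with server rule"   in  new fe80::1     546 ff02::1:2 547 yes
show "5 off-link server reply"    in  new 2001:db8::5 547 fe80::1   546
```

Case 2 is why the shipped rule exists at all: the solicit went to the multicast address ff02::1:2, so the unicast advertise that comes back from the server's link-local address is not a reply conntrack can pair with the outgoing flow, and it would be dropped by default deny without that rule. Case 3 is the situation a DHCPv6 server host is in, and case 5 shows what the -s fe80::/10 restriction buys: an advertise from anything that is not on the link never reaches the client.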

Jamie Strandboge (jdstrand) wrote :

Marking as Invalid since the default firewall policy is working as intended.

Changed in ufw (Ubuntu):
status: New → Invalid
Joshua Stark (starkjs) wrote :

Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv6 server.

I will revert the UFW changes I have made and add in a new /etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv6 server

Thanks
Josh

PS. isc-dhcp-server6, when set up, by default is not using "raw" sockets and thus the ufw rules are enforced.
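The application profile mentioned in this last comment is a short ini-style file that ufw reads from /etc/ufw/applications.d/. As an added example (this is not the reporter's file and not anything ufw ships), the script below writes such a profile for a DHCPv6 server into a directory given on the command line, checks that the four fields ufw reads are present, and prints the allow rule that opens the profile's port to on-link clients only, the same fe80::/10 scope the shipped before6.rules rule uses. The profile name "DHCPv6-Server", the file name "dhcp6-server" and the temporary directory default are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the bug report: a ufw application profile for a
# DHCPv6 server, written to a directory of your choice and checked for the
# keys ufw expects. On a real host the profile lives in
# /etc/ufw/applications.d/; the directory is a parameter here so the script
# can be tried anywhere. The profile name "DHCPv6-Server" and the file name
# "dhcp6-server" are this example's own choices.

# write_dhcp6_server_profile DIR -> writes DIR/dhcp6-server and echoes its path
write_dhcp6_server_profile() {
  f="$1/dhcp6-server"
  cat > "$f" <<'EOF'
[DHCPv6-Server]
title=DHCPv6 server
description=ISC DHCPv6 server (isc-dhcp-server6): client solicits arrive on 547/udp
ports=547/udp
EOF
  echo "$f"
}

# profile_ports FILE -> echoes the value of the ports= key
profile_ports() { sed -n 's/^ports=//p' "$1"; }

# profile_ok FILE -> exit 0 when the section header and the title=,
# description= and ports= keys are all present. The ports= check is a
# simplified one (a single port or port range with a protocol); ufw itself
# also accepts comma-separated lists and |-separated groups.
profile_ok() {
  grep -q '^\[[^]]*\]$' "$1" &&
  grep -q '^title=' "$1" &&
  grep -q '^description=' "$1" &&
  grep -Eq '^ports=[0-9]+(:[0-9]+)?/(tcp|udp)$' "$1"
}

# allow_rule -> echoes the ufw command that admits solicits from on-link
# clients only (fe80::/10), matching the scope before6.rules uses for the
# client side; off-link relay agents would need a separate, narrower rule.
allow_rule() {
  echo "ufw allow in from fe80::/10 to any app DHCPv6-Server comment 'dhcpv6 server'"
}

dir=${1:-$(mktemp -d)}   # assumption: a scratch directory when none is given
file=$(write_dhcp6_server_profile "$dir")
if profile_ok "$file"; then
  printf 'wrote %s (ports=%s)\n' "$file" "$(profile_ports "$file")"
  printf 'after copying it to /etc/ufw/applications.d/, run:\n  %s\n' "$(allow_rule)"
else
  echo "profile $file is missing a required key" >&2
  exit 1
fi
```

Keeping the source restricted to fe80::/10 rather than allowing port 547/udp from anywhere keeps the server's exposure the same as the client side's: only hosts on the link can reach it, which is all a plain (non-relayed) DHCPv6 deployment needs.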
