Firewall rule in before.rules for dhcp is wrong
Bug #1882484 reported by Joshua Stark
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
The file delivered - /usr/share/
which is then copied to - /etc/ufw/
Delivered by Package:
```
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
```
The ports for --sport and --dport are swapped. Should be:
```
-A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT
```
Package version found in: 0.36-0ubuntu0.1
Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't drop the packets with the incorrect configuration. This has had me stumped for the last hour.
Thank you for filing a bug.
The firewall policy is a combination of the default policy for each of 'incoming', 'outgoing' and 'routed' (forward) along with the policies shipped in before{,6}.rules, after{,6}.rules and whatever gets added to user{,6}.rules. Specifically, what is in before{,6}.rules is designed with default deny for incoming (and forward), default allow for outgoing and default accept for established connections. Considering that dhcp uses port 68/udp for the client and port 67/udp for the server, the shipped default policy allows:
* outgoing from this host port 68/udp to any port 67/udp (via default allow outgoing; eg, for dhcp request)
* incoming for established connection (via before.rules RELATED,ESTABLISHED; eg, dhcp reply from the server we connected to on port 67/udp)
* incoming from port 67/udp (via the before.rules you mentioned; eg, for a server responding to the broadcast)
I suspect that you've updated your default policy to deny to perform egress filtering so you need to add a corresponding 'ufw allow out to any port 67 proto udp comment "dhcp discover"' rule or similar.
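The following is an added illustration, not code from ufw or from either participant, that models the policy evaluation described in the reply above and checks the reporter's proposed swap against it. It reduces ufw's chains to the three pieces that matter here: the RELATED,ESTABLISHED accept, the shipped `--sport 67 --dport 68` input rule, a user rule of the `ufw allow out to any port 67 proto udp` kind, and the default incoming/outgoing policies. The `Packet` class, the `before_rules`/`verdict` functions and the four DHCP packets are constructed for this example; the conntrack states assigned to the broadcast offer and the unicast ack are a simplification of real connection tracking.

```python
"""Toy model of ufw's default policy + before.rules handling of a DHCP
client exchange. Added example; not ufw's own code."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to this host
    proto: str      # "udp" or "tcp"
    sport: int      # source port
    dport: int      # destination port
    state: str      # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


# A user rule as produced by e.g. `ufw allow out to any port 67 proto udp`,
# simplified to (direction, proto, dport, target). Hypothetical shape.
UserRule = Tuple[str, str, int, str]


def before_rules(pkt: Packet, swapped: bool = False) -> Optional[str]:
    """The before.rules entries relevant to DHCP. Returns a target, or
    None to fall through to user rules and the default policy.
    swapped=True substitutes the reporter's proposed
    '--sport 68 --dport 67' input rule for the shipped one."""
    if pkt.state in ("ESTABLISHED", "RELATED"):
        # -A ufw-before-{input,output} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        return "ACCEPT"
    sport, dport = (68, 67) if swapped else (67, 68)
    if (pkt.direction == "in" and pkt.proto == "udp"
            and pkt.sport == sport and pkt.dport == dport):
        # shipped: -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
        return "ACCEPT"
    return None


def verdict(pkt: Packet, default_incoming: str = "deny",
            default_outgoing: str = "allow",
            user_rules: Sequence[UserRule] = (),
            swapped: bool = False) -> str:
    """Evaluate before.rules, then user rules, then the default policy."""
    target = before_rules(pkt, swapped)
    if target is not None:
        return target
    for direction, proto, dport, action in user_rules:
        if (direction == pkt.direction and proto == pkt.proto
                and dport == pkt.dport):
            return action
    policy = default_incoming if pkt.direction == "in" else default_outgoing
    return "ACCEPT" if policy == "allow" else "DROP"


# Constructed DHCP client exchange as seen by this host's firewall.
# The client speaks from 68/udp, the server from 67/udp.
DISCOVER = Packet("out", "udp", 68, 67, "NEW")          # broadcast to the server port
OFFER    = Packet("in",  "udp", 67, 68, "NEW")          # server answering the broadcast
REQUEST  = Packet("out", "udp", 68, 67, "NEW")
ACK      = Packet("in",  "udp", 67, 68, "ESTABLISHED")  # reply matched by conntrack

EXCHANGE = [("discover", DISCOVER), ("offer", OFFER),
            ("request", REQUEST), ("ack", ACK)]


def dhcp_verdicts(**policy) -> dict:
    """Verdict for each step of the exchange under the given policy."""
    return {name: verdict(pkt, **policy) for name, pkt in EXCHANGE}


if __name__ == "__main__":
    print("shipped rules, default allow out :", dhcp_verdicts())
    print("reporter's swapped input rule     :", dhcp_verdicts(swapped=True))
    print("egress filtering, no user rule    :", dhcp_verdicts(default_outgoing="deny"))
    print("egress filtering + allow out 67   :", dhcp_verdicts(
        default_outgoing="deny", user_rules=[("out", "udp", 67, "ACCEPT")]))
```

Running it shows why the report was closed as Invalid: with the shipped rule every step is accepted, while the swapped input rule never matches a packet addressed to this client's port 68, so the unsolicited OFFER falls through to the default-deny incoming policy. Only the egress-filtering case (default outgoing set to deny) blocks the DISCOVER, and the `allow out ... port 67 proto udp` rule from the reply restores it.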