ufw broken on Linux Mint 17.3

Bug #1650489 reported by Oliver on 2016-12-16
Affects: Gufw (Importance: Undecided, Assigned to: Unassigned)
Affects: Linux Mint (Importance: Undecided, Assigned to: Unassigned)
Affects: ufw (Importance: Undecided, Assigned to: Unassigned)

Bug Description

Hi,

on my Linux Mint 17.3 x64 Cinnamon, ufw appears to be broken (0.34~rc-0ubuntu2).

Networking seemed to work alright, surfing was no problem, also FTP and SSH worked. But not Bonjour, which I need to use the scanner that is inside my Canon MX925. So I used gufw (14.04.2-0ubuntu1.2) to add rules that allow packets sent to ports 8610 and 8612, and packets coming from 5353 (Bonjour). But still, some of these packets get blocked, according to syslog.

Looking deeper inside the matter, I realised that the default inbound policy is deny. So surfing should not be possible, but it works alright.

sudo ufw status verbose

Status: Aktiv
Protokollierung: on (medium)
Voreinstellung: reject (eingehend), allow (abgehend), disabled (gesendet)
Neue Profile: skip

Zu Aktion Von
-- ------ ---
8612 ALLOW IN Anywhere (log)
5353 ALLOW IN Anywhere (log)
8612 (v6) ALLOW IN Anywhere (v6) (log)
5353 (v6) ALLOW IN Anywhere (v6) (log)

8610 ALLOW OUT Anywhere (log)
8612 ALLOW OUT Anywhere (log)
8610 (v6) ALLOW OUT Anywhere (v6) (log)
8612 (v6) ALLOW OUT Anywhere (v6) (log)

Bonjour should be the only thing working, but in fact, it's the only thing NOT working. So I looked at those predefined sets of rules that ufw should come with, according to

http://www.larrytalkstech.com/ufw-the-linux-uncomplicated-firewall/

but most of the ones mentioned there are missing.

sudo ufw app list

Verfügbare Anwendungen:
  CUPS
  Samba

Only CUPS and Samba are known? Not even DNS or tcp/80? Since surfing works alright, my guess is that ufw does not really work together with iptables, which to my understanding is the "real firewall" that (g)ufw is only a frontend for. So ufw does not show all rules that are in force, and ufw does not correctly apply new rules at the correct position in the chain, so they get defeated by the existing rules, thus Bonjour gets broken.

Dec 15 14:00:30 FSC-neu kernel: [72537.358551] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=63636 PROTO=UDP SPT=5353 DPT=36762 LEN=126

Thanks
Oliver

Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug. There were several observations made so I'll mention a few things:

- ufw app list will only show apps that have registered with ufw. On your system, that is cups and samba
- surfing/etc work because ufw uses connection tracking and outgoing traffic is allowed by default. This means that if your system initiates a connection to the outside world, the response is allowed
- there are already rules for avahi (bonjour) to make discovery work, but connections to the discovered services would need rules allowing the connection
- you mentioned this is with a scanner. You almost certainly need to add nf_conntrack_sane to IPT_MODULES in /etc/default/ufw

Oliver (ok23) wrote :

Hi,

"- there are already rules for avahi (bonjour) to make discovery work, but connections to the discovered services would need rules allowing the connection"

Then connection to port 8612 should work, but it doesn't. PC talks to 8612 of the printer, and then the printer replies from 8612. And this reply gets blocked. It does not matter whether ufw gets stateful for sane or not.

ufw may get this wrong, because the communication starts out as a multicast, thus the recipient address is different from the address that answers. But:

It even gets blocked when a new rule is introduced to allow ALL inbound traffic to 8612, so this rule simply doesn't work.

Adding nf_conntrack_sane DOES NOT fix the problem... I have added nf_conntrack_sane. And yes, I have restarted ufw...

This printer/scanner, btw, is not an Epson, but a Canon MX 925. And yes, I have added the BJNP protocol to Sane. But it's not only Sane that does not discover the scanner, also Vuescan does not discover it, and Vuescan's author Ed Hamrick advises me to sniff the packets...

Syslog excerpt of an attempted network discovery:
.31 is the PC, .251 is the printer, .254 would be the router to the internet (not used here, of course).

Dec 17 16:56:09 FSC-neu kernel: [255876.935983] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12815 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24

PC multicast to (all) printers port 8612, ALLOWed

Dec 17 16:56:09 FSC-neu kernel: [255876.936015] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12815 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24

Another multicast...

Dec 17 16:56:09 FSC-neu kernel: [255876.937195] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26547 PROTO=UDP SPT=8612 DPT=59438 LEN=40

Printer's reply from 8612 gets BLOCKed

Dec 17 16:56:10 FSC-neu kernel: [255877.438000] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=51278 PROTO=UDP SPT=5353 DPT=59438 LEN=126

Dec 17 16:56:10 FSC-neu kernel: [255877.487316] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12879 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24
Dec 17 16:56:10 FSC-neu kernel: [255877.487333] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12879 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24

PC repeating the multicast to the printer

Dec 17 16:56:10 FSC-neu kernel: [255877.488620] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59770 PROTO=UDP SPT=8612 DPT=59438 LEN=40

Printer's response BLOCKed again...

Dec 17 16:56:10 FSC-neu kernel: [255877.986032] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=53766 PROTO=UDP SPT=5353 DPT=59438 LEN=126

Communication from the AVAHI port gets BLOCKed also, despite the rule that should allow that

Dec...

Oliver (ok23) wrote :

Sorry, correction:
That should have read "b) ufw ignores rules that completely open up incoming traffic from a specified port"

I have added a rule that everything coming from port 8612 shall be allowed. So no matter whether ufw recognises the state of the communication from the PC to the printer or not, _everything_ that the printer sends from its port 8612 must be allowed. But it does get blocked...

This
Dec 17 16:56:09 FSC-neu kernel: [255876.937195] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26547 PROTO=UDP SPT=8612 DPT=59438 LEN=40
should never happen, regardless of ufw's states...

sudo ufw status:
Zu Aktion Von
-- ------ ---
8612 ALLOW Anywhere (log)

Jamie Strandboge (jdstrand) wrote :

Does enabling syncookies help? E.g.:

Adjust /etc/ufw/sysctl.conf to have (i.e., comment out the line that sets it to '0'):
#net/ipv4/tcp_syncookies=0

Then do:
$ sudo sysctl -w net/ipv4/tcp_syncookies=1

Changed in ufw:
status: New → Incomplete

Oliver (ok23) wrote :

Hi,
I tried it, and the result is

Jan 9 23:33:11 FSC-neu kernel: [ 119.986998] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:bc:05:43:ae:38:1a:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 9 23:33:15 FSC-neu kernel: [ 124.063501] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=57247 PROTO=2
Jan 9 23:34:07 FSC-neu kernel: [ 176.575247] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=27304 PROTO=UDP SPT=5353 DPT=42937 LEN=126
Jan 9 23:34:07 FSC-neu kernel: [ 176.623963] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50220 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:07 FSC-neu kernel: [ 176.623982] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50220 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:07 FSC-neu kernel: [ 176.625233] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41849 PROTO=UDP SPT=8612 DPT=42937 LEN=40
Jan 9 23:34:08 FSC-neu kernel: [ 177.133004] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=21591 PROTO=UDP SPT=5353 DPT=42937 LEN=126
Jan 9 23:34:08 FSC-neu kernel: [ 177.175232] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50353 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:08 FSC-neu kernel: [ 177.175253] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50353 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:08 FSC-neu kernel: [ 177.176434] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58754 PROTO=UDP SPT=8612 DPT=42937 LEN=40
Jan 9 23:34:08 FSC-neu kernel: [ 177.674191] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=56849 PROTO=UDP SPT=5353 DPT=42937 LEN=126
Jan 9 23:34:08 FSC-neu kernel: [ 177.723215] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50448 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:08 FSC-neu kernel: [ 177.723232] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50448 DF PROTO=UDP SPT=42937 DPT=8612 LEN=24
Jan 9 23:34:08 FSC-neu kernel: [ 177.724294] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26443 PROTO=UDP SPT=8612 DPT=42937 LEN=40

Still getting blocked...

Yours
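An added example, not code from the bug report or from the ufw project, that applies the connection-tracking explanation in the thread to the quoted log lines: it parses `[UFW ...]` kernel messages and flags blocked inbound packets whose ports mirror an allowed outbound multicast probe but whose source is the unicast address of the responder, which a reverse-tuple conntrack match (simplified here to a 5-tuple comparison) can never pair with the multicast destination. The two sample lines are constructed copies of entries quoted above.

```python
import ipaddress
import re

# Constructed sample, modelled on two [UFW ...] kernel lines quoted in this thread:
# the PC's multicast probe to 224.0.0.1:8612 and the printer's blocked unicast reply.
SAMPLE_LOG = """\
Dec 17 16:56:09 FSC-neu kernel: [255876.935983] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12815 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24
Dec 17 16:56:09 FSC-neu kernel: [255876.937195] [UFW BLOCK] IN=eth0 OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26547 PROTO=UDP SPT=8612 DPT=59438 LEN=40
"""

_ACTION = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]")
_KV = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line):
    """Return the action and key=value fields of one [UFW ...] line, or None."""
    m = _ACTION.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(line[m.end():]))  # later keys (2nd LEN) overwrite
    fields["action"] = m.group("action").strip()
    return fields

def reply_tuple_matches(request, reply):
    """Simplified conntrack test: is `reply` the exact reverse 5-tuple of `request`?
    A unicast answer to a multicast probe fails, since the probe's group DST is never
    the answer's SRC, so the answer is treated as a NEW connection."""
    return (request.get("PROTO") == reply.get("PROTO")
            and request["DST"] == reply["SRC"] and request["SRC"] == reply["DST"]
            and request.get("DPT") == reply.get("SPT")
            and request.get("SPT") == reply.get("DPT"))

def blocked_multicast_replies(log_text):
    """List blocked inbound packets whose ports mirror an allowed outbound
    multicast probe but whose source is an (untracked) unicast responder."""
    probes, hits = [], []
    for line in log_text.splitlines():
        p = parse_ufw_line(line)
        if not p or "SRC" not in p:
            continue
        if (p["action"] == "ALLOW" and p.get("OUT")
                and ipaddress.ip_address(p["DST"]).is_multicast):
            probes.append(p)
        elif p["action"] == "BLOCK" and p.get("IN"):
            for q in probes:
                if (q["SRC"] == p["DST"] and q.get("SPT") == p.get("DPT")
                        and q.get("DPT") == p.get("SPT")
                        and not reply_tuple_matches(q, p)):
                    hits.append((q["DST"], q["DPT"], p["SRC"], p["SPT"], p["DPT"]))
    return hits
```

The same field view also shows why the `8612 ALLOW IN` rule in the status output does not fire: it matches destination port 8612, whereas the blocked reply carries SPT=8612 and DPT=59438.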