With UFW enabled, kernel reports SYN flooding

Bug #1631553 reported by Matthew Caron
This bug affects 3 people
Affects: ufw (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

So, this is a fun one.

I have an Epson XP-610 multifunction scanner/printer/coffeemaker/whiskey distillery. It uses an XSane plugin, which spawns an intermediary network app (/usr/lib/iscan/network) which detects and talks to the scanner. These packages can all be obtained from here: http://support.epson.net/linux/en/iscan_c.html.

Anyway, if you have UFW disabled, it works. If you enable UFW, however, it works intermittently and takes forever to start up. Checking my syslog, I find:

Oct 6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP: Possible SYN flooding on port 40796. Dropping request. Check SNMP counters.

A wireshark capture shows two things:
1.) It is communicating on that port on the "lo" interface, not any real interface.
2.) There's one SYN. Not a lot. Just a single SYN. And then TCP retries. And then eventually it works. Sometimes.

Anyway, if I edit /etc/ufw/sysctl.conf, and set net/ipv4/tcp_syncookies=1, and then disable and reenable UFW, it works, with the following syslog entry:

Oct 7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP: Possible SYN flooding on port 42751. Sending cookies. Check SNMP counters.

Now, to be clear, I think the syncookies is a workaround for a more serious problem. Namely, why does the kernel think it's under attack to begin with?

Anyway, I'm not certain this is really a UFW bug, but I'm starting here because UFW seems to make it worse. Feel free to reclassify as a kernel bug.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ufw 0.35-0ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-38.57-generic 4.4.19
Uname: Linux 4.4.0-38-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri Oct 7 20:20:00 2016
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to xenial on 2016-09-30 (7 days ago)
mtime.conffile..etc.ufw.sysctl.conf: 2016-10-06T23:11:58.680226

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ufw (Ubuntu):
status: New → Confirmed
Changed in ufw (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The tcp syncookies issue is not a ufw bug. In fact, toggling it one way or another, your logs show the same kernel message.

The real issue is sane not working with ufw enabled. You need to use the nf_conntrack_sane module. See https://bugs.launchpad.net/ufw/+bug/1595046/comments/14 for details.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Since this bug was opened against ufw with syncookies, I'm going to mark this bug as invalid for ufw. If there is a problem with syncookies, it would be a kernel bug; feel free to open a bug there if you still feel there is a bug.

Changed in ufw (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
Matthew Caron (matt-mattcaron) wrote :

Thanks for the help, but adding the nf_conntrack_sane module didn't help. Adding it and adding ufw allow rules for some packets that were being reported as dropped didn't help. The only way that it reliably works is if I set syncookies to 1 as described above.

I'm not sure there really is a syncookies problem, but that's the only way I can make my scanner work with the firewall enabled.
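The two kernel messages quoted in the description differ only in what the TCP stack did once a listening socket's queue of pending connections was full: with net.ipv4.tcp_syncookies=0 the SYN is discarded ("Dropping request"), with it set to 1 the SYN is answered with a syncookie ("Sending cookies"). That is why toggling the setting changes the tail of the message but not whether it appears. The message is emitted by TCP, not by netfilter rules, and it fires per listener when that socket's pending-connection queue reaches its own backlog (the Send-Q column of `ss -ltn` for listening sockets), so a listener opened with a very small backlog can trigger it with only a few SYNs and no attacker at all. The script below is an added example, not part of the bug report or of ufw: it classifies log lines of this shape and reads the SNMP counters the message tells you to check (`SyncookiesSent`, `ListenOverflows`, `ListenDrops` on the `TcpExt:` line of `/proc/net/netstat`, the same counters `nstat -az` prints with a `TcpExt` prefix). The netstat sample it parses is constructed and trimmed to a few columns; the real file has many more.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or from ufw): interpret the
# "Possible SYN flooding on port N" kernel message and the SNMP counters it
# tells you to check. POSIX sh + awk only.

# classify_synflood_line LINE
#   Prints "PORT ACTION" for a SYN-flood kernel message, where ACTION is
#   "dropping" (tcp_syncookies=0: the SYN was discarded) or "cookies"
#   (tcp_syncookies=1: the SYN was answered with a syncookie).
#   Prints nothing and returns 1 for any other line.
classify_synflood_line() {
    printf '%s\n' "$1" | awk '
        /Possible SYN flooding on port/ {
            for (i = 1; i <= NF; i++)
                if ($i == "port") { port = $(i + 1); sub(/\.$/, "", port) }
            if ($0 ~ /Sending cookies/)       action = "cookies"
            else if ($0 ~ /Dropping request/) action = "dropping"
            else                              action = "unknown"
            print port, action
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tcpext_counter FILE NAME
#   Reads counter NAME from the "TcpExt:" section of a file in
#   /proc/net/netstat layout (a header line of names followed by a line of
#   values, both prefixed "TcpExt:"). Prints nothing if NAME is absent.
tcpext_counter() {
    awk -v want="$2" '
        $1 == "TcpExt:" && !seen_header {
            for (i = 2; i <= NF; i++) col[$i] = i
            seen_header = 1
            next
        }
        $1 == "TcpExt:" && seen_header {
            if (want in col) print $(col[want])
            exit
        }' "$1"
}

# synflood_verdict [FILE]
#   Summarises the counters (cumulative since boot) from FILE, default
#   /proc/net/netstat:
#     cookies-sent           syncookies are on and have been used
#     drops-without-cookies  a listen queue filled while syncookies were off,
#                            so SYNs were discarded (the reporter's first log line)
#     quiet                  no listen-queue pressure recorded
synflood_verdict() {
    file=${1:-/proc/net/netstat}
    cookies=$(tcpext_counter "$file" SyncookiesSent)
    drops=$(tcpext_counter "$file" ListenDrops)
    overflows=$(tcpext_counter "$file" ListenOverflows)
    if [ "${cookies:-0}" -gt 0 ]; then
        echo cookies-sent
    elif [ "${drops:-0}" -gt 0 ] || [ "${overflows:-0}" -gt 0 ]; then
        echo drops-without-cookies
    else
        echo quiet
    fi
}

# Constructed sample in /proc/net/netstat layout, trimmed to a few columns;
# the real file has many more. Values mimic a host in the reporter's first
# state: three SYNs lost to a full listen queue, no cookies ever sent.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPTimeouts
TcpExt: 0 0 0 3 3 12
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF

# Demo on the two messages quoted in the bug and on the constructed sample.
classify_synflood_line 'Oct 6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP: Possible SYN flooding on port 40796. Dropping request. Check SNMP counters.'
classify_synflood_line 'Oct 7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP: Possible SYN flooding on port 42751. Sending cookies. Check SNMP counters.'
echo "verdict (sample): $(synflood_verdict "$SAMPLE_NETSTAT")"
# On a live host, call synflood_verdict with no argument to read /proc/net/netstat.
```

Because the counters are cumulative, take two readings a few seconds apart (or use `nstat`, which prints deltas between runs) to see whether drops are still happening now. Pair the verdict with `sysctl -n net.ipv4.tcp_syncookies` and with the Send-Q value `ss -ltn` shows for the port named in the message: a drop count climbing on a listener whose backlog is tiny points at the listening program, not at the firewall or at an attacker.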
