ufw logs noisy services

Bug #488032 reported by dr on 2009-11-25
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Jamie Strandboge
ufw (Ubuntu)
Jamie Strandboge

Bug Description

Binary package hint: ufw

Affects Ubuntu server 9.10, and ubuntu desktop 9.10

Pacakge: ufw 0.29-4ubuntu1

I expected ufw not to log broadcasts and other noisy services, but it does.

The after.rules defaults for ufw in karmic include some lines intended to avoid logging for noisy services.

for example:
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j RETURN

See https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/209709

However, all rules in this chain end in RETURN, so flow of control returns to the INPUT chain, whether or not any rules match.
That chain then continues to the ufw-after-logging-input chain - thereby logging the noisy service, and creating many lines of output in the logs, etc.

Suggest replacing these lines with DROP targets instead:
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j DROP

which cuts the logging out.

Loïc Minier (lool) on 2010-01-21
Changed in ufw (Ubuntu):
status: New → Confirmed
Changed in ufw (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Triaged
Changed in ufw (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Using '-j DROP' works fine for a default deny firewall, and is a good workaround for people hitting this bug. However, the intention of -j RETURN was to allow for default accept firewalls also. Unfortunately as this bug clearly points out, it was not implemented properly.

Jamie Strandboge (jdstrand) wrote :

Fix committed to trunk.

Changed in ufw (Ubuntu):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Fixed in 0.29.2

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was only partially fixed in 0.29.2. It is fully fixed in 0.29.3.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.29.3-0ubuntu1

ufw (0.29.3-0ubuntu1) lucid; urgency=low

  * New upstream release. Fixes:
    LP: #490366
    LP: #512131
    LP: #488032
    LP: #513387
  * debian/ufw.upstart.ubuntu: start before an interface receives traffic
  * debian/postinst: don't sed or chmod a file that doesn't exist
    (LP: #503039)
  * debian/after*.rules.md5sum: updated for ucf (added additional sums for
    people using the workaround in LP: #488032)
 -- Jamie Strandboge <email address hidden> Sat, 30 Jan 2010 09:42:05 -0600

Changed in ufw (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers