ufw logs noisy services

Bug #488032 reported by dr
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ufw | Fix Released | Medium | Jamie Strandboge |
ufw (Ubuntu) | Fix Released | Medium | Jamie Strandboge |

Bug Description

Binary package hint: ufw

Affects Ubuntu server 9.10, and Ubuntu desktop 9.10

Package: ufw 0.29-4ubuntu1

I expected ufw not to log broadcasts and other noisy services, but it does.

Detail:
The after.rules defaults for ufw in karmic include some lines intended to avoid logging for noisy services.

For example:
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j RETURN

See https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/209709

However, all rules in this chain end in RETURN, so flow of control returns to the INPUT chain, whether or not any rules match.
That chain then continues to the ufw-after-logging-input chain - thereby logging the noisy service, and creating many lines of output in the logs, etc.

Suggest replacing these lines with DROP targets instead:
i.e.
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j DROP

which cuts the logging out.

Loïc Minier (lool)
Changed in ufw (Ubuntu):
status: New → Confirmed
Changed in ufw (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Triaged
Changed in ufw (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Using '-j DROP' works fine for a default deny firewall, and is a good workaround for people hitting this bug. However, the intention of -j RETURN was to allow for default accept firewalls also. Unfortunately as this bug clearly points out, it was not implemented properly.
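
The chain traversal described in the report and the trade-off raised in the comment above, modelled as an added example (not ufw's code, and not written by the reporter or the maintainer). It is a simplified simulator: the chains are reduced to the ones named on this page, and the logging chain is assumed to hold a single unconditional LOG rule.

```python
# Simplified model of iptables chain traversal (added example, not ufw code).
# A rule is (match_fn, target). ACCEPT/DROP end processing, RETURN leaves the
# current chain, LOG records and continues, any other target is a jump.
TERMINAL = {"ACCEPT", "DROP"}

def netbios(pkt):
    return pkt["proto"] == "udp" and pkt["dport"] == 137

def anything(pkt):
    return True

def build_ruleset(noisy_target):
    """noisy_target is 'RETURN' (as shipped) or 'DROP' (the workaround)."""
    return {
        "INPUT": [(anything, "ufw-after-input"),
                  (anything, "ufw-after-logging-input")],
        "ufw-after-input": [(netbios, noisy_target)],
        # Assumption: the logging chain holds one unconditional LOG rule.
        "ufw-after-logging-input": [(anything, "LOG")],
    }

def walk(chains, name, pkt, log):
    """Return a terminal verdict, or None if the chain returns to its caller."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target == "LOG":
            log.append(f"{name}: {pkt['proto']}/{pkt['dport']}")
            continue
        verdict = walk(chains, target, pkt, log)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None  # fell off the end of the chain: implicit return

def process(noisy_target, policy, pkt):
    """Run one packet through INPUT; return (verdict, log_lines)."""
    log = []
    verdict = walk(build_ruleset(noisy_target), "INPUT", pkt, log)
    return (verdict or policy), log

if __name__ == "__main__":
    pkt = {"proto": "udp", "dport": 137}  # constructed NetBIOS name-service packet
    for target in ("RETURN", "DROP"):
        for policy in ("DROP", "ACCEPT"):
            verdict, log = process(target, policy, pkt)
            print(f"rule={target:6} policy={policy:6} -> {verdict:6} logged={bool(log)}")
```

With RETURN the packet is logged under either policy; with DROP it is never logged, but it is also dropped when the default policy is ACCEPT.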

Jamie Strandboge (jdstrand) wrote :

Fix committed to trunk.

Changed in ufw (Ubuntu):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Fixed in 0.29.2

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was only partially fixed in 0.29.2. It is fully fixed in 0.29.3.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.29.3-0ubuntu1

---------------
ufw (0.29.3-0ubuntu1) lucid; urgency=low

  * New upstream release. Fixes:
    LP: #490366
    LP: #512131
    LP: #488032
    LP: #513387
  * debian/ufw.upstart.ubuntu: start before an interface receives traffic
  * debian/postinst: don't sed or chmod a file that doesn't exist
    (LP: #503039)
  * debian/after*.rules.md5sum: updated for ucf (added additional sums for
    people using the workaround in LP: #488032)
 -- Jamie Strandboge <email address hidden> Sat, 30 Jan 2010 09:42:05 -0600

Changed in ufw (Ubuntu):
status: Fix Committed → Fix Released