ufw

Make before6.rules follow RFC 4890

Bug #1030214 reported by Patrick Fasano
Affects: ufw | Status: Fix Released | Importance: Medium | Assigned to: Unassigned

Bug Description

RFC 4890 lists what ICMPv6 types MUST NOT (in the RFC meaning of the phrase) be blocked by a firewall. The attached patch adds those required ICMPv6 types.

From ufw 0.31.1-1
Ubuntu 12.04

Tags: wishlist
Patrick Fasano (kc9jud) wrote :
Patrick Fasano (kc9jud)
tags: added: wishlist
Jamie Strandboge (jdstrand) wrote :

I guess you are referring to section 4.4 (specifically 4.4.1), however I found this document to be pretty unclear. The shipped ufw configuration is for a host-based firewall. While the RFC states 3 types are defined in the report (router, bridge and 'end host'), the 'end host' is not clearly defined (at least for me). In fact, section 4.4 references a multi-homed host and not the 'end host'. While I definitely want to let through appropriate icmpv6 messages, I need more information before adding the ones you suggest (in fact, your patch misses some that the RFC said must not be denied, furthering the confusion).

I think I would at this point prefer to wait for bugs to come in indicating that ufw's current configuration is broken rather than trying to fix it and possibly getting it wrong. That is unless someone can provide clarity on this (with authoritative references). I am going to mark this as 'Incomplete' for now.

Changed in ufw:
status: New → Incomplete
Patrick Fasano (kc9jud) wrote :

Sounds fair -- I mainly noticed this because UFW was being very noisy blocking multicast packets (codes 151-153). I found this RFC and by adding the ICMP codes, I found that it made UFW much quieter, plus seemed to be more "standards compliant" (whatever that means anymore). And now that you point it out, I realize that I forgot "Inverse Neighbor Discovery Solicitation (Type 141)" and "Inverse Neighbor Discovery Advertisement (Type 142)" -- I've re-uploaded the patch to fix this (and added descriptions!).

As for the distinction between router/bridge/end host, it seemed to me that the section at 4.4 fit best based on the description, "This section recommends filtering rules for ICMPv6 traffic addressed to an interface on a firewall." Since ufw is a host-based firewall, these should be a good starting point -- of course individual users can add more types if they so desire, but it seems like these would be the ones to have as the default.
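The thread above turns on which ICMPv6 types a before6.rules file accepts and which of the RFC 4890 section 4.4.1 "must not be dropped" types it still misses (the first patch version lacked 141 and 142). The checker below is an added example, not the patch attached to this bug and not ufw's own code. It assumes rules written in ufw's before6.rules syntax (`-A ufw6-before-input ... --icmpv6-type <name-or-number[/code]> -j ACCEPT`), takes its required-type table from RFC 4890 section 4.4.1 (including the per-code limits on Time Exceeded and Parameter Problem), uses the symbolic names ip6tables accepts for `--icmpv6-type`, and runs on a constructed sample rule set rather than the shipped file.

```python
"""Report RFC 4890 section 4.4.1 ICMPv6 types that a before6.rules fragment does not accept.

Added example for this bug thread; not ufw's code and not the attached patch.
"""
import re

# RFC 4890 section 4.4.1: ICMPv6 traffic addressed to the firewall that must not
# be dropped. Value: (required codes, description); None means all codes.
RFC4890_MUST_NOT_DROP = {
    1: (None, "Destination Unreachable"),
    2: (None, "Packet Too Big"),
    3: ({0}, "Time Exceeded (code 0 only)"),
    4: ({1, 2}, "Parameter Problem (codes 1 and 2 only)"),
    128: (None, "Echo Request"),
    129: (None, "Echo Reply"),
    130: (None, "Multicast Listener Query"),
    131: (None, "Multicast Listener Report"),
    132: (None, "Multicast Listener Done"),
    133: (None, "Router Solicitation"),
    134: (None, "Router Advertisement"),
    135: (None, "Neighbor Solicitation"),
    136: (None, "Neighbor Advertisement"),
    141: (None, "Inverse Neighbor Discovery Solicitation"),
    142: (None, "Inverse Neighbor Discovery Advertisement"),
    143: (None, "Multicast Listener Report v2"),
    148: (None, "Certificate Path Solicitation"),
    149: (None, "Certificate Path Advertisement"),
    151: (None, "Multicast Router Advertisement"),
    152: (None, "Multicast Router Solicitation"),
    153: (None, "Multicast Router Termination"),
}

# Symbolic --icmpv6-type names ip6tables accepts, mapped to (type, code-or-None).
ICMPV6_NAMES = {
    "destination-unreachable": (1, None), "packet-too-big": (2, None),
    "time-exceeded": (3, None), "ttl-zero-during-transit": (3, 0),
    "ttl-zero-during-reassembly": (3, 1),
    "parameter-problem": (4, None), "bad-header": (4, 0),
    "unknown-header-type": (4, 1), "unknown-option": (4, 2),
    "echo-request": (128, None), "echo-reply": (129, None),
    "router-solicitation": (133, None), "router-advertisement": (134, None),
    "neighbor-solicitation": (135, None), "neighbour-solicitation": (135, None),
    "neighbor-advertisement": (136, None), "neighbour-advertisement": (136, None),
}


def parse_type_spec(spec):
    """Turn a --icmpv6-type argument (name, N, or N/C) into (type, code-or-None)."""
    if spec in ICMPV6_NAMES:
        return ICMPV6_NAMES[spec]
    m = re.fullmatch(r"(\d+)(?:/(\d+))?", spec)
    if not m:
        raise ValueError(f"unrecognised icmpv6 type: {spec}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def accepted_icmpv6(rules_text):
    """Map ICMPv6 type -> accepted codes (None = all) from ACCEPT rules in ufw6-before-input."""
    accepted = {}
    for line in rules_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        try:  # both options must be present and have an argument
            target = tokens[tokens.index("-j") + 1]
            spec = tokens[tokens.index("--icmpv6-type") + 1]
        except (ValueError, IndexError):
            continue
        if tokens[:2] != ["-A", "ufw6-before-input"] or target != "ACCEPT":
            continue
        icmp_type, code = parse_type_spec(spec)
        if code is None:
            accepted[icmp_type] = None            # all codes accepted
        elif icmp_type not in accepted:
            accepted[icmp_type] = {code}
        elif accepted[icmp_type] is not None:
            accepted[icmp_type].add(code)
    return accepted


def missing_rfc4890(rules_text):
    """Return [(type, description)] for 4.4.1 entries the rules do not fully accept."""
    accepted = accepted_icmpv6(rules_text)
    missing = []
    for icmp_type, (required, name) in sorted(RFC4890_MUST_NOT_DROP.items()):
        have = accepted.get(icmp_type, set())
        if have is None:                          # all codes accepted
            continue
        if required is None or not required <= have:
            missing.append((icmp_type, name))
    return missing


# Constructed sample in before6.rules syntax (not the shipped file): ND and
# listener types present, Parameter Problem only for code 1, no 141/142/148+.
SAMPLE_RULES = """\
# constructed sample
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type ttl-zero-during-transit -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 4/1 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -j ACCEPT
"""

if __name__ == "__main__":
    for icmp_type, name in missing_rfc4890(SAMPLE_RULES):
        print(f"missing: type {icmp_type} ({name})")
```

Running it against the constructed sample reports Parameter Problem (code 2 is not accepted), both Inverse Neighbor Discovery types, the SEND certificate path types and the three Multicast Router Discovery types; a rule that names a type without a code counts as accepting every code, which is why `--icmpv6-type 4` would satisfy the Parameter Problem entry while `4/1` alone does not.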

Changed in ufw:
status: Incomplete → Triaged
Changed in ufw:
status: Triaged → Fix Committed
milestone: none → 0.34
importance: Undecided → Medium
Changed in ufw:
status: Fix Committed → Fix Released