ufw

UFW is not blocking outgoing ipv6 pings

Bug #1908204 reported by Slim
Affects: ufw
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ ufw --version
ufw 0.36

Distribution: arch

Sorry if this is not a bug, but it is at least unexpected to me.

I'm trying to set up UFW to block outgoing connections, except on a specific interface, and also except for a specific IPv4 address+port. Everything seems to be working as expected. IPv4 pings are blocked, but I can still send pings to IPv6 addresses - I expect those to be blocked as well. I don't see any conflicting rules, so I'm not sure if I'm doing something wrong, or if it's a bug, or if this is expected.

I disconnect my tun0 interface, and see the IPv4 ping successfully blocked:

$ ping 192.30.255.113 # github.com
PING 192.30.255.113 (192.30.255.113) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

I tried an IPv6 address, but it's not getting blocked:

$ ping 2001:41d0:701:1100::29c8 # ipv6-test.com
PING 2001:41d0:701:1100::29c8(2001:41d0:701:1100::29c8) 56 data bytes
64 bytes from 2001:41d0:701:1100::29c8: icmp_seq=1 ttl=42 time=181 ms
64 bytes from 2001:41d0:701:1100::29c8: icmp_seq=2 ttl=42 time=181 ms

Here is my UFW status:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22 LIMIT IN Anywhere
Anywhere on tun0 ALLOW IN Anywhere
22 (v6) LIMIT IN Anywhere (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)

Anywhere ALLOW OUT Anywhere on tun0
1.2.3.4 1234 ALLOW OUT Anywhere
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0

Slim (slim22) wrote :

# Generated by ip6tables-save v1.8.6
*filter
:INPUT ACCEPT [143:37977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [176:22530]
:ufw6-after-forward - [0:0]
:ufw6-after-input - [0:0]
:ufw6-after-logging-forward - [0:0]
:ufw6-after-logging-input - [0:0]
:ufw6-after-logging-output - [0:0]
:ufw6-after-output - [0:0]
:ufw6-before-forward - [0:0]
:ufw6-before-input - [0:0]
:ufw6-before-logging-forward - [0:0]
:ufw6-before-logging-input - [0:0]
:ufw6-before-logging-output - [0:0]
:ufw6-before-output - [0:0]
:ufw6-reject-forward - [0:0]
:ufw6-reject-input - [0:0]
:ufw6-reject-output - [0:0]
:ufw6-track-forward - [0:0]
:ufw6-track-input - [0:0]
:ufw6-track-output - [0:0]
-A INPUT -j ufw6-before-logging-input
-A INPUT -j ufw6-before-input
-A INPUT -j ufw6-after-input
-A INPUT -j ufw6-after-logging-input
-A INPUT -j ufw6-reject-input
-A INPUT -j ufw6-track-input
-A FORWARD -j ufw6-before-logging-forward
-A FORWARD -j ufw6-before-forward
-A FORWARD -j ufw6-after-forward
-A FORWARD -j ufw6-after-logging-forward
-A FORWARD -j ufw6-reject-forward
-A FORWARD -j ufw6-track-forward
-A OUTPUT -j ufw6-before-logging-output
-A OUTPUT -j ufw6-before-output
-A OUTPUT -j ufw6-after-output
-A OUTPUT -j ufw6-after-logging-output
-A OUTPUT -j ufw6-reject-output
-A OUTPUT -j ufw6-track-output
COMMIT
# Completed

Slim (slim22) wrote :

To reproduce, I've ensured my conf is synced with https://git.launchpad.net/ufw/tree/conf
Then ran `sudo ufw default deny outgoing`
Then ran `ping 2001:41d0:701:1100::29c8`

Slim (slim22) wrote :

Sorry for the churn; ignore the last ip6tables-save output, this is the real one. The same issue still applies.

Jamie Strandboge (jdstrand) wrote :

ufw by design is opinionated on traffic that is deemed essential and does not block outgoing ping6 even with the outgoing policy as deny. However, this opinion is expressed in /etc/ufw/before6.rules so that the admin may adjust according to site policies. I think you'll achieve your goals by commenting out '-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT' from /etc/ufw/before6.rules and then reloading the firewall. Good luck!

Changed in ufw:
status: New → Invalid
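As an added example (not part of the bug report and not ufw's own code), the following Python audit walks the OUTPUT path of an ip6tables-save dump in the order netfilter evaluates it and reports which rule, if any, decides an ICMPv6 echo-request before the chain's default policy is reached. The dump is a constructed, abridged sample shaped like ufw's IPv6 chains; the chain names, the `--icmpv6-type 128` spelling and the `tun0` rule are assumptions for illustration.

```python
import re
# Constructed, abridged ip6tables-save dump shaped like ufw's IPv6 chains: outgoing
# policy deny (OUTPUT DROP) plus the echo-request ACCEPT from before6.rules.
SAMPLE_DUMP = """\
*filter
:OUTPUT DROP [0:0]
:ufw6-before-output - [0:0]
:ufw6-user-output - [0:0]
-A OUTPUT -j ufw6-before-output
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ufw6-before-output -j ufw6-user-output
-A ufw6-user-output -o tun0 -j ACCEPT
COMMIT
"""
# ip6tables-save may print ICMPv6 types numerically, so accept either spelling.
ICMPV6_TYPES = {"echo-request": "128", "echo-reply": "129"}

def parse_filter(dump):
    """Return (policy per chain, ordered rules per chain) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif in_filter and line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            rules.setdefault(chain, []).append(rest)
    return policies, rules

def traverse(rules, chain):
    """Yield (chain, rule) in evaluation order, descending into user chains on unconditional jumps."""
    for rule in rules.get(chain, []):
        target = rule[3:] if rule.startswith("-j ") else None
        if target in rules:
            yield from traverse(rules, target)
        else:
            yield chain, rule

def icmpv6_verdict(dump, icmp_type, chain="OUTPUT"):
    """First rule on `chain`'s path matching `icmp_type` decides; else the chain policy."""
    policies, rules = parse_filter(dump)
    wanted = {icmp_type, ICMPV6_TYPES.get(icmp_type, icmp_type)}
    for ch, rule in traverse(rules, chain):
        m = re.search(r"--icmpv6-type (\S+).*-j (\S+)", rule)
        if m and m.group(1) in wanted:
            return m.group(2), ch
    return policies.get(chain, "ACCEPT"), "policy"
```

Fed the sample, `icmpv6_verdict(SAMPLE_DUMP, "echo-request")` returns ACCEPT from ufw6-before-output even though the OUTPUT policy is DROP, which is exactly the behaviour the reporter saw; with the echo-request line removed (the adjustment the maintainer describes) the same query falls through to the DROP policy.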