DNS replies are blocked by UFW default settings
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ufw |
Invalid
|
Undecided
|
Unassigned |
Bug Description
DNS replies are blocked by UFW default settings, with no documented way to recover this.
Ufw.log on my Ubuntu PC (192.168.2.237) is flooded with replies from my nameserver (192.168.2.1).
In the graphical interface to ufw, I see no way to let return UDP packets pass.
I have enabled port 53 in the graphical user interface, but no improvement.
Thus, I'd like to report a bug in either the configuration of ufw, or its inner workings.
A workaroubnd would be a way to let these packets pass.
Feb 5 21:14:54 his10 kernel: [42776.445851] [UFW BLOCK] IN=wlan2 OUT= MAC=94:
Feb 5 21:15:06 his10 kernel: [42788.500267] [UFW BLOCK] IN=wlan2 OUT= MAC=94:
Feb 5 21:15:09 his10 kernel: [42791.585554] [UFW BLOCK] IN=wlan2 OUT= MAC=94:
Feb 5 21:15:14 his10 kernel: [42796.482442] [UFW BLOCK] IN=wlan2 OUT= MAC=94:
Feb 5 21:15:21 his10 kernel: [42803.664466] [UFW BLOCK] IN=wlan2 OUT= MAC=94:
$ ufw --version
ufw 0.30pre1-0ubuntu2
Copyright 2008-2010 Canonical Ltd.
$ uname -a
Linux 2.6.32-
Changed in ufw: | |
status: | Invalid → Incomplete |
Thank you for reporting a bug and helping to make Ubuntu better.
When enabled, ufw by default will allow all outgoing connections with connection tracking. This means when your host connects to your DNS server, your DNS server's response will be allowed. Either your /etc/ufw/ before. rules file was altered (you can compare it with /usr/share/ ufw/before. rules, these packets are not associated with an established connection, or an earlier ufw rule is blocking the connection (or you've exhausted the memory for connection tracking, but that is highly unlikely). As a workaround until you can find the root cause, you can use the following rule:
$ sudo ufw allow from 192.168.2.1 port 53
I am going to mark this bug as Invalid for now, since ufw is known to work properly with DNS. Feel free to reopen if you find more details to describe the bug. Thanks again!