Your message dated Fri, 17 Jul 2015 14:19:31 -0500
with message-id <[email protected]>
and subject line Re: Bug#767117: ufw: default settings after install block all
connectivity
has caused the Debian Bug report #767117,
regarding ufw: default settings after install block all connectivity
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
767117: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767117
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ufw
Version: 0.33-2
Severity: important
Dear Maintainer,
I just installed ufw.
As mentioned in the documentation, the defaults are:
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing)
New profiles: skip
(I just enabled full logging to see what's happening)
The problem is that the default setup blocks all my connectivity.
Searching into it by running tcpdump on the remote server, I see that
outgoing packets are reaching the remote server, but the SYN+ACKs of the
remote server never reach me. According to the documentation:
"On installation, ufw is disabled with a default incoming policy of deny
and a default outgoing policy of allow, with stateful tracking for NEW
connections."
But it seems to me that that does not work. The responses of the remote
server trying to establish a tcp connection that I initiated are not
permitted to pass.
Here's a listing of iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
Chain ufw-after-forward (0 references)
target prot opt source destination
Chain ufw-after-input (0 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0
udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0
udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0
udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0
udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW ALLOW] "
Chain ufw-after-output (0 references)
target prot opt source destination
Chain ufw-before-forward (0 references)
target prot opt source destination
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 state
INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW AUDIT] "
Chain ufw-before-output (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG
flags 0 level 4 prefix "[UFW AUDIT INVALID] "
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level
4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match
dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match
dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match
dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (0 references)
target prot opt source destination
Chain ufw-reject-input (0 references)
target prot opt source destination
Chain ufw-reject-output (0 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-input (0 references)
target prot opt source destination
Chain ufw-track-output (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ufw depends on:
ii debconf [debconf-2.0] 1.5.53
ii iptables 1.4.21-2
ii python3 3.4.2-1
pn python3:any <none>
ii ucf 3.0030
ufw recommends no packages.
Versions of packages ufw suggests:
ii rsyslog 8.4.2-1
-- debconf information:
ufw/existing_configuration:
ufw/enable: false
ufw/allow_custom_ports:
ufw/allow_known_ports:
--- End Message ---
--- Begin Message ---
Closing based on feedback from the reporter
--
Jamie Strandboge http://www.ubuntu.com/
--- End Message ---