[Touch-packages] [Bug 2062542] Re: systemd-resolved stub gives SERVFAIL for DNSSEC negative response

2024-04-20 Thread Marco van Zwetselaar
This is on mantic, systemd-resolved 253.5-1ubuntu6.1

** Tags added: mantic

** Description changed:

- This issue surface when researching the issue that Postfix on my system
+ This issue surfaced when researching the issue that Postfix on my system
  (with DANE enabled) deferred mail deliveries with 100s of this warning
  in the log:
  
- Warning: DANE TLSA lookup problem: Host or domain name not found.
+ Warning: DANE TLSA lookup problem: Host or domain name not found.
  Name service error for name=_25._tcp.cluster5.us.messagelabs.com
  type=TLSA: Host not found, try again
  
  The DNS resolver on my machine was pointing at the systemd-resolved
  stub:
  
- $ cat /etc/resolv.conf | grep nameserver
- nameserver 127.0.0.53
+ $ cat /etc/resolv.conf | grep nameserver
+ nameserver 127.0.0.53
  
- $ resolvectl status
- Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
- resolv.conf mode: stub
+ $ resolvectl status
+ Global
+ Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
+ resolv.conf mode: stub
  
  Note DNSSEC is enabled (else Postfix couldn't be doing DANE). Now if I
  query the TLSA record for the messagelab server, I get a SERVFAIL from
  the stub resolver:
  
- $ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
- ;; resolution failed: SERVFAIL
+ $ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
+ ;; resolution failed: SERVFAIL
  
  Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC
  validated (negative) response:
  
- $ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
- ;; resolution failed: ncache nxrrset
- ; negative response, fully validated
- ; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
- ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
- ; _25._tcp.cluster5.us.messagelabs.com. NSEC 
\000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP  SRV NAPTR 
SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
- ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. 
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
- ; messagelabs.com. RRSIG SOA ...
+ $ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
+ ;; resolution failed: ncache nxrrset
+ ; negative response, fully validated
+ ; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
+ ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
+ ; _25._tcp.cluster5.us.messagelabs.com. NSEC 
\000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP  SRV NAPTR 
SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
+ ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. 
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
+ ; messagelabs.com. RRSIG SOA ...
  
  I assume Postfix (with smtp_tls_security_level = dane i.e.
  "Opportunistic DANE") deals with the negative response by downgrading to
  "encrypt", whereas the SERVFAIL response makes it refuse to connect
  altogether.
  
  My workaround was to switch from the systemd-resolved stub resolver to
  the upstream servers. In /etc/systemd/resolved.conf set:
  
- DNS=... your upstream servers if not already given through DHCP ...
- DNSStubListener=no
+ DNS=... your upstream servers if not already given through DHCP ...
+ DNSStubListener=no
  
  Then restart the service and restart Postfix if it is chrooted (so the
  new /etc/resolv.conf gets copied into the chroot):
  
- systemctl restart systemd-resolved
- systemctl restart postfix
+ systemctl restart systemd-resolved
+ systemctl restart postfix
  
  I am not sure if this could be considered a Postfix bug as well (it
  could consider a SERVFAIL on a TLSA record the same as a negative), but
  surely it seems to me the systemd-resolved stub resolver should not
  return the SERVFAIL here.
  
  For more background on this bug report, please see
  https://serverfault.com/a/1158198/299950

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2062542

Title:
  systemd-resolved stub gives SERVFAIL for DNSSEC negative response

Status in systemd package in Ubuntu:
  Incomplete

Bug description:
  This issue surfaced when researching the issue that Postfix on my
  system (with DANE enabled) deferred mail deliveries with 100s of this
  warning in the log:

  Warning: DANE TLSA lookup problem: Host or domain name not found.
  Name service error for name=_25._tcp.cluster5.us.messagelabs.com
  type=TLSA: Host not found, try again

  The DNS resolver on my machine was pointing at the systemd-resolved
  stub:

  $ cat /etc/resolv.conf | grep nameserver
  nameserver 127.0.0.53

  $ resolvectl status
  Global
  Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub

[Touch-packages] [Bug 2062542] [NEW] systemd-resolved stub gives SERVFAIL for DNSSEC negative response

2024-04-19 Thread Marco van Zwetselaar
Public bug reported:

This issue surface when researching the issue that Postfix on my system
(with DANE enabled) deferred mail deliveries with 100s of this warning
in the log:

Warning: DANE TLSA lookup problem: Host or domain name not found.
Name service error for name=_25._tcp.cluster5.us.messagelabs.com
type=TLSA: Host not found, try again

The DNS resolver on my machine was pointing at the systemd-resolved
stub:

$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53

$ resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub

Note DNSSEC is enabled (else Postfix couldn't be doing DANE). Now if I
query the TLSA record for the messagelab server, I get a SERVFAIL from
the stub resolver:

$ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: SERVFAIL

Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC
validated (negative) response:

$ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
; _25._tcp.cluster5.us.messagelabs.com. NSEC 
\000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP  SRV NAPTR 
SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. 
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
; messagelabs.com. RRSIG SOA ...

I assume Postfix (with smtp_tls_security_level = dane i.e.
"Opportunistic DANE") deals with the negative response by downgrading to
"encrypt", whereas the SERVFAIL response makes it refuse to connect
altogether.

My workaround was to switch from the systemd-resolved stub resolver to
the upstream servers. In /etc/systemd/resolved.conf set:

DNS=... your upstream servers if not already given through DHCP ...
DNSStubListener=no

Then restart the service and restart Postfix if it is chrooted (so the
new /etc/resolv.conf gets copied into the chroot):

systemctl restart systemd-resolved
systemctl restart postfix

I am not sure if this could be considered a Postfix bug as well (it
could consider a SERVFAIL on a TLSA record the same as a negative), but
surely it seems to me the systemd-resolved stub resolver should not
return the SERVFAIL here.

For more background on this bug report, please see
https://serverfault.com/a/1158198/299950

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2062542

Title:
  systemd-resolved stub gives SERVFAIL for DNSSEC negative response

Status in systemd package in Ubuntu:
  New

Bug description:
  This issue surface when researching the issue that Postfix on my
  system (with DANE enabled) deferred mail deliveries with 100s of this
  warning in the log:

  Warning: DANE TLSA lookup problem: Host or domain name not found.
  Name service error for name=_25._tcp.cluster5.us.messagelabs.com
  type=TLSA: Host not found, try again

  The DNS resolver on my machine was pointing at the systemd-resolved
  stub:

  $ cat /etc/resolv.conf | grep nameserver
  nameserver 127.0.0.53

  $ resolvectl status
  Global
  Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub

  Note DNSSEC is enabled (else Postfix couldn't be doing DANE). Now if I
  query the TLSA record for the messagelab server, I get a SERVFAIL from
  the stub resolver:

  $ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
  ;; resolution failed: SERVFAIL

  Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC
  validated (negative) response:

  $ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
  ;; resolution failed: ncache nxrrset
  ; negative response, fully validated
  ; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
  ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
  ; _25._tcp.cluster5.us.messagelabs.com. NSEC 
\000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP  SRV NAPTR 
SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
  ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. 
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
  ; messagelabs.com. RRSIG SOA ...

  I assume Postfix (with smtp_tls_security_level = dane i.e.
  "Opportunistic DANE") deals with the negative response by downgrading
  to "encrypt", whereas the SERVFAIL response makes it refuse to connect
  altogether.

  My workaround was to switch from the systemd-resolved stub resolver to
  the upstream servers. In /etc/systemd/resolved.conf set:

  DNS=... your upstream servers if not already gi

[Touch-packages] [Bug 1701068] Re: motd.ubuntu.com currently shows media item (HBO's Silicon Valley using Ubuntu)

2017-07-05 Thread Marco van Zwetselaar
I actually spent time tracking down this 'bug' because on my upgrade
17.04 servers I kept seeing:

  * Ubuntu 16.10 will reach end of life on Thursday, July 20, 2017
 How to upgrade from 16.10 to 17.04:
 - https://ubu.one/upgY2Z

making me wonder if my upgrade was botched or something.  I have little
against the feature in general (though I would certainly make it opt-in
rather than opt-out), but this motd is confusing.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1701068

Title:
  motd.ubuntu.com currently shows media item (HBO's Silicon Valley using
  Ubuntu)

Status in base-files package in Ubuntu:
  Opinion

Bug description:
  In Ubuntu 17.04 or newer, there is a script at /etc/update-motd.d/50
  -motd-news that reads https://motd.ubuntu.com/ and displays that text
  with the rest of the MOTD.

  Currently, https://motd.ubuntu.com shows a news item about HBO's Silicon 
Valley which has a reference to Ubuntu. 
  Instead, https://motd.ubuntu.com should show relevant items to those that 
  use Ubuntu Server (relevant security issues, etc), instead of items for 
desktop users.

  =
  Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-21-generic x86_64)

   * Documentation:  https://help.ubuntu.com
   * Management: https://landscape.canonical.com
   * Support:https://ubuntu.com/advantage

   * How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow,
     Keras & React Native on Ubuntu
     - https://ubu.one/HBOubu
  ==

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: base-files 9.6ubuntu13
  ProcVersionSignature: Ubuntu 4.10.0-24.28-generic 4.10.15
  Uname: Linux 4.10.0-24-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4
  Architecture: amd64
  Date: Wed Jun 28 12:31:24 2017
  InstallationDate: Installed on 2017-05-02 (56 days ago)
  InstallationMedia: Xubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: base-files
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1504531] [NEW] apt show gibberish in package description

2015-10-09 Thread Marco van Zwetselaar
Public bug reported:

I am not sure whether to report this bug against apt, the vim-snipmate
package, or as a translation bug. It seems to be located in the en_GB
translation of the package description for vim-snipmate.

On my Ubuntu Vivid (locale en_GB) the output of "apt show vim-snipmate"
contains this section:

--- snip ---
 for (i = 0; i < count; i++) {
 .
 Project-Id-Version: ddtp-ubuntu
 Report-Msgid-Bugs-To: FULL NAME 
 POT-Creation-Date: 2014-09-03 08:41+0200
 PO-Revision-Date: 2014-05-06 13:30+
 Last-Translator: FULL NAME 
 Language-Team: English (United Kingdom) 
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 X-Launchpad-Export-Date: 2014-09-04 23:31+
 X-Generator: Launchpad (build 17196)
 .
 To go to the next item in the loop, simply  over to it; if there is
--- snip ---

The middle part starting with "Project-Id-Version" upto "X-Generator"
doesn't belong here. I have checked and it isn't present in the
"DEBIAN/control" file in vim-snipmate_0.87-2_all.deb. Instead the
control file contains the expected single '}' character at that
location.

Grepping through /var/lib/apt I have found the injected bit in the vim-snipmate 
description in
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en%5fGB.bz2
It is not present in the vim-snipmate description in 
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en.bz

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: apt 1.0.9.7ubuntu4.1
ProcVersionSignature: Ubuntu 3.19.0-30.34-generic 3.19.8-ckt6
Uname: Linux 3.19.0-30-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.17.2-0ubuntu1.5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct  9 15:01:02 2015
InstallationDate: Installed on 2013-09-28 (740 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: apt
UpgradeStatus: Upgraded to vivid on 2015-05-27 (135 days ago)

** Affects: apt (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug vivid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1504531

Title:
  apt show gibberish in package description

Status in apt package in Ubuntu:
  New

Bug description:
  I am not sure whether to report this bug against apt, the vim-snipmate
  package, or as a translation bug. It seems to be located in the en_GB
  translation of the package description for vim-snipmate.

  On my Ubuntu Vivid (locale en_GB) the output of "apt show vim-
  snipmate" contains this section:

  --- snip ---
   for (i = 0; i < count; i++) {
   .
   Project-Id-Version: ddtp-ubuntu
   Report-Msgid-Bugs-To: FULL NAME 
   POT-Creation-Date: 2014-09-03 08:41+0200
   PO-Revision-Date: 2014-05-06 13:30+
   Last-Translator: FULL NAME 
   Language-Team: English (United Kingdom) 
   MIME-Version: 1.0
   Content-Type: text/plain; charset=UTF-8
   Content-Transfer-Encoding: 8bit
   X-Launchpad-Export-Date: 2014-09-04 23:31+
   X-Generator: Launchpad (build 17196)
   .
   To go to the next item in the loop, simply  over to it; if there is
  --- snip ---

  The middle part starting with "Project-Id-Version" upto "X-Generator"
  doesn't belong here. I have checked and it isn't present in the
  "DEBIAN/control" file in vim-snipmate_0.87-2_all.deb. Instead the
  control file contains the expected single '}' character at that
  location.

  Grepping through /var/lib/apt I have found the injected bit in the 
vim-snipmate description in
  
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en%5fGB.bz2
  It is not present in the vim-snipmate description in 
  
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en.bz

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: apt 1.0.9.7ubuntu4.1
  ProcVersionSignature: Ubuntu 3.19.0-30.34-generic 3.19.8-ckt6
  Uname: Linux 3.19.0-30-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.17.2-0ubuntu1.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct  9 15:01:02 2015
  InstallationDate: Installed on 2013-09-28 (740 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
  SourcePackage: apt
  UpgradeStatus: Upgraded to vivid on 2015-05-27 (135 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1504531/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1434525] Re: Router solicitation blocked, makes network-manager complain

2015-07-01 Thread Marco van Zwetselaar
Confirming that the patch in #2 solves the issue.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1434525

Title:
  Router solicitation blocked, makes network-manager complain

Status in ufw package in Ubuntu:
  Confirmed

Bug description:
  In Vivid, my syslog is full of complains by network-manager about
  blocked Router solicitation.

  In my log, I get things like this:

  ...
  Mar 20 12:47:04 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852024.960398] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:04 franck-ThinkPad-T430s kernel: [ 8209.218586] [UFW BLOCK] IN= 
OUT=wlan0 SRC=fe80::::2677:03ff:fe8a:47a0 
DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 
PROTO=ICMPv6 TYPE=133 CODE=0 
  Mar 20 12:47:05 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852025.959574] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:08 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852028.958727] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:09 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852029.958873] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:12 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852032.961342] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:13 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852033.959493] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:16 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852036.960008] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:17 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852037.959215] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:20 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852040.961811] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:21 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852041.958641] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:24 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852044.960743] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  Mar 20 12:47:24 franck-ThinkPad-T430s kernel: [ 8229.224325] [UFW BLOCK] IN= 
OUT=wlan0 SRC=fe80::::2677:03ff:fe8a:47a0 
DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 
PROTO=ICMPv6 TYPE=133 CODE=0 
  Mar 20 12:47:25 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852045.958895] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send 
router solicitation: -1.
  Mar 20 12:47:28 franck-ThinkPad-T430s NetworkManager[1134]:  
[1426852048.960527] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send 
router solicitation: -1.
  ...

  and so on.

  I have read through http://www.ietf.org/rfc/rfc4890.txt but this is a
  bit tougth, and I like ufw doing the job for me :-).

  Here is the output of ip6tables --list :

  Chain INPUT (policy DROP)
  target prot opt source   destination 
  ufw6-before-logging-input  all  anywhere anywhere
  ufw6-before-input  all  anywhere anywhere
  ufw6-after-input  all  anywhere anywhere
  ufw6-after-logging-input  all  anywhere anywhere
  ufw6-reject-input  all  anywhere anywhere
  ufw6-track-input  all  anywhere anywhere

  Chain FORWARD (policy DROP)
  target prot opt source   destination 
  ufw6-before-logging-forward  all  anywhere anywhere   
 
  ufw6-before-forward  all  anywhere anywhere
  ufw6-after-forward  all  anywhere anywhere
  ufw6-after-logging-forward  all  anywhere anywhere
  ufw6-reject-forward  all  anywhere anywhere
  ufw6-track-forward  all  anywhere anywhere

  Chain OUTPUT (policy DROP)
  target prot opt source   destination 
  ufw6-before-logging-output  all  anywhere anywhere
  ufw6-before-output  all  anywhere anywhere
  ufw6-after-output  all  anywhere anywhere
  ufw6-after-logging-output  all  anywhere anywhere
  ufw6-reject-output  all  anywhere anywhere
  ufw6-track-output  all  anywhere