[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-11-15 Thread Matthew Caron
Thanks for the help, but adding the nf_conntrack_sane module didn't
help. Adding it and adding ufw allow rules for some packets that were
being reported as dropped didn't help. The only way that it reliably
works is if I set syncookies to 1 as described above.

I'm not sure there really is a syncookies problem, but that's the only
way I can make my scanner work with the firewall enabled.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1631553

Title:
  With UFW enabled, kernel reports SYN flooding

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  So, this is a fun one.

  I have an Epson XP-610 multifunction
  scanner/printer/coffeemaker/whiskey distillery. It uses an XSane
  plugin, which spawns an intermediary network app
  (/usr/lib/iscan/network) which detects and talks to the scanner. These
  packages can all be obtained from here:
  http://support.epson.net/linux/en/iscan_c.html.

  Anyway, if you have UFW disabled, it works. If you enable UFW, however,
  it works intermittently and takes forever to start up. Checking my
  syslog, I find:

  Oct  6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP:
  Possible SYN flooding on port 40796. Dropping request.  Check SNMP
  counters.

  A Wireshark capture shows two things:
  1.) It is communicating on that port on the "lo" interface, not any
  real interface.
  2.) There's one SYN. Not a lot. Just a single SYN. And then TCP
  retries. And then eventually it works. Sometimes.

  Anyway, if I edit /etc/ufw/sysctl.conf, and set
  net/ipv4/tcp_syncookies=1, and then disable and reenable UFW, it
  works, with the following syslog entry:

  Oct  7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP:
  Possible SYN flooding on port 42751. Sending cookies.  Check SNMP
  counters.

  Now, to be clear, I think the syncookies is a workaround for a more
  serious problem. Namely, why does the kernel think it's under attack
  to begin with?

  Anyway, I'm not certain this is really a UFW bug, but I'm starting
  here because UFW seems to make it worse. Feel free to reclassify as a
  kernel bug.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: ufw 0.35-0ubuntu2
  ProcVersionSignature: Ubuntu 4.4.0-38.57-generic 4.4.19
  Uname: Linux 4.4.0-38-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri Oct  7 20:20:00 2016
  PackageArchitecture: all
  SourcePackage: ufw
  UpgradeStatus: Upgraded to xenial on 2016-09-30 (7 days ago)
  mtime.conffile..etc.ufw.sysctl.conf: 2016-10-06T23:11:58.680226

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1631553/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
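
The kernel messages in the bug description end with "Check SNMP counters." The following is an added example, not code from the thread, ufw or the kernel: it pairs those log lines with the TcpExt counters that Linux exposes in /proc/net/netstat. The log lines are the two quoted above, re-joined onto single lines; the counter values are constructed, and the function names are illustrative.

```python
import re

# Constructed sample: the two kernel messages quoted in the bug description,
# re-joined onto single lines.
SAMPLE_LOG = (
    "Oct  6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP: "
    "Possible SYN flooding on port 40796. Dropping request.  Check SNMP counters.\n"
    "Oct  7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP: "
    "Possible SYN flooding on port 42751. Sending cookies.  Check SNMP counters.\n"
)

# Constructed sample in the /proc/net/netstat layout (names line, values line).
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows "
    "ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop\n"
    "TcpExt: 3 3 0 0 5 3 5\n"
    "IpExt: InNoRoutes InTruncatedPkts\n"
    "IpExt: 0 0\n"
)

FLOOD_RE = re.compile(
    r"Possible SYN flooding on port (\d+)\.\s+(Dropping request|Sending cookies)\."
)
WATCHED = ("TCPReqQFullDrop", "TCPReqQFullDoCookies", "SyncookiesSent",
           "SyncookiesRecv", "SyncookiesFailed", "ListenOverflows", "ListenDrops")


def parse_flood_events(log_text):
    """Return (port, action) per warning; action is 'drop' or 'cookies'."""
    return [(int(port), "drop" if what.startswith("Dropping") else "cookies")
            for port, what in FLOOD_RE.findall(log_text)]


def parse_tcpext(netstat_text):
    """Pair the TcpExt names line with its values line into a dict of ints."""
    rows = [l.split()[1:] for l in netstat_text.splitlines()
            if l.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt names line and one values line")
    return dict(zip(rows[0], map(int, rows[1])))


def triage(log_text, netstat_text):
    """Summarise what the kernel did with SYNs that hit a full request queue."""
    events = parse_flood_events(log_text)
    counters = parse_tcpext(netstat_text)
    return {
        "ports_dropped": sorted(p for p, a in events if a == "drop"),
        "ports_cookied": sorted(p for p, a in events if a == "cookies"),
        "counters": {k: counters.get(k, 0) for k in WATCHED},
    }


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/netstat").read() instead.
    print(triage(SAMPLE_LOG, SAMPLE_NETSTAT))
```

Sampling the counters before and after reproducing the problem shows whether TCPReqQFullDrop or TCPReqQFullDoCookies is the one that moves, which matches the "Dropping request" and "Sending cookies" variants of the log line.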


[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-11-07 Thread Jamie Strandboge
Since this bug was opened against ufw with syncookies, I'm going to mark
this bug as invalid for ufw. If there is a problem with syncookies, it
would be a kernel bug-- feel free to open a bug there if you still feel
there is a bug.

** Changed in: ufw (Ubuntu)
   Status: Confirmed => Invalid



[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-11-07 Thread Jamie Strandboge
The tcp syncookies issue is not a ufw bug. In fact, toggling it one way
or another, your logs show the same kernel message.

The real issue is sane not working with ufw enabled. You need to use the
nf_conntrack_sane module. See
https://bugs.launchpad.net/ufw/+bug/1595046/comments/14 for details.



[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-11-04 Thread Alberto Salvia Novella
** Changed in: ufw (Ubuntu)
   Importance: Undecided => Medium



[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-10-18 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ufw (Ubuntu)
   Status: New => Confirmed



[Touch-packages] [Bug 1631553] Re: With UFW enabled, kernel reports SYN flooding

2016-10-07 Thread Matthew Caron
Oh, relevant tickets from UFW and procps:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/189565
