[Touch-packages] [Bug 1882484] Re: Firewall rule in before.rules for dhcp is wrong

2020-06-15 Thread Joshua Stark
Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv4 server.

I will revert the UFW changes I have made and add in a new
/etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv4
server

Thanks
Josh


PS. isc-dhcp-server when set up, by default is using "raw" sockets and thus the
ufw rules are bypassed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882484

Title:
  Firewall rule in before.rules for dhcp is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  The file delivered - /usr/share/ufw/iptables/before.rules
  which is then copied to - /etc/ufw/before.rules

  Delivered by Package:

  # allow dhcp client to work
  -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

  The ports for
  --sport and --dport are swapped

  Should be:

  -A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT

  
  Package version found in:
    0.36-0ubuntu0.1

  Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't
  drop the packets with the incorrect configuration. This has had me stumped for
  the last hour.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882484/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
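
Added example (not part of the original messages and not ufw's own code): the reports on this page hinge on which direction an input-chain rule admits, so this Python script reads before.rules-style lines and reports whether each DHCP rule serves the host as a client or as a server. It goes beyond the DHCPv4 message above by also covering the DHCPv6 port pair; classify_rule, audit and SAMPLE are names made up here, and the last sample line is constructed.

```python
# Added example, not ufw code: classify DHCP ACCEPT rules on an input chain.
DHCP_PORTS = {"DHCPv4": (67, 68), "DHCPv6": (547, 546)}  # (server, client) UDP ports

def classify_rule(line):
    """Return (family, role) for a DHCP ACCEPT rule on an *-input chain, else None.

    'client' = admits server replies; 'server' = admits client requests.
    """
    tokens = line.split("#", 1)[0].split()  # drop comments, then tokenize
    if len(tokens) < 2 or tokens[0] != "-A" or not tokens[1].endswith("-input"):
        return None
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-p", "--sport", "--dport", "-j"):
            opts[tok] = tokens[i + 1]
    if opts.get("-p") != "udp" or opts.get("-j") != "ACCEPT":
        return None
    try:
        pair = (int(opts["--sport"]), int(opts["--dport"]))
    except (KeyError, ValueError):
        return None  # ports missing, or given as a range/name (not handled here)
    for family, (server, client) in DHCP_PORTS.items():
        if pair == (server, client):
            return family, "client"
        if pair == (client, server):
            return family, "server"
    return None

def audit(rules_text):
    """Classify every line of a rules file; keep only the DHCP matches."""
    results = (classify_rule(line) for line in rules_text.splitlines())
    return [r for r in results if r is not None]

# Constructed sample: the shipped and the proposed rules quoted in the reports,
# plus one unrelated rule (UDP 53) that must not be classified.
SAMPLE = """\
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
-A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT
-A ufw-before-input -p udp --dport 53 -j ACCEPT
"""

if __name__ == "__main__":
    for family, role in audit(SAMPLE):
        print(f"{family}: input rule serves this host as a {role}")
```

The result describes only what netfilter admits; as the reporter notes, a daemon reading from raw sockets receives packets regardless of these rules.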


[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong

2020-06-15 Thread Joshua Stark
Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv6 server.

I will revert the UFW changes I have made and add in a new
/etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv6
server

Thanks
Josh

PS. isc-dhcp-server6 when set up, by default is not using "raw" sockets
and thus the ufw rules are enforced

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  When running DHCPv6, clients are not able to get an IP address.
  The firewall rule in ip6table is incorrect, and not allowing client requests
  in. The ports need to be swapped and the dst address needs to be removed, as
  it's a broadcast

  The file delivered - /usr/share/ufw/iptables/before6.rules
  which is then copied to - /etc/ufw/before6.rules

  Delivered by Package:

  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

  The ports for
  --sport and --dport are swapped
  -d fe80::/10 needs to be removed

  Should be:

  -A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT

  Package version found in:
    0.36-0ubuntu0.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882314/+subscriptions



[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong

2020-06-13 Thread Joshua Stark
** Description changed:

  When running DHCPv6, clients are not able get IP address.
- The firewall rule in ip6table is incorrect, and not allowing client requests 
in. The ports need to be swapped
+ The firewall rule in ip6table is incorrect, and not allowing client requests 
in. The ports need to be swapped and the dst address needs to be removed, as 
it's a broadcast
  
  The file delivered - /usr/share/ufw/iptables/before6.rules
  which is then copied to - /etc/ufw/before6.rules
  
  Delivered by Package:
  
  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 
-j ACCEPT
  
  The ports for
  --sport and --dport are swapped
+ -d fe80::/10 needs to be removed
  
  Should be:
  
- -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10
- --dport 547 -j ACCEPT
+ -A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j
+ ACCEPT
  
  Package version found in:
    0.36-0ubuntu0.1
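
Review bot: the rewritten "Should be" rule (`--sport 546 --dport 547`) still sits under the unchanged comment `# allow dhcp client to work`, but on an input chain that port pair matches client requests arriving at a server, not server replies arriving at a client. If the aim is to run a DHCPv6 server on the host, propose it as an additional rule with its own comment rather than as a replacement, so the delivered 547 to 546 rule that the client role relies on stays in place. The added justification "as it's a broadcast" also needs rewording: IPv6 has no broadcast, and DHCPv6 clients send their requests to the multicast address ff02::1:2, which is why a `-d fe80::/10` match does not fit server-bound requests.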

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882314/+subscriptions



[Touch-packages] [Bug 1882484] [NEW] Firewall rule in before.rules for dhcp is wrong

2020-06-07 Thread Joshua Stark
Public bug reported:

The file delivered - /usr/share/ufw/iptables/before.rules
which is then copied to - /etc/ufw/before.rules

Delivered by Package:

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

The ports for
--sport and --dport are swapped

Should be:

-A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT


Package version found in:
  0.36-0ubuntu0.1


Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't 
drop the packets with the incorrect configuration. This has had me stumped for 
the last hour.

** Affects: ufw (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882484

Title:
  Firewall rule in before.rules for dhcp is wrong

Status in ufw package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882484/+subscriptions



[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong

2020-06-05 Thread Joshua Stark
** Description changed:

- Firewall rule in ip6table is incorrect, the ports need to be swapped
+ When running DHCPv6, clients are not able get IP address.
+ The firewall rule in ip6table is incorrect, and not allowing client requests 
in. The ports need to be swapped
  
  The file delivered - /usr/share/ufw/iptables/before6.rules
- which is then copied to - /etc/ufw/before6.rules  
+ which is then copied to - /etc/ufw/before6.rules
  
  Delivered by Package:
  
  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 
-j ACCEPT
  
- The ports for 
+ The ports for
  --sport and --dport are swapped
  
  Should be:
  
  -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10
  --dport 547 -j ACCEPT
  
  Package version found in:
-   0.36-0ubuntu0.1
+   0.36-0ubuntu0.1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New

Bug description:
  When running DHCPv6, clients are not able to get an IP address.
  The firewall rule in ip6table is incorrect, and not allowing client requests
  in. The ports need to be swapped

  The file delivered - /usr/share/ufw/iptables/before6.rules
  which is then copied to - /etc/ufw/before6.rules

  Delivered by Package:

  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

  The ports for
  --sport and --dport are swapped

  Should be:

  -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10 --dport 547 -j ACCEPT

  Package version found in:
    0.36-0ubuntu0.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882314/+subscriptions



[Touch-packages] [Bug 1882317] [NEW] Dual Stack DHCP clobber each other when using /run/dhcp-server/ for pid files

2020-06-05 Thread Joshua Stark
Public bug reported:

When installing dual stack IPv4 and IPv6 DHCP I found that DHCPv4 and
DHCPv6 clobber each other's /run/dhcp-server path when you stop or
restart one of the daemons

I found that the config in the systemd unit has the /run path set to the
same location for both DHCPv4 and DHCPv6

In /lib/systemd/system/isc-dhcp-server.service the offending line that conflicts is:
  exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES'

In /lib/systemd/system/isc-dhcp-server6.service the offending line that conflicts is:
  exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES'

This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the
path /run/dhcp-server and removes the pid file for the alternate
process.

I have found a possible fix is to give DHCPv6 its own /run path, thus I
suggest:

1) update DHCPv6 to use /run/dhcp-server6/

Update /lib/systemd/system/isc-dhcp-server6.service to use /run/dhcp-server6/
i.e.
  exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES'

Now we need to give dhcp access to this path in AppArmor:

2) Update /etc/apparmor.d/usr.sbin.dhcpd and add an additional line

38d39
  /var/lib/dhcp/dhcpd{,6}.leases* lrw,
  /var/log/ r,
  /var/log/** rw,
  /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,
+  /{,var/}run/{,dhcp-server6/}dhcpd{,6}.pid rw,
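
Review bot: the added rule is broader than the change needs, because `{,dhcp-server6/}` keeps the empty alternative and `dhcpd{,6}.pid` keeps the IPv4 name, so it re-grants `/run/dhcpd.pid` and `/run/dhcpd6.pid` (already covered by the line above) and also allows `dhcpd.pid` under the new directory. Since only the DHCPv6 daemon moves, a rule limited to that one file, e.g. `/{,var/}run/dhcp-server6/dhcpd6.pid rw,`, grants what the new `-pf` path requires and nothing else. The `38d39` header is also normal-diff notation for a deletion while the body shows an added line, so the hunk should be regenerated before anyone tries to apply it.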

Found in package version:
  4.4.1-2ubuntu5

** Affects: isc-dhcp (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  When installing dual stack IPv4 and IPv6 DHCP I found that DHCPv4 and
  DHCPv6 clobber each others /run/dhcp-server path when you stop or
  restart one of the daemons
  
  I found that the config in the systemd unit has the /run path set to the
  same location for both DHCPv4 and DHCPv6
  
- 
  In /lib/systemd/system/isc-dhcp-server.service the offending line that 
conflicts is:
-   exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid 
-cf $CONFIG_FILE $INTERFACES'
- 
+   exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid 
-cf $CONFIG_FILE $INTERFACES'
  
  In /lib/systemd/system/isc-dhcp-server6.service the offending line that 
conflicts is:
-   exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid 
-cf $CONFIG_FILE $INTERFACES'
+   exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid 
-cf $CONFIG_FILE $INTERFACES'
  
- 
- This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the path 
/run/dhcp-server and removed the pid file for the alternate process.
+ This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the
+ path /run/dhcp-server and removed the pid file for the alternate
+ process.
  
  I have found a possible fix is to give DHCPv6 it's own /run path, thus I
  suggest:
  
  1) update DHCPv6 to use /run/dhcp-server6/
  
  Update /lib/systemd/system/isc-dhcp-server6.service to use /run/dhcp-server6/
  ie.
-   exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid 
-cf $CONFIG_FILE $INTERFACES'
+   exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid 
-cf $CONFIG_FILE $INTERFACES'
  
  Now we need to give dhcp access to this path in Apparmor:
  
  2) Update /etc/apparmor.d/usr.sbin.dhcpd and add an additional line
  
  38d39
-   /var/lib/dhcp/dhcpd{,6}.leases* lrw,
-   /var/log/ r,
-   /var/log/** rw,
-   /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,
+   /var/lib/dhcp/dhcpd{,6}.leases* lrw,
+   /var/log/ r,
+   /var/log/** rw,
+   /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,
  +  /{,var/}run/{,dhcp-server6/}dhcpd{,6}.pid rw,
+ 
+ Found in package version:
+   4.4.1-2ubuntu5

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1882317

Title:
  Dual Stack DHCP clobber each other when using /run/dhcp-server/ for
  pid files

Status in isc-dhcp package in Ubuntu:
  New


[Touch-packages] [Bug 1882314] [NEW] Firewall rule in before6.rules for dhcp6 is wrong

2020-06-05 Thread Joshua Stark
Public bug reported:

Firewall rule in ip6table is incorrect, the ports need to be swapped

The file delivered - /usr/share/ufw/iptables/before6.rules
which is then copied to - /etc/ufw/before6.rules  

Delivered by Package:

# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

The ports for 
--sport and --dport are swapped

Should be:

-A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10 --dport 547 -j ACCEPT

Package version found in:
  0.36-0ubuntu0.1

** Affects: ufw (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882314/+subscriptions
