[Touch-packages] [Bug 1882484] Re: Firewall rule in before.rules for dhcp is wrong
Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv4 server. I will revert the UFW changes I have made and add in a new /etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv4 server.

Thanks
Josh

PS. isc-dhcp-server, when set up, by default is using "raw" sockets and thus the ufw rules are bypassed.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882484

Title:
  Firewall rule in before.rules for dhcp is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  The file delivered - /usr/share/ufw/iptables/before.rules
  which is then copied to - /etc/ufw/before.rules

  Delivered by Package:
    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

  The ports for --sport and --dport are swapped

  Should be:
    -A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT

  Package version found in:
    0.36-0ubuntu0.1

  Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't drop the packets with the incorrect configuration. This has had me stumped for the last hour.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1882484/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong
Thanks Jamie,

Ah, cool, so that ufw config is when the install is a client.

I am having issues with the install as a DHCPv6 server. I will revert the UFW changes I have made and add in a new /etc/ufw/application.d/dhcpd config to allow the install to run a DHCPv6 server.

Thanks
Josh

PS. isc-dhcp-server6, when set up, by default is not using "raw" sockets and thus the ufw rules are enforced.

--
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  When running DHCPv6, clients are not able to get an IP address.
  The firewall rule in ip6table is incorrect, and not allowing client requests in. The ports need to be swapped and the dst address needs to be removed, as it's a broadcast

  The file delivered - /usr/share/ufw/iptables/before6.rules
  which is then copied to - /etc/ufw/before6.rules

  Delivered by Package:
    # allow dhcp client to work
    -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

  The ports for --sport and --dport are swapped
  -d fe80::/10 needs to be removed

  Should be:
    -A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT

  Package version found in:
    0.36-0ubuntu0.1
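Added example, not part of the thread or of ufw: a small matcher for the rule lines quoted in the two reports, run against constructed DHCP packets to show which direction each rule admits on an input chain. The packet addresses are constructed for illustration; ff02::1:2 is the DHCPv6 All_DHCP_Relay_Agents_and_Servers multicast group.

```python
import ipaddress
import shlex

# Rule lines as quoted in the two bug reports.
SHIPPED_V4 = "-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT"
PROPOSED_V4 = "-A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT"
SHIPPED_V6 = ("-A ufw6-before-input -p udp -s fe80::/10 --sport 547 "
              "-d fe80::/10 --dport 546 -j ACCEPT")
PROPOSED_V6_FIRST = ("-A ufw6-before-input -p udp -s fe80::/10 --sport 546 "
                     "-d fe80::/10 --dport 547 -j ACCEPT")
PROPOSED_V6_FINAL = ("-A ufw6-before-input -p udp -s fe80::/10 --sport 546 "
                     "--dport 547 -j ACCEPT")

# Constructed packets: name -> (proto, src, sport, dst, dport).
V4_PACKETS = {
    "client_request": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "server_reply": ("udp", "192.0.2.1", 67, "192.0.2.50", 68),
}
V6_PACKETS = {
    # Clients send to the multicast group, servers answer link-local unicast.
    "client_request": ("udp", "fe80::c0ff:ee", 546, "ff02::1:2", 547),
    "server_reply": ("udp", "fe80::1", 547, "fe80::c0ff:ee", 546),
}

def parse_rule(line):
    """Parse the option subset used above; each option takes one value."""
    tok = shlex.split(line)
    opts = dict(zip(tok[0::2], tok[1::2]))
    return {
        "proto": opts.get("-p"),
        "src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
        "dst": ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
        "sport": int(opts["--sport"]) if "--sport" in opts else None,
        "dport": int(opts["--dport"]) if "--dport" in opts else None,
    }

def matches(rule, pkt):
    """An option the rule omits matches any value, as in iptables."""
    proto, src, sport, dst, dport = pkt
    return (rule["proto"] in (None, proto)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"])
            and rule["sport"] in (None, sport)
            and rule["dport"] in (None, dport))

def accepted(rule_line, packets):
    """Names of the packets that an input-chain rule would ACCEPT."""
    rule = parse_rule(rule_line)
    return [name for name, pkt in packets.items() if matches(rule, pkt)]
```

Under these sample packets the shipped rules accept only server replies (the client role), the final proposed rules accept only client requests (the server role), and the first DHCPv6 proposal accepts neither because the multicast destination lies outside fe80::/10.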
[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong
** Description changed: When running DHCPv6, clients are not able get IP address. - The firewall rule in ip6table is incorrect, and not allowing client requests in. The ports need to be swapped + The firewall rule in ip6table is incorrect, and not allowing client requests in. The ports need to be swapped and the dst address needs to be removed, as it's a broadcast The file delivered - /usr/share/ufw/iptables/before6.rules which is then copied to - /etc/ufw/before6.rules Delivered by Package: # allow dhcp client to work -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT The ports for --sport and --dport are swapped + -d fe80::/10 needs to be removed Should be: - -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10 - --dport 547 -j ACCEPT + -A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j + ACCEPT Package version found in: 0.36-0ubuntu0.1

--
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New
[Touch-packages] [Bug 1882484] [NEW] Firewall rule in before.rules for dhcp is wrong
Public bug reported:

The file delivered - /usr/share/ufw/iptables/before.rules
which is then copied to - /etc/ufw/before.rules

Delivered by Package:
  # allow dhcp client to work
  -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

The ports for --sport and --dport are swapped

Should be:
  -A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT

Package version found in:
  0.36-0ubuntu0.1

Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't drop the packets with the incorrect configuration. This has had me stumped for the last hour.

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1882484

Title:
  Firewall rule in before.rules for dhcp is wrong

Status in ufw package in Ubuntu:
  New
[Touch-packages] [Bug 1882314] Re: Firewall rule in before6.rules for dhcp6 is wrong
** Description changed: - Firewall rule in ip6table is incorrect, the ports need to be swapped + When running DHCPv6, clients are not able get IP address. + The firewall rule in ip6table is incorrect, and not allowing client requests in. The ports need to be swapped The file delivered - /usr/share/ufw/iptables/before6.rules - which is then copied to - /etc/ufw/before6.rules + which is then copied to - /etc/ufw/before6.rules Delivered by Package: # allow dhcp client to work -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT - The ports for + The ports for --sport and --dport are swapped Should be: -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10 --dport 547 -j ACCEPT Package version found in: - 0.36-0ubuntu0.1 + 0.36-0ubuntu0.1

--
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New
[Touch-packages] [Bug 1882317] [NEW] Dual Stack DHCP clobber each other when using /run/dhcp-server/ for pid files
Public bug reported:

When installing dual stack IPv4 and IPv6 DHCP I found that DHCPv4 and DHCPv6 clobber each other's /run/dhcp-server path when you stop or restart one of the daemons.

I found that the config in the systemd unit has the /run path set to the same location for both DHCPv4 and DHCPv6.

In /lib/systemd/system/isc-dhcp-server.service the offending line that conflicts is:
  exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES'

In /lib/systemd/system/isc-dhcp-server6.service the offending line that conflicts is:
  exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES'

This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the path /run/dhcp-server and removes the pid file for the alternate process.

I have found a possible fix is to give DHCPv6 its own /run path, thus I suggest:

1) update DHCPv6 to use /run/dhcp-server6/
Update /lib/systemd/system/isc-dhcp-server6.service to use /run/dhcp-server6/
i.e.
exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES' Now we need to give dhcp access to this path in Apparmor: 2) Update /etc/apparmor.d/usr.sbin.dhcpd and add an additional line 38d39 /var/lib/dhcp/dhcpd{,6}.leases* lrw, /var/log/ r, /var/log/** rw, /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw, + /{,var/}run/{,dhcp-server6/}dhcpd{,6}.pid rw, Found in package version: 4.4.1-2ubuntu5 ** Affects: isc-dhcp (Ubuntu) Importance: Undecided Status: New ** Description changed: When installing dual stack IPv4 and IPv6 DHCP I found that DHCPv4 and DHCPv6 clobber each others /run/dhcp-server path when you stop or restart one of the daemons I found that the config in the systemd unit has the /run path set to the same location for both DHCPv4 and DHCPv6 - In /lib/systemd/system/isc-dhcp-server.service the offending line that conflicts is: - exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES' - + exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES' In /lib/systemd/system/isc-dhcp-server6.service the offending line that conflicts is: - exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES' + exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES' - - This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the path /run/dhcp-server and removed the pid file for the alternate process. + This means if you stop/restart DHCPv4 or DHCPv6, then it cleans up the + path /run/dhcp-server and removed the pid file for the alternate + process. I have found a possible fix is to give DHCPv6 it's own /run path, thus I suggest: 1) update DHCPv6 to use /run/dhcp-server6/ Update /lib/systemd/system/isc-dhcp-server6.service to use /run/dhcp-server6/ ie. 
- exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES' + exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/dhcp-server6/dhcpd6.pid -cf $CONFIG_FILE $INTERFACES' Now we need to give dhcp access to this path in Apparmor: 2) Update /etc/apparmor.d/usr.sbin.dhcpd and add an additional line 38d39 - /var/lib/dhcp/dhcpd{,6}.leases* lrw, - /var/log/ r, - /var/log/** rw, - /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw, + /var/lib/dhcp/dhcpd{,6}.leases* lrw, + /var/log/ r, + /var/log/** rw, + /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw, + /{,var/}run/{,dhcp-server6/}dhcpd{,6}.pid rw, + + Found in package version: + 4.4.1-2ubuntu5

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1882317

Title:
  Dual Stack DHCP clobber each other when using /run/dhcp-server/ for pid files

Status in isc-dhcp package in Ubuntu:
  New
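Review bot: the added AppArmor line `/{,var/}run/{,dhcp-server6/}dhcpd{,6}.pid rw,` is broader than the proposed unit change needs. Its empty alternative re-grants `/run/dhcpd.pid` and `/run/dhcpd6.pid`, which the existing rule directly above already covers, and the `{,6}` suffix also permits `dhcp-server6/dhcpd.pid`, a path the proposed `-pf /run/dhcp-server6/dhcpd6.pid` never writes. A narrower line such as `/{,var/}run/dhcp-server6/dhcpd6.pid rw,` would grant only the new path. Separately, the `38d39` header reads as a deletion in normal diff notation while the marked line is an addition, so the header and the `+` marker do not agree.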
[Touch-packages] [Bug 1882314] [NEW] Firewall rule in before6.rules for dhcp6 is wrong
Public bug reported:

Firewall rule in ip6table is incorrect, the ports need to be swapped

The file delivered - /usr/share/ufw/iptables/before6.rules
which is then copied to - /etc/ufw/before6.rules

Delivered by Package:
  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

The ports for --sport and --dport are swapped

Should be:
  -A ufw6-before-input -p udp -s fe80::/10 --sport 546 -d fe80::/10 --dport 547 -j ACCEPT

Package version found in:
  0.36-0ubuntu0.1

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  New