Public bug reported:

So, this is a fun one.

I have an Epson XP-610 multifunction scanner/printer/coffeemaker/whiskey
distillery. It uses an XSane plugin, which spawns an intermediary
network app (/usr/lib/iscan/network) which detects and talks to the
scanner. These packages can all be obtained from here:
http://support.epson.net/linux/en/iscan_c.html.

Anyway, if you have UFW disabled, it works. If you enable UFW, however,
it works intermittently and takes forever to start up. Checking my
syslog, I find:

Oct  6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP: Possible SYN flooding on port 40796. Dropping request.  Check SNMP counters.

A Wireshark capture shows two things:
1.) It is communicating on that port on the "lo" interface, not any real
interface.
2.) There's one SYN. Not a lot. Just a single SYN. And then TCP retries. And
then eventually it works. Sometimes.

Anyway, if I edit /etc/ufw/sysctl.conf, and set
net/ipv4/tcp_syncookies=1, and then disable and reenable UFW, it works,
with the following syslog entry:

Oct  7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP: Possible SYN flooding on port 42751. Sending cookies.  Check SNMP counters.

Now, to be clear, I think syncookies is a workaround for a more
serious problem. Namely, why does the kernel think it's under attack to
begin with?

Anyway, I'm not certain this is really a UFW bug, but I'm starting here
because UFW seems to make it worse. Feel free to reclassify as a kernel
bug.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ufw 0.35-0ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-38.57-generic 4.4.19
Uname: Linux 4.4.0-38-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri Oct  7 20:20:00 2016
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to xenial on 2016-09-30 (7 days ago)
mtime.conffile..etc.ufw.sysctl.conf: 2016-10-06T23:11:58.680226

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1631553

Title:
  With UFW enabled, kernel reports SYN flooding
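
The kernel warning points at the SNMP counters. As an added example (not part of the original report and not UFW code), this Python parses the two warnings quoted above and diffs the TcpExt counters of /proc/net/netstat between two snapshots. The kernel prints the warning once per listening socket, while the counters count every affected SYN. The counter snapshots are constructed sample values and the function names are illustrative.

```python
import re

# Kernel warning format, as in the two syslog excerpts quoted in the report.
SYN_RE = re.compile(
    r"Possible SYN flooding on port (\d+)\. (Dropping request|Sending cookies)\.")

# TcpExt counters in /proc/net/netstat that move when a listener's queue is full.
COUNTERS = ("TCPReqQFullDrop", "TCPReqQFullDoCookies", "ListenDrops",
            "ListenOverflows", "SyncookiesSent", "SyncookiesRecv")

def parse_syn_events(log_text):
    """Return [(port, action)] for each SYN-flood warning in the log text."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    return [(int(port), action) for port, action in SYN_RE.findall(flat)]

def parse_tcpext(netstat_text):
    """Parse the TcpExt header line and value line into {name: int}."""
    rows = [l.split()[1:] for l in netstat_text.splitlines()
            if l.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt header line and one value line")
    return dict(zip(rows[0], map(int, rows[1])))

def moved(before, after):
    """Counters of interest that changed between two snapshots."""
    return {k: after[k] - before[k] for k in COUNTERS
            if k in before and k in after and after[k] != before[k]}

def summarize(events, deltas):
    """One line per warning: what the kernel did with the SYN, plus counter movement."""
    out = []
    for port, action in events:
        if action == "Dropping request":
            verdict = "SYN dropped (syncookies off); client must retransmit"
        else:
            verdict = "SYN answered with a cookie (syncookies on)"
        out.append(f"port {port}: {verdict}; counters moved: {deltas}")
    return out

# Constructed sample input: the report's two log lines plus invented counter snapshots.
SAMPLE_LOG = """Oct  6 22:48:00 hiro kernel: [48176.543355] TCP: request_sock_TCP:
Possible SYN flooding on port 40796. Dropping request.  Check SNMP
counters.
Oct  7 20:26:18 hiro kernel: [13666.745140] TCP: request_sock_TCP: Possible SYN flooding on port 42751. Sending cookies.  Check SNMP counters."""
BEFORE = "TcpExt: SyncookiesSent ListenDrops TCPReqQFullDrop\nTcpExt: 0 0 0\n"
AFTER = "TcpExt: SyncookiesSent ListenDrops TCPReqQFullDrop\nTcpExt: 0 3 3\n"

if __name__ == "__main__":
    for line in summarize(parse_syn_events(SAMPLE_LOG),
                          moved(parse_tcpext(BEFORE), parse_tcpext(AFTER))):
        print(line)
```

On a live system, replace BEFORE and AFTER with the contents of /proc/net/netstat read before and after starting the scanner.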
