** Description changed:

  SRU Justification:

  [ Impact ]

  When a wi-fi hotspot is being broadcast, NetworkManager does not automatically configure all firewall rules as needed for clients to access the internet.

  [ Test Plan ]

  Start wi-fi hotspot on device running ufw that is connected to the internet

  [ Actual result ]

  Clients cannot connect to the internet via the hotspot. Only after adding custom firewall rules such as those described above can the client connect to the internet.

  [ Expected result ]

  Clients can connect to the internet via the hotspot

  [ Fix ]

  At minimum, the following is needed to enable this:
  1. Enable routing from wireless adapter to wired adapter (ex: sudo ufw route allow in on wlP9s9 out on enp1s0 (varies depending on adapter names))
  2. Set iptables forwarding rules correctly (ex: sudo iptables -P FORWARD ACCEPT)
  3. If the host is running its own DNS / DHCP servers, those will also have to be allowed by the firewall
- (Discussion ongoing upstream)
+ This is already implemented by NetworkManager. However, since
+ applications like UFW configure firewall rules directly through
+ /etc/sbin/iptables, NetworkManager needs to be configured to do so as
+ well. Since we don't explicitly set a firewall backend to use in our
+ config, NM checks for the existence of nftables and uses it since it is
+ installed on Ubuntu, which is not sufficient to override the rules set
+ via iptables by UFW and Docker.
+
+ Therefore, the most straightforward solution is to configure Ubuntu's
+ NetworkManager to use iptables as its firewall backend, bringing it in
+ line with how UFW orchestrates its firewall rules.

  [ Where problems could occur ]

- Specifics to be researched
+ While NetworkManager should be configuring the same rules regardless of
+ the firewall backend used, any differences that might exist between how
+ /usr/sbin/iptables and /usr/sbin/nftables handle the setup could
+ manifest as user-visible differences in firewall behavior. Additionally,
+ since /usr/sbin/iptables is a symlink to /etc/alternatives/iptables, a
+ user who has changed their /etc/alternatives/iptables target could also
+ deviate from the behavior of a default Ubuntu configuration.
+
+ With that said, keeping this configuration as-is may also have risks
+ beyond the hotspot sharing use-case, since even the default firewall
+ profiles in NM are currently set via the nftables interface, which I've
+ observed is not always in sync with the UFW-enforced rules set via
+ /usr/sbin/iptables.
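The proposed fix pins NetworkManager's firewall backend through its configuration, and the "where problems could occur" section points at two things a tester would want to verify afterwards: the FORWARD policy from step 2 of the fix, and which iptables variant the /usr/sbin/iptables alternatives symlink actually resolves to. The script below is an added example written for this page; it is not part of the bug report or of the network-manager package. It assumes the `firewall-backend` key in the `[main]` section of NetworkManager.conf (a real key, accepting `iptables`, `nftables` or `none`), a hypothetical drop-in file name `10-firewall-backend.conf`, and an overridable `NM_CONF_DIR` so the functions can be exercised against a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example, not from the bug report: render and install the
# NetworkManager drop-in that pins the firewall backend, then the
# checks a tester runs afterwards. NM_CONF_DIR and the drop-in file
# name are assumptions chosen for this example.

NM_CONF_DIR="${NM_CONF_DIR:-/etc/NetworkManager/conf.d}"

# Render the drop-in. firewall-backend is a real [main] key in
# NetworkManager.conf; when it is unset NM probes for nft first,
# which is the behaviour the bug report describes.
nm_backend_conf() {
    printf '[main]\nfirewall-backend=%s\n' "${1:-iptables}"
}

# Write the drop-in into a conf.d directory (root is needed for the
# real /etc path) and print the path written. Restart NM afterwards.
install_backend_conf() {
    dir="$1"
    backend="${2:-iptables}"
    mkdir -p "$dir"
    nm_backend_conf "$backend" > "$dir/10-firewall-backend.conf"
    echo "$dir/10-firewall-backend.conf"
}

# Report which backend the drop-ins in a directory pin, or "unset" if
# none of them sets one (the last definition wins, as in NM itself).
effective_backend() {
    dir="$1"
    val=$(cat "$dir"/*.conf 2>/dev/null \
          | sed -n 's/^firewall-backend=\(.*\)$/\1/p' | tail -n1)
    [ -n "$val" ] && echo "$val" || echo "unset"
}

# Check step 2 of the fix. Feed the output of `iptables -S FORWARD`
# on stdin so the check can be run (and tested) without root.
forward_policy_accepts() {
    grep -q '^-P FORWARD ACCEPT$'
}

# Resolve the alternatives symlink so you know whether UFW is driving
# the legacy or the nft flavour of iptables on this host.
iptables_variant() {
    readlink -f "${1:-/usr/sbin/iptables}"
}

# Uncomment to apply on a real host (as root):
# install_backend_conf "$NM_CONF_DIR" iptables
# systemctl restart NetworkManager
# iptables -S FORWARD | forward_policy_accepts && echo "FORWARD accepts"
# iptables_variant
```

Run the commented-out lines as root to apply the change; the functions above it only touch the directory they are given, so they can be pointed at a temporary directory first to confirm the rendered drop-in looks right before it lands in /etc/NetworkManager/conf.d.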
-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2128668

Title:
  Wi-Fi hotspot startup does not configure firewalls as needed for internet sharing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
