gufw-developers team mailing list archive
-
gufw-developers team
-
Mailing list archive
-
Message #00508
[Bug 566764] Re: Enabling firewall with the default rules breaks mintUpdate
Guys, thanks for the followups. I'm not sure why you are not able to
reproduce what I reported. Perhaps there is a misunderstanding between
us. I have some more detail to help explain what I am seeing.
Here are the firewall rules immediately after a fresh installation, i.e.
before enabling the firewall:
$ iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
$ iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
And here are the firewall rules immediately after enabling the firewall
by clicking Enable in gufw's main window:
$ iptables -L INPUT -n
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
$ iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
iptables -L FORWARD -n
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
Immediately after the new firewall creation:
[UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.50.8 DST=192.168.50.255 LEN=267 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=247
[UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.50.8 DST=192.168.50.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Run mintUpdate:
[UFW BLOCK] IN=eth0 OUT= MAC=00:29:aa:6b:13:ca:00:21:1b:52:ef:b0:a7:00
SRC=91.189.88.46 DST=192.168.50.8 LEN=40 TOS=0x00 PREC=0x00 TTL=64
ID=55764 PROTO=TCP SPT=80 DPT=32948 WINDOW=1024 RES=0x00 RST URGP=0
and lots of similar ones for other Canonical servers.
--
Enabling firewall with the default rules breaks mintUpdate
https://bugs.launchpad.net/bugs/566764
You received this bug notification because you are a member of Gufw
Developers, which is the registrant for Gufw.
Status in Gufw: New
Status in The Linux Mint Distribution: Triaged
Status in “gui-ufw” package in Ubuntu: Invalid
Bug description:
In Mint 8 Helena, enabling the firewall by clicking the Enabled button in the Firewall dialog creates a very odd set of default rules that over-cautiously blocks input packets with no allowance being made for RELATED,EXISTING connections. This is undesirable and has several consequences - for example, it completely breaks mintUpdate which can no longer receive data from Canonical's servers on port 80:
[UFW BLOCK] IN=eth0 OUT= MAC=00:29:aa:6b:13:ca:00:21:1b:52:ef:b0:a7:00 SRC=91.189.88.46 DST=192.168.50.8 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=55764 PROTO=TCP SPT=80 DPT=32948 WINDOW=1024 RES=0x00 RST URGP=0
