gufw-developers team mailing list archive

Thread
Date
[Bug 1650489] Re: ufw broken on Linux Mint 17.3

To: gufw-developers@xxxxxxxxxxxxxxxxxxx
From: Oliver <1650489@xxxxxxxxxxxxxxxxxx>
Date: Sat, 17 Dec 2016 16:12:25 -0000
Reply-to: Bug 1650489 <1650489@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Hi,

"- there are already rules for avahi (bonjour) to make discovery work,
but connections to the discovered services would need rules allowing the
connection"

Then connection to port 8612 should work, but it doesn't. PC talks to
8612 of the printer, and then the printer replies from 8612. And this
reply gets blocked. It does not matter whether ufw gets stateful for
sane or not.

ufw may get this wrong, because the communication starts out as a
multicast, thus the recipient address is different than the address that
answers. But:

It gets even blocked, when a new rule is introduced to allow ALL inbound
traffic to 8612, so this rule just simply doesn't work.

Adding nf_conntrack_sane DOES NOT fix the problem... I have added
nf_conntrack_sane. And yes, I have restarted ufw...

This printer/scanner, btw, is not an Epson, but a Canon MX 925. And yes,
I have added the BJNP protocol to Sane. But it's not only Sane that does
not discover the scanner, also Vuescan does not discover it, and
Vuetracks author Ed Hamrick advises me to sniff the packets...

Syslog excerpt of an attempted network discovery:
.31 is the PC, .251 is the printer, .254 would be the router to the internet (not used here, of course).

Dec 17 16:56:09 FSC-neu kernel: [255876.935983] [UFW ALLOW] IN= OUT=eth0
SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12815
DF PROTO=UDP SPT=59438 DPT=8612 LEN=24

PC multicast to (all) printers port 8612, ALLOWed

Dec 17 16:56:09 FSC-neu kernel: [255876.936015] [UFW ALLOW] IN=eth0 OUT=
MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1
ID=12815 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24

Another multicast...

Dec 17 16:56:09 FSC-neu kernel: [255876.937195] [UFW BLOCK] IN=eth0 OUT=
MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251
DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26547 PROTO=UDP
SPT=8612 DPT=59438 LEN=40

Printers reply from 8612 gets BLOCKed

Dec 17 16:56:10 FSC-neu kernel: [255877.438000] [UFW BLOCK] IN=eth0 OUT=
MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251
DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=51278 PROTO=UDP
SPT=5353 DPT=59438 LEN=126

Dec 17 16:56:10 FSC-neu kernel: [255877.487316] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12879 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24 
Dec 17 16:56:10 FSC-neu kernel: [255877.487333] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12879 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24 

PC repeating the mulicast to the printer

Dec 17 16:56:10 FSC-neu kernel: [255877.488620] [UFW BLOCK] IN=eth0 OUT=
MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251
DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59770 PROTO=UDP
SPT=8612 DPT=59438 LEN=40

Printers responsed BLOCKed again...

Dec 17 16:56:10 FSC-neu kernel: [255877.986032] [UFW BLOCK] IN=eth0 OUT=
MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251
DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=53766 PROTO=UDP
SPT=5353 DPT=59438 LEN=126

Communication from the AVAHI port gets BLOCKed also, despite the rule
that should allow that

Dec 17 16:56:10 FSC-neu kernel: [255878.035296] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12957 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24 
Dec 17 16:56:10 FSC-neu kernel: [255878.035318] [UFW ALLOW] IN=eth0 OUT= MAC= SRC=192.168.1.31 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=12957 DF PROTO=UDP SPT=59438 DPT=8612 LEN=24 
Dec 17 16:56:10 FSC-neu kernel: [255878.036566] [UFW BLOCK] IN=eth0 OUT= 
MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11059 PROTO=UDP SPT=8612 DPT=59438 LEN=40 

And the printer gets BLOCKed one more time.

So the questions remaining are:
a) ufw seems unaware of a protocol that starts multicast, and gets unicast replies.
b) ufw ignores rules that completely open up an incoming port

Yours
Oliver

** This bug is no longer a duplicate of bug 1595046
   UFW and saned... not working togheter...

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1650489

Title:
  ufw broken on Linux Mint 17.3

Status in Gufw:
  New
Status in Linux Mint:
  New
Status in ufw:
  New

Bug description:
  Hi,

  on my Linux Mint 17.3 x64 Cinnamon, ufw appears to be broken (0.34~rc-
  0ubuntu2).

  Networking seemed to work alright, surfing was no problem, also FTP
  and SSH worked. But not Bonjour, which I need to use the scanner that
  is inside my Canon MX925. So I used gufw (14.04.2-0ubuntu1.2) to add
  rules that allow packets sent to ports 8610 and 8612, and packets
  coming from 5353 (Bonjour). But still, some of these packets get
  blocked, according to syslog.

  Looking deeper inside the matter, I realised that the default inbound
  policy is deny. So surfing should not be possible, but it works
  alright.

  sudo ufw status verbose

  Status: Aktiv
  Protokollierung: on (medium)
  Voreinstellung: reject (eingehend), allow (abgehend), disabled (gesendet)
  Neue Profile: skip

  Zu                         Aktion      Von
  --                         ------      ---
  8612                       ALLOW IN    Anywhere (log)
  5353                       ALLOW IN    Anywhere (log)
  8612 (v6)                  ALLOW IN    Anywhere (v6) (log)
  5353 (v6)                  ALLOW IN    Anywhere (v6) (log)

  8610                       ALLOW OUT   Anywhere (log)
  8612                       ALLOW OUT   Anywhere (log)
  8610 (v6)                  ALLOW OUT   Anywhere (v6) (log)
  8612 (v6)                  ALLOW OUT   Anywhere (v6) (log)

  Bonjour should be the only thing working, but in fact, it's the only
  thing NOT working. So I looked at those predefined sets of rules that
  ufw should come with, according to

  http://www.larrytalkstech.com/ufw-the-linux-uncomplicated-firewall/

  but most of the ones mentioned there are missing.

  sudo ufw app list

  Verfügbare Anwendungen:
    CUPS
    Samba

  Only CUPS and Samba are known? Not even DNS or tcp/80 ? Since surfing
  works alright, my guess is that ufw does not really work together with
  iptables, which to my understanding is the "real firewall" that (g)ufw
  is only a frontend for. So ufw does not show all rules that are in
  force, and ufw does not correctly apply new rules at the correct
  position in the chain, so they get defeated by the existing rules,
  thus Bonjour gets broken.

  Dec 15 14:00:30 FSC-neu kernel: [72537.358551] [UFW BLOCK] IN=eth0
  OUT= MAC=90:1b:0e:18:56:e3:60:12:8b:46:ce:55:08:00 SRC=192.168.1.251
  DST=192.168.1.31 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=63636 PROTO=UDP
  SPT=5353 DPT=36762 LEN=126

  Thanks
  Oliver

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1650489/+subscriptions
References

[Bug 1650489] [NEW] ufw broken on Linux Mint 17.3
From: Oliver, 2016-12-16