On Wed, Feb 25, 2015 at 04:30:34AM +0000, Mike Gabriel wrote:
> Control: tag -1 moreinfo
>
> Hi Jeffrey,
>
...
> thanks for using/testing UIF.
>
> Can you please send what
>
> sudo iptables -L
>
> prints to stdout if you have a default firewall configuration as
> described above?
...
Hi Mike,
I have attached these three files to this email:
1. Output of iptables -L (iptables-L.uif).
2. The uif.conf in use when 1. was run (uif.conf).
3. Output of iptables -L (iptables-L.ufw), when running ufw for
comparison. Note that ufw does not respond to ping from an external
host, unlike uif.
Thanks,
--
Jeffrey Sheinberg
Attachment 1: iptables-L.uif
Chain INPUT (policy DROP)
target prot opt source destination
STATEINPUT all -- anywhere anywhere
ACCEPT all -- localhost anywhere
ACCEPT all -- localhost anywhere
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
5DROPlog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
STATEFORWARD all -- anywhere anywhere
7DROPlog all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
STATEOUTPUT all -- anywhere anywhere
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere anywhere
6DROPlog all -- anywhere anywhere
Chain 5DROPlog (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (input): "
MYREJECT all -- anywhere anywhere
Chain 6DROPlog (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (output): "
MYREJECT all -- anywhere anywhere
Chain 7DROPlog (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (forward): "
MYREJECT all -- anywhere anywhere
Chain ACCOUNTINGFORWARD (1 references)
target prot opt source destination
Chain ACCOUNTINGINPUT (1 references)
target prot opt source destination
Chain ACCOUNTINGOUTPUT (1 references)
target prot opt source destination
Chain ACCOUNTINGSTATELESSFORWARD (1 references)
target prot opt source destination
Chain ACCOUNTINGSTATELESSINPUT (1 references)
target prot opt source destination
Chain ACCOUNTINGSTATELESSOUTPUT (1 references)
target prot opt source destination
Chain MYREJECT (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain STATEFORWARD (1 references)
target prot opt source destination
STATELESSFORWARD all -- anywhere anywhere state INVALID
ACCOUNTINGFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
STATENOTNEW all -- anywhere anywhere ! state NEW
Chain STATEINPUT (1 references)
target prot opt source destination
STATELESSINPUT all -- anywhere anywhere state INVALID
ACCOUNTINGINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
STATENOTNEW all -- anywhere anywhere ! state NEW
Chain STATELESSFORWARD (1 references)
target prot opt source destination
ACCOUNTINGSTATELESSFORWARD all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP all -- anywhere anywhere
Chain STATELESSINPUT (1 references)
target prot opt source destination
ACCOUNTINGSTATELESSINPUT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP all -- anywhere anywhere
Chain STATELESSOUTPUT (1 references)
target prot opt source destination
ACCOUNTINGSTATELESSOUTPUT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP all -- anywhere anywhere
Chain STATENOTNEW (3 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW STATE NOT NEW: "
DROP all -- anywhere anywhere
Chain STATEOUTPUT (1 references)
target prot opt source destination
STATELESSOUTPUT all -- anywhere anywhere state INVALID
ACCOUNTINGOUTPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
STATENOTNEW all -- anywhere anywhere ! state NEW
Attachment 2: uif.conf
## uif Firewall Configuration
## automatically configured for Debian systems...
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".
## Sysconfig definitions
# These entries define the global behaviour of the firewall package. Normally
# they are preset in /etc/default/uif and may be overwritten by this
# section.
#
# syntax: LogLevel : set the kernel loglevel for iptables rules
# LogPrefix: prepend this string to all iptables logs
# LogLimit: set packet limit per time interval (times/interval)
# LogBurst: set packet log burst
# example:
# sysconfig {
# LogLevel debug
# LogPrefix FW
# LogLimit 20/minute
# LogBurst 5
# AccountPrefix ACC_
# }
## Include predefined services
# The include section takes a bunch of files and includes them into this
# configuration file.
#
# syntax: "filename"
include {
"/etc/uif/services"
}
## Services needed for workstation setup
# The service section provides the protocol definitions you're
# using in the rules. You're forced to declare everything you
# need for your setup.
#
# syntax: service_name [tcp([source:range]/[dest:range])]
#                      [udp([source:range]/[dest:range])]
#                      [protocol_name([source:range][/][dest:range])]
#                      [service_name] ...
# examples: http tcp(/80)
# dns tcp(/53) udp(/53)
# group http dns tcp(/443)
# ipsec esp(/) udp(/500)
#service {
# traceroute udp(32769:65535/33434:33523) icmp(11)
# ping icmp(8)
#}
## Network definitions needed for IPv4+6 workstation setup
# The network definitions are included from two separate files.
# 1. /etc/uif/uif-ipv4-networks.inc
# 2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to set up IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# are defined in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#
# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.
include4 {
"/etc/uif/uif-ipv4-networks.inc"
}
# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.
include6 {
"/etc/uif/uif-ipv6-networks.inc"
}
## Interface definitions
# Since all definitions used in the filter section are symbolic,
# you've to specify symbolic names for all your interfaces you're
# going to use.
#
# syntax: interface_name [unix network interface] [interface_name]
# examples: internal eth0
# external ippp0 ipsec0
# allppp ppp+
# group external allppp eth3
interface {
loop lo
}
## Filter definitions
# The filter section defines the rules for in, out, forward, masquerading
# and nat. All rules make use of the symbolic names defined above. This
# section can be used multiple times in one config file. This makes more
# sense when using one of these alias names:
# filter, nat, input, output, forward, masquerade
#
# syntax: in[-/+]   [i=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         out[-/+]  [o=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         fw[-/+]   [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         masq[-/+] [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         nat[-/+]  additionally allows [S=from source] [D=to destination] [P=to port:[range]]
# flags: limit([count/time[,burst]])
# reject([reject type])
# log([name])
# account(name)
# examples:
# masq+ o=extern s=intranet
# nat+ s=intranet p=http D=relayintern P=squid
# in+ s=trusted p=ssh,ping,traceroute,http
# out- s=intranet p=smb f=reject
# fw- d=microsoft f=reject,log(ms-alert)
# fw+ p=myhttp f=account(HTTP)
# Pay attention to the protocol you use for your accounting rules. If you
# want to count user http traffic, you may need a "myhttp tcp(80/)".
filter {
in+ i=loop s=localhost
out+ o=loop d=localhost
# IPv4 rules
#in+ p=ping,traceroute
in+ s=trusted4(4)
# ICMP is a must in IPv6; blocking it breaks compliance
# with RFC 4443 (http://tools.ietf.org/html/rfc4443)
in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
#in+ s=trusted6(6)
out+ d=all
in- f=log(input),reject
out- f=log(output),reject
fw- f=log(forward),reject
}
Attachment 3: iptables-L.ufw
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
Chain ufw-logging-deny (2 references)
target prot opt source destination
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
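An added audit check, not part of this bug report or of the uif/ufw packages: the script below parses `iptables -L` listings like the two attached here and walks INPUT, following jumps into user chains, to give the verdict for a new ICMP packet of one type arriving from a remote host, which reproduces the difference Jeffrey notes (uif accepts echo-request where ufw drops it). The embedded listings are a constructed excerpt of the attachments, and it assumes the plain `iptables -L` format (interface matches are not shown in that output; use `-v` or `iptables-save` to see them).

```python
import re
# Constructed excerpt of the two `iptables -L` listings attached to this mail
# (uif first, then ufw); wrapped rule lines re-joined, header rows omitted.
UIF = """\
Chain INPUT (policy DROP)
ACCEPT     all  --  localhost  anywhere
ACCEPT     icmp --  anywhere   anywhere   icmp destination-unreachable
ACCEPT     icmp --  anywhere   anywhere   icmp echo-request
5DROPlog   all  --  anywhere   anywhere
Chain 5DROPlog (1 references)
LOG        all  --  anywhere   anywhere   limit: avg 20/min burst 5 LOG level debug prefix "FW REJECT (input): "
REJECT     all  --  anywhere   anywhere   reject-with icmp-port-unreachable
"""
UFW = """\
Chain INPUT (policy DROP)
ufw-before-input all -- anywhere anywhere
Chain ufw-before-input (1 references)
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere   anywhere   icmp destination-unreachable
DROP       icmp --  anywhere   anywhere   icmp echo-request
"""

def parse_listing(text):
    """Parse `iptables -L` text into {chain: [policy, [(target, prot, src, dst, extra), ...]]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:                       # policy is None for user-defined chains
            cur = chains.setdefault(m.group(1), [m.group(2), []])
            continue
        cols = line.split(None, 5)  # target prot opt source destination [match text]
        if cur and len(cols) >= 5 and cols[0] != "target":
            cur[1].append((cols[0], cols[1], cols[3], cols[4], cols[5] if len(cols) > 5 else ""))
    return chains

def verdict(chains, icmp_type, chain="INPUT"):
    """Terminal verdict for a new ICMP packet of icmp_type arriving from a remote host.
    Caveat: `iptables -L` hides interface matches (use -v); such rules look like plain 'all'."""
    policy, rules = chains[chain]
    for target, prot, src, _dst, extra in rules:
        if prot not in ("all", "icmp") or src != "anywhere":
            continue                # cannot match a remote ICMP packet
        if "state " in extra or (extra.startswith("icmp ") and extra != f"icmp {icmp_type}"):
            continue                # conntrack-state rule or a different ICMP type
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains and (v := verdict(chains, icmp_type, target)):
            return v                # the user chain produced a verdict
    return policy                   # None for user chains: fall back to the caller

def compare(icmp_type):
    """(uif verdict, ufw verdict) for one ICMP type, e.g. compare("echo-request")."""
    return verdict(parse_listing(UIF), icmp_type), verdict(parse_listing(UFW), icmp_type)
```

Run it against the full attachments by reading each file into `parse_listing`; a type that neither listing mentions falls through to the chain policy, so a remote time-exceeded is REJECTed by the uif excerpt and DROPped by the ufw one.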