On Wed, Feb 25, 2015 at 04:30:34AM +0000, Mike Gabriel wrote:
> Control: tag -1 moreinfo
>
> Hi Jeffrey,
> ...
> thanks for using/testing UIF.
>
> Can you please send what
>
>   sudo iptables -L
>
> prints to stdout if you have a default firewall configuration as
> described above?
...
Hi Mike,

I have attached these three files to this email:

1. Output of iptables -L (iptables-L.uif).
2. The uif.conf in use when 1. was run (uif.conf).
3. Output of iptables -L (iptables-L.ufw), when running ufw for comparison.

Note that ufw does not respond to ping from external host, unlike uif.

Thanks,
--
Jeffrey Sheinberg
iptables-L.uif:

Chain INPUT (policy DROP)
target     prot opt source               destination
STATEINPUT all  --  anywhere             anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
5DROPlog   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
STATEFORWARD  all  --  anywhere             anywhere
7DROPlog   all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
STATEOUTPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             localhost
ACCEPT     all  --  anywhere             anywhere
6DROPlog   all  --  anywhere             anywhere

Chain 5DROPlog (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (input): "
MYREJECT   all  --  anywhere             anywhere

Chain 6DROPlog (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (output): "
MYREJECT   all  --  anywhere             anywhere

Chain 7DROPlog (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (forward): "
MYREJECT   all  --  anywhere             anywhere

Chain ACCOUNTINGFORWARD (1 references)
target     prot opt source               destination

Chain ACCOUNTINGINPUT (1 references)
target     prot opt source               destination

Chain ACCOUNTINGOUTPUT (1 references)
target     prot opt source               destination

Chain ACCOUNTINGSTATELESSFORWARD (1 references)
target     prot opt source               destination

Chain ACCOUNTINGSTATELESSINPUT (1 references)
target     prot opt source               destination

Chain ACCOUNTINGSTATELESSOUTPUT (1 references)
target     prot opt source               destination

Chain MYREJECT (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain STATEFORWARD (1 references)
target     prot opt source               destination
STATELESSFORWARD  all  --  anywhere             anywhere             state INVALID
ACCOUNTINGFORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
STATENOTNEW  all  --  anywhere             anywhere             ! state NEW

Chain STATEINPUT (1 references)
target     prot opt source               destination
STATELESSINPUT  all  --  anywhere             anywhere             state INVALID
ACCOUNTINGINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
STATENOTNEW  all  --  anywhere             anywhere             ! state NEW

Chain STATELESSFORWARD (1 references)
target     prot opt source               destination
ACCOUNTINGSTATELESSFORWARD  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP       all  --  anywhere             anywhere

Chain STATELESSINPUT (1 references)
target     prot opt source               destination
ACCOUNTINGSTATELESSINPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP       all  --  anywhere             anywhere

Chain STATELESSOUTPUT (1 references)
target     prot opt source               destination
ACCOUNTINGSTATELESSOUTPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW INVALID STATE: "
DROP       all  --  anywhere             anywhere

Chain STATENOTNEW (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW STATE NOT NEW: "
DROP       all  --  anywhere             anywhere

Chain STATEOUTPUT (1 references)
target     prot opt source               destination
STATELESSOUTPUT  all  --  anywhere             anywhere             state INVALID
ACCOUNTINGOUTPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
STATENOTNEW  all  --  anywhere             anywhere             ! state NEW
uif.conf:

## uif Firewall Configuration
## automatically configured for Debian systems...

## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

## Sysconfig definitions
# These entries define the global behaviour of the firewall package. Normally
# they are preset in /etc/default/uif and may be overwritten by this
# section.
#
# syntax: LogLevel : set the kernel loglevel for iptables rules
#         LogPrefix: prepend this string to all iptables logs
#         LogLimit:  set packet limit per time interval (times/interval)
#         LogBurst:  set packet log burst
# example:
# sysconfig {
#       LogLevel        debug
#       LogPrefix       FW
#       LogLimit        20/minute
#       LogBurst        5
#       AccountPrefix   ACC_
# }

## Include predefined services
# The include section takes a bunch of files and includes them into this
# configuration file.
#
# syntax: "filename"

include {
        "/etc/uif/services"
}

## Services needed for workstation setup
# The service section provides the protocol definitions you're
# using in the rules. You're forced to declare everything you
# need for your setup.
#
# syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                      [protocol_name([source:range][/][dest:range])] [service_name] ...
# examples: http   tcp(/80)
#           dns    tcp(/53) udp(/53)
#           group  http dns tcp(/443)
#           ipsec  esp(/) udp(/500)

#service {
#       traceroute      udp(32769:65535/33434:33523) icmp(11)
#       ping            icmp(8)
#}

## Network definitions needed for IPv4+6 workstation setup
# The network definitions are included from two separate files.
# 1. /etc/uif/uif-ipv4-networks.inc
# 2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to setup IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# are defined in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#
# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.

include4 {
        "/etc/uif/uif-ipv4-networks.inc"
}

# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.

include6 {
        "/etc/uif/uif-ipv6-networks.inc"
}

## Interface definitions
# Since all definitions used in the filter section are symbolic,
# you have to specify symbolic names for all the interfaces you're
# going to use.
#
# syntax: interface_name [unix network interface] [interface_name]
# examples: internal   eth0
#           external   ippp0 ipsec0
#           allppp     ppp+
#           group      external allppp eth3

interface {
        loop    lo
}

## Filter definitions
# The filter section defines the rules for in, out, forward, masquerading
# and nat. All rules make use of the symbolic names defined above. This
# section can be used multiple times in one config file. This makes more
# sense when using one of these alias names:
# filter, nat, input, output, forward, masquerade
#
# syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         fw[-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
# flags:  limit([count/time[,burst]])
#         reject([reject type])
#         log([name])
#         account(name)
# examples:
#       masq+ o=extern s=intranet
#       nat+  s=intranet p=http D=relayintern P=squid
#       in+   s=trusted p=ssh,ping,traceroute,http
#       out-  s=intranet p=smb f=reject
#       fw-   d=microsoft f=reject,log(ms-alert)
#       fw+   p=myhttp f=account(HTTP)
# Pay attention to the protocol for your accounting rules. If you
# want to count user http traffic, you may need a "myhttp tcp(80/)".

filter {
        in+     i=loop s=localhost
        out+    o=loop d=localhost

        # IPv4 rules
        #in+    p=ping,traceroute
        in+     s=trusted4(4)

        # ICMP is a must in IPv6, blocking breaks compliancy
        # to RFC 4443 (http://tools.ietf.org/html/rfc4443)
        in+     s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
        #in+    s=trusted6(6)

        out+    d=all

        in-     f=log(input),reject
        out-    f=log(output),reject
        fw-     f=log(forward),reject
}
iptables-L.ufw:

Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination

Chain ufw-logging-deny (2 references)
target     prot opt source               destination

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
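The two attachments answer the ping question by inspection: the uif INPUT chain carries an `ACCEPT icmp ... icmp echo-request` rule from anywhere, while ufw's `ufw-before-input` ends the walk with `DROP icmp ... icmp echo-request`. Doing that walk by hand across a dozen user chains is error-prone, so the following is an added example (not part of this bug report, and not code from uif or ufw) that parses `iptables -L` output, traces a described packet through the chain jumps the way netfilter would, and reports the verdict, the deciding rule and any LOG prefixes hit on the way. The listings embedded in it are excerpts of the two attachments above with repeated rules trimmed; the packets are constructed from documentation-range addresses. It also handles the trap a reviewer of such listings has to know about: `iptables -L` without `-v` omits `-i`/`-o` interface matches, so a rule that shows no selector at all (ufw's first `ACCEPT all anywhere anywhere`, which is its loopback rule) looks unconditional. Such rules are flagged as ambiguous, and `skip_bare=True` treats them as non-matching so the trace reaches the explicit echo-request DROP that matches the observed behaviour.

```python
import re
from collections import namedtuple
from textwrap import dedent

# Excerpts copied from the two `iptables -L` attachments in this report; only the
# chains an inbound packet reaches before a verdict are kept, repeats trimmed.
UIF_LISTING = dedent("""\
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    STATEINPUT all  --  anywhere             anywhere
    ACCEPT     all  --  localhost            anywhere
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    5DROPlog   all  --  anywhere             anywhere

    Chain 5DROPlog (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 20/min burst 5 LOG level debug tcp-options ip-options prefix "FW REJECT (input): "
    MYREJECT   all  --  anywhere             anywhere

    Chain MYREJECT (3 references)
    target     prot opt source               destination
    REJECT     tcp  --  anywhere             anywhere             tcp reject-with tcp-reset
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
""")
UFW_LISTING = dedent("""\
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ufw-before-input  all  --  anywhere             anywhere

    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere             state INVALID
    DROP       icmp --  anywhere             anywhere             icmp echo-request
""")
Rule = namedtuple('Rule', 'target prot src dst extra')

def parse_listing(text):
    """Turn `iptables -L` output into {chain: {'policy': str|None, 'rules': [Rule]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r'Chain (\S+) \((?:policy (\S+)|\d+ references)\)', line):
            cur = chains.setdefault(m.group(1), {'policy': m.group(2), 'rules': []})
        elif line.strip() and not line.startswith('target'):
            f = line.split(None, 5)           # target prot opt source destination [extra]
            cur['rules'].append(Rule(f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ''))
    return chains

def extra_matches(extra, pkt):
    """Evaluate the free-text match column. Unknown syntax counts as no match, so
    the trace fails closed rather than inventing a verdict."""
    if not extra or extra.startswith('limit:') or 'reject-with' in extra:
        return True      # limit admits the first packets; reject-with is a target option
    if m := re.match(r'(!\s+)?state (\S+)', extra):
        hit = pkt['state'] in m.group(2).split(',')
        return not hit if m.group(1) else hit
    if m := re.match(r'icmp (\S+)', extra):
        return pkt.get('icmp_type') == m.group(1)
    if re.match(r'(tcp|udp) [sd]pt:', extra):     # port matches such as "tcp dpt:ssh"
        return all(pkt.get(k) == v for k, v in re.findall(r'([sd]pt):(\S+)', extra))
    return False

def rule_matches(rule, pkt):
    return (rule.prot in ('all', pkt['proto']) and rule.src in ('anywhere', pkt['src'])
            and rule.dst in ('anywhere', pkt['dst']) and extra_matches(rule.extra, pkt))

def is_bare(rule):
    # No visible selector. `-L` without -v omits -i/-o matches, so such a rule may
    # really be interface-restricted (ufw's first ACCEPT is its loopback rule).
    return rule.prot == 'all' and rule.src == rule.dst == 'anywhere' and not rule.extra

def trace(chains, name, pkt, skip_bare=False, logs=None):
    """Walk chain `name` as netfilter would. Returns (verdict, deciding rule, log
    prefixes hit); verdict None means a user chain fell through to its caller."""
    logs, chain = ([] if logs is None else logs), chains[name]
    for rule in chain['rules']:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == 'LOG':                  # non-terminating: note the prefix, go on
            logs.append((re.search(r'prefix "([^"]*)"', rule.extra) or [None, ''])[1])
        elif rule.target in {'ACCEPT', 'DROP', 'REJECT', 'RETURN'}:
            if skip_bare and is_bare(rule):
                continue
            return (chain['policy'] if rule.target == 'RETURN' else rule.target), rule, logs
        elif rule.target in chains:               # jump into a user-defined chain
            verdict, by, logs = trace(chains, rule.target, pkt, skip_bare, logs)
            if verdict:
                return verdict, by, logs
        # other targets (chains outside the excerpt, module targets) are skipped
    return chain['policy'], None, logs            # end of chain: policy, or fall through

def evaluate(listing, pkt, skip_bare=False, chain='INPUT'):
    verdict, by, logs = trace(parse_listing(listing), chain, pkt, skip_bare)
    return {'verdict': verdict, 'ambiguous': bool(by and is_bare(by)), 'logs': logs,
            'decided_by': f'{by.target} {by.prot} {by.extra}'.strip() if by else 'chain policy'}

# Constructed packets from a documentation-range address: a fresh echo-request
# and a fresh SSH SYN, both conntrack state NEW, both addressed to this host.
PING = dict(proto='icmp', icmp_type='echo-request', state='NEW', src='203.0.113.7', dst='192.0.2.10')
SYN = dict(proto='tcp', dpt='ssh', state='NEW', src='203.0.113.7', dst='192.0.2.10')

if __name__ == '__main__':
    for label, listing in (('uif', UIF_LISTING), ('ufw', UFW_LISTING)):
        print(label, evaluate(listing, PING), evaluate(listing, PING, skip_bare=True))
    print('uif SYN', evaluate(UIF_LISTING, SYN))
```

The ufw trace comes back ACCEPT with `ambiguous=True` at the bare rule and DROP once that rule is skipped; the uif trace is ACCEPT either way, on the visible echo-request rule, which is the difference the report describes. The SYN case shows the other half of what a defender wants from such a walk: before uif rejects the connection with a TCP reset, the packet passes the `5DROPlog` LOG rule, so the kernel log line to look for carries the prefix `FW REJECT (input): `. When collecting listings for a report like this one, `iptables -L -v -n` or `iptables-save` avoids the hidden-interface ambiguity entirely.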