* Michael Lazin <microla...@gmail.com> [220506 04:39]:
> The UFW firewall package uses iptables at the backend, but it is lacking
> syntax to block UDP ports and I think this would be useful.
>
> I ran the command "UFW default deny incoming UDP" and it wrote to the chain
> successfully, but I ran nslookup afterwards and it succeeded, meaning that
> it did not block all UDP ports because DNS uses UDP. This may be a bug.
Hi, Michael.

First, I have added an appropriate Subject. Doing so initially will help.

Second, debian-devel@l.d.o is not an appropriate place to report bugs in
specific packages. Use the reportbug command once you have gathered
appropriate information for the bug. If you need help determining what
information to gather, a user forum, such as debian-us...@lists.debian.org,
is a good place to start. If you can't or don't want to do that, go ahead
and file a bug with reportbug asking what info is needed. Note that this
places more burden on the maintainer, whereas starting at debian-users
allows a larger audience to help you.

Next, your email does not really give the information needed to show that a
bug really exists. You say ufw lacks syntax to block UDP ports, but then you
give an example that does so and say it wrote to the chain. You don't say
where you ran nslookup, on the host where you set the firewall rules, or on
an external host specifying the host with the firewall as the DNS server.

Note that a rule to block incoming UDP may be superseded by a previous rule
to allow "RELATED,ESTABLISHED" connections. So using nslookup on the host
creates a RELATED,ESTABLISHED connection using an outgoing UDP packet,
which (depending on your rules) may allow the incoming UDP packets to pass,
because the rule to block UDP is later in the chain.

You should look at the output from iptables-save to see if UFW actually
added the rule you wanted, and use a tool such as tcpdump to see what
packets are going which direction when you try the nslookup command. With
that info in hand, you can use reportbug to send a bug report to the bug
tracking system, which will ensure that the ufw maintainer gets it.

Please take this discussion to debian-users or another user forum, and then
use reportbug when you have enough info for the maintainer to act on the
bug.

...Marvin
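As an added example, not part of the thread, here is a small POSIX shell script that checks the ordering Marvin describes: it walks the filter chains from INPUT, following -j jumps in the order the kernel evaluates them, and reports whether a UDP DROP is only reached after a RELATED,ESTABLISHED ACCEPT. The iptables-save excerpts are constructed and only loosely modelled on ufw's chain names (ufw-before-input, ufw-user-input); to check a live host, feed the functions real `iptables-save` output instead.

```shell
# Constructed iptables-save excerpt, loosely modelled on ufw's chain layout
# (INPUT -> ufw-before-input -> ufw-user-input). Not output from any real host.
SAMPLE_SHADOWED='*filter
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p udp -j DROP
COMMIT'
# Constructed variant where the UDP drop is evaluated before the conntrack accept.
SAMPLE_EFFECTIVE='*filter
:ufw-before-input - [0:0]
-A INPUT -p udp -j DROP
-A INPUT -j ufw-before-input
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# walk_chain SAVE_TEXT CHAIN: print the rules of CHAIN in evaluation order,
# descending into every user-defined chain (declared as ":name - ...") that a
# -j jump targets. Terminal targets such as ACCEPT/DROP are not followed.
walk_chain() {
    printf '%s\n' "$1" | grep -E -- "^-A $2 " | while IFS= read -r rule; do
        printf '%s\n' "$rule"
        target=${rule##* -j }; target=${target%% *}
        if printf '%s\n' "$1" | grep -qE -- "^:$target - "; then
            walk_chain "$1" "$target"
        fi
    done
}

# check_udp_deny SAVE_TEXT: "shadowed" if a RELATED,ESTABLISHED accept is hit
# before the first "-p udp ... -j DROP" reachable from INPUT (so replies to the
# host's own DNS queries still get in), "effective" otherwise, "missing" if none.
check_udp_deny() {
    n=0; est=0; udp=0
    while IFS= read -r rule; do
        n=$((n + 1))
        case $rule in
            *'--ctstate RELATED,ESTABLISHED -j ACCEPT'*) [ "$est" -ne 0 ] || est=$n ;;
            *'-p udp'*'-j DROP'*) [ "$udp" -ne 0 ] || udp=$n ;;
        esac
    done <<EOF
$(walk_chain "$1" INPUT)
EOF
    if [ "$udp" -eq 0 ]; then echo missing
    elif [ "$est" -ne 0 ] && [ "$est" -lt "$udp" ]; then echo shadowed
    else echo effective; fi
}
check_udp_deny "$SAMPLE_SHADOWED"   # prints: shadowed
```

On a real host, `check_udp_deny "$(iptables-save)"` answers the ordering question, and tcpdump still confirms which direction the packets actually travel.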