Thank you for filing a bug.

The firewall policy is a combination of the default policy for each of
'incoming', 'outgoing' and 'routed' (forward) along with the policies
shipped in before{,6}.rules, after{,6}.rules and whatever gets added to
user{,6}.rules. Specifically, what is in before{,6}.rules is designed
with default deny for incoming (and forward), default allow for outgoing
and default accept for established connections. Considering that dhcpv6
uses port 546/udp for the client and port 547/udp for the server, the
shipped default policy allows:

* outgoing from this host port 546/udp to any port 547/udp (via default allow outgoing; e.g., for dhcp request)
* incoming for established connection (via before6.rules RELATED,ESTABLISHED; e.g., dhcp reply from the server we connected to on port 547/udp)
* incoming from fe80::/10 port 547/udp (via the before6.rules you mentioned; e.g., for a server responding to the broadcast)

I suspect that you've updated your default policy to deny to perform
egress filtering so you need to add a corresponding 'ufw allow out to
ff02::1:2 port 547 proto udp comment "dhcpv6 solicit"' rule or similar.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1882314

Title:
  Firewall rule in before6.rules for dhcp6 is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  When running DHCPv6, clients are not able to get an IP address.
  The firewall rule in ip6tables is incorrect, and not allowing client requests in. The ports need to be swapped and the dst address needs to be removed, as it's a broadcast.

  The file delivered - /usr/share/ufw/iptables/before6.rules
  which is then copied to - /etc/ufw/before6.rules

  Delivered by Package:

  # allow dhcp client to work
  -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

  The ports for
  --sport and --dport are swapped
  -d fe80::/10 needs to be removed

  Should be:

  -A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT

  Package version found in:
    0.36-0ubuntu0.1
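
Added example (shell), not part of the maintainer's reply or of the bug report: it classifies the DHCPv6 client rule found in a before6.rules file as the shipped form (sport 547, dport 546), the swapped form proposed in the report, or missing, and prints the extra ufw rule a host needs once its default outgoing policy is deny. The two sample rule lines are constructed from the rules quoted in this thread; the function names and the temporary-file demo are my own; the ufw command printed is the one the reply above suggests, unchanged.

```shell
#!/bin/sh
# Added example, not code from ufw or from the bug report.
#
# DHCPv6 port roles (RFC 8415): the client listens on 546/udp, servers and
# relay agents on 547/udp. A server's Advertise/Reply to a client therefore
# carries source port 547 and destination port 546, and is sent to the
# client's link-local address, so matching -s and -d against fe80::/10 is right.

# Constructed sample lines (not a whole before6.rules file): the rule ufw
# ships, and the swapped rule proposed in the bug report.
SHIPPED_RULE='-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT'
PROPOSED_RULE='-A ufw6-before-input -p udp -s fe80::/10 --sport 546 --dport 547 -j ACCEPT'

# Classify the DHCPv6 client rule in the file given as $1. Prints one word:
#   ok       accepts udp from fe80::/10 sport 547 to dport 546 (the shipped rule)
#   swapped  sport 546 / dport 547: matches packets addressed to a server's
#            port, not the reply a client receives on 546, so a client-only
#            host would never get a lease through it
#   missing  neither form present
dhcpv6_client_rule_status() {
    if grep -Eq -- '^-A ufw6-before-input .*-p udp .*-s fe80::/10 .*--sport 547 .*--dport 546 .*-j ACCEPT' "$1"; then
        echo ok
    elif grep -Eq -- '^-A ufw6-before-input .*-p udp .*--sport 546 .*--dport 547 .*-j ACCEPT' "$1"; then
        echo swapped
    else
        echo missing
    fi
}

# With 'ufw default deny outgoing', the client's Solicit/Request to the
# All_DHCP_Relay_Agents_and_Servers multicast group ff02::1:2 on 547/udp is
# dropped before any RELATED,ESTABLISHED state exists, so it needs its own
# rule. This only prints the command (the one suggested in the reply above);
# run it as root to apply it.
ufw_dhcpv6_egress_cmd() {
    echo 'ufw allow out to ff02::1:2 port 547 proto udp comment "dhcpv6 solicit"'
}

# Demo against the two constructed rules, written to a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SHIPPED_RULE" > "$demo_dir/shipped.rules"
printf '%s\n' "$PROPOSED_RULE" > "$demo_dir/proposed.rules"
echo "shipped rule:  $(dhcpv6_client_rule_status "$demo_dir/shipped.rules")"
echo "proposed rule: $(dhcpv6_client_rule_status "$demo_dir/proposed.rules")"
echo "egress rule needed with default-deny outgoing:"
ufw_dhcpv6_egress_cmd
rm -rf "$demo_dir"
```

To check a live system rather than a sample line, point the function at /etc/ufw/before6.rules; a result of ok together with a lease failure points at the outgoing policy, not at the input rule.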
