Thank you for filing a bug. The firewall policy is a combination of the default policy for each of 'incoming', 'outgoing' and 'routed' (forward) along with the policies shipped in before{,6}.rules, after{,6}.rules and whatever gets added to user{,6}.rules. Specifically, what is in before{,6}.rules is designed with default deny for incoming (and forward), default allow for outgoing and default accept for established connections. Considering that dhcp uses port 68/udp for the client and port 67/udp for the server, the shipped default policy allows:
* outgoing from this host port 68/udp to any port 67/udp (via default allow outgoing; eg, for dhcp request)
* incoming for established connection (via before.rules RELATED,ESTABLISHED; eg, dhcp reply from the server we connected to on port 67/udp)
* incoming from port 67/udp (via the before.rules you mentioned; eg, for a server responding to the broadcast)

I suspect that you've updated your default policy to deny to perform egress filtering so you need to add a corresponding 'ufw allow out to any port 67 proto udp comment "dhcp discover"' rule or similar.

https://bugs.launchpad.net/bugs/1882484

Title:
  Firewall rule in before.rules for dhcp is wrong

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  The file delivered
  - /usr/share/ufw/iptables/before.rules
  which is then copied to
  - /etc/ufw/before.rules

  Delivered by Package:
  # allow dhcp client to work
  -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

  The ports for --sport and --dport are swapped

  Should be:
  -A ufw-before-input -p udp --sport 68 --dport 67 -j ACCEPT

  Package version found in: 0.36-0ubuntu0.1

  Note: ISC DHCP uses RAW sockets, which bypasses iptables anyway and doesn't drop the packets with the incorrect configuration.

  This has had me stumped for the last hour.
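
The three decision paths named in the reply above, as an added example that is not part of the original bug thread and is not ufw's code: a simplified model that checks a DHCP client exchange against the shipped input rule, the swap proposed in the bug description, and a default deny outgoing policy. The names Packet, verdict, client_works, SHIPPED and PROPOSED are hypothetical, and the packets are constructed.

```python
# Simplified model of the ufw decision paths from the reply (assumption: not ufw's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out", relative to this host
    sport: int                 # UDP source port
    dport: int                 # UDP destination port
    established: bool = False  # conntrack state RELATED,ESTABLISHED


# Input rule as shipped in before.rules, and the swap proposed in the bug description.
SHIPPED = (67, 68)   # --sport 67 --dport 68
PROPOSED = (68, 67)  # --sport 68 --dport 67


def verdict(pkt, input_rule, default_out="allow", user_out_ports=()):
    """Return "ACCEPT" or "DROP" for a UDP packet under default deny incoming."""
    if pkt.established:
        return "ACCEPT"                  # before.rules RELATED,ESTABLISHED
    if pkt.direction == "out":
        if pkt.dport in user_out_ports:  # e.g. ufw allow out to any port 67 proto udp
            return "ACCEPT"
        return "ACCEPT" if default_out == "allow" else "DROP"
    # Incoming and not established: only the before.rules DHCP rule can accept it.
    return "ACCEPT" if (pkt.sport, pkt.dport) == input_rule else "DROP"


# Constructed client exchange: the request leaves 68 -> 67, the reply returns 67 -> 68.
DISCOVER = Packet("out", 68, 67)
OFFER = Packet("in", 67, 68)  # answer to a broadcast, so not matched as ESTABLISHED


def client_works(input_rule, default_out="allow", user_out_ports=()):
    """True when both halves of the client exchange are accepted."""
    return all(verdict(p, input_rule, default_out, user_out_ports) == "ACCEPT"
               for p in (DISCOVER, OFFER))


if __name__ == "__main__":
    print("shipped rule, default allow out:   ", client_works(SHIPPED))
    print("proposed swap, default allow out:  ", client_works(PROPOSED))
    print("shipped rule, default deny out:    ", client_works(SHIPPED, "deny"))
    print("deny out plus allow out to 67/udp: ", client_works(SHIPPED, "deny", (67,)))
```

In this model the swapped rule accepts only unsolicited packets arriving from port 68 to port 67, which is traffic addressed to a DHCP server rather than to a client.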