nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Tue Apr 14, 2020 2:08 am Post subject: UFW does not work
I'm trying to configure the ufw firewall, but I can't seem to, because all the network services are working normally without needing rules (CUPS, BitTorrent, Web).
I think I followed the guidelines of the Gentoo Wiki correctly: configured the kernel for IPTABLES, IPSET and UFW v4 and v6, started the services and enabled UFW. The UFW configuration test was OK. Below is some information:
Code:
```
# emerge -pv ipset
[ebuild R ] net-firewall/ipset-6.38::gentoo USE="-modules" 0 KiB
# emerge -pv iptables
[ebuild R ] net-firewall/iptables-1.6.1-r3:0/12::gentoo USE="ipv6 (split-usr) -conntrack -netlink -nftables -pcap -static-libs" 607 KiB
# emerge -pv ufw
[ebuild R ] net-firewall/ufw-0.36::gentoo USE="ipv6 -examples" PYTHON_TARGETS="python2_7 python3_6" 0 KiB
```
Code:
```
# rc-service ipset status
 * status: started
# rc-service iptables status
 * status: started
# rc-service ip6tables status
 * status: started
# rc-service ufw status
 * status: started
# rc-service sysklogd status
 * status: started
```
Code:
```
# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.17, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass
This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass
== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass
All tests passed
```
Code:
```
# ufw status
Estado: ativo
```
Code:
```
# cat /usr/src/linux/.config | grep "NETFILTER"
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
```
Anyone with a suggestion to solve the problem?
_________________
Workers of the world, unite!
jburns Veteran
Joined: 18 Jan 2007 Posts: 1227 Location: Massachusetts USA
Posted: Tue Apr 14, 2020 5:14 am Post subject:
Example commands to set up the firewall:
Code:
```
ufw allow ntp
ufw allow llmnr
ufw allow Bonjour
ufw allow ssh
ufw allow rsync
```
followed by one of
Code:
```
ufw reload
ufw enable
```
`reload` reloads the firewall.
`enable` reloads the firewall and enables the firewall on boot.
To disable the firewall:
`disable` unloads the firewall and disables the firewall on boot.
See the man page for more commands and options.
nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Tue Apr 14, 2020 1:16 pm Post subject:
Hello.
I made these settings: first I left the lock at the default.
Then I enabled UFW without adding rules, to test it.
And yet all network operations are still released without restrictions. I supposed that this configuration would cause UFW to block everything from the network until a release rule was created.
jburns Veteran
Joined: 18 Jan 2007 Posts: 1227 Location: Massachusetts USA
Posted: Tue Apr 14, 2020 4:59 pm Post subject:
Did you reboot the computer?
nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Tue Apr 14, 2020 8:08 pm Post subject:
Yes.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Wed Apr 15, 2020 2:13 am Post subject:
Please show the output of `iptables-save -c` when ufw is activated and not blocking connections you expected to be blocked.
nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Wed Apr 15, 2020 3:37 am Post subject:
I tested with the CUPS server enabled and running, and with HTTP navigation. Here is the result:
Code:
```
# iptables-save -c
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*nat
:PREROUTING ACCEPT [49:2046]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1683:111717]
:POSTROUTING ACCEPT [1683:111717]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*raw
:PREROUTING ACCEPT [13581:6354259]
:OUTPUT ACCEPT [14814:2170340]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*mangle
:PREROUTING ACCEPT [14189:6540313]
:INPUT ACCEPT [14187:6539677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15509:2239327]
:POSTROUTING ACCEPT [15512:2239540]
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
# Generated by iptables-save v1.6.1 on Wed Apr 15 00:32:40 2020
*filter
:INPUT DROP [2:72]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[14187:6539677] -A INPUT -j ufw-before-logging-input
[14187:6539677] -A INPUT -j ufw-before-input
[2886:1694616] -A INPUT -j ufw-after-input
[2883:1694403] -A INPUT -j ufw-after-logging-input
[2883:1694403] -A INPUT -j ufw-reject-input
[2883:1694403] -A INPUT -j ufw-track-input
[0:0] -A FORWARD -j ufw-before-logging-forward
[0:0] -A FORWARD -j ufw-before-forward
[0:0] -A FORWARD -j ufw-after-forward
[0:0] -A FORWARD -j ufw-after-logging-forward
[0:0] -A FORWARD -j ufw-reject-forward
[0:0] -A FORWARD -j ufw-track-forward
[15509:2239327] -A OUTPUT -j ufw-before-logging-output
[15509:2239327] -A OUTPUT -j ufw-before-output
[5461:583805] -A OUTPUT -j ufw-after-output
[5461:583805] -A OUTPUT -j ufw-after-logging-output
[5461:583805] -A OUTPUT -j ufw-reject-output
[5461:583805] -A OUTPUT -j ufw-track-output
[0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
[2:142] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[2:72] -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-forward -j ufw-user-forward
[1498:146277] -A ufw-before-input -i lo -j ACCEPT
[156:46341] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[0:0] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[4:214] -A ufw-before-input -j ufw-not-local
[0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
[4:214] -A ufw-before-input -j ufw-user-input
[1498:146277] -A ufw-before-output -o lo -j ACCEPT
[99:12224] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[78:4946] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
[0:0] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
[0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[2:72] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[2:142] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[2:142] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[6:360] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
[72:4586] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Apr 15 00:32:40 2020
```
Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Wed Apr 15, 2020 3:51 am Post subject:
How did you test the CUPS server?
nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Wed Apr 15, 2020 4:16 am Post subject:
Through the browser (http://127.0.0.1:631).
Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Thu Apr 16, 2020 1:55 am Post subject:
That would be allowed by your rule, specifically:
Code:
```
[14187:6539677] -A INPUT -j ufw-before-input
[1498:146277] -A ufw-before-input -i lo -j ACCEPT
```
Try your test from a separate system, since that is how an attacker would operate.
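Hu's point is that a test against 127.0.0.1 never reaches the rules the poster wanted to exercise, because loopback traffic is accepted in ufw-before-input before any user rule runs. As an added illustration (not code from the thread or from ufw), the following Python walks a constructed subset of the posted `iptables-save -c` filter table with netfilter's chain semantics, for a new inbound connection arriving on `lo` versus on an assumed external interface named `eth0`: the first is accepted by `-i lo -j ACCEPT`, the second falls through every chain and lands on the INPUT policy DROP.

```python
# Constructed subset of the thread's `iptables-save -c` filter table: the INPUT
# policy plus the rules that decide a *new* inbound packet (loopback vs. other).
UFW_SUBSET = """\
:INPUT DROP [2:72]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
"""

def arg(toks, flag):
    return toks[toks.index(flag) + 1] if flag in toks else None

def parse(text):
    # ({chain: policy}, {chain: [rules]}); only -j, -i and --ctstate are modelled
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):        # ":NAME POLICY [pkts:bytes]"; "-" = user chain
            name, policy = line.split()[:2]
            policies[name[1:]] = None if policy == "-" else policy
        elif line.startswith("-A "):
            toks = line.split()
            chains.setdefault(toks[1], []).append({k: arg(toks, f) for k, f in
                (("target", "-j"), ("iface", "-i"), ("ctstate", "--ctstate"))})
    return policies, chains

def matches(rule, pkt):
    if rule["iface"] and pkt["iface"] != rule["iface"]:
        return False
    return rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"].split(",")

def walk(chain, pkt, chains, trail):
    # netfilter semantics: a user chain that ends (or RETURNs) without a verdict
    # hands control back to the next rule of the chain that jumped into it
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["target"]
            trail.append(f"{chain} -> {target}")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target == "RETURN":
                return None
            sub = walk(target, pkt, chains, trail)
            if sub is not None:
                return sub
    return None

def input_verdict(pkt, text=UFW_SUBSET):
    # (verdict, trail); the built-in INPUT policy applies when no rule decides
    policies, chains = parse(text)
    trail = []
    return (walk("INPUT", pkt, chains, trail) or policies["INPUT"]), trail
```

Feeding the full posted table through `parse` works the same way, but matches such as `-p`, `--dport` and `-m addrtype` are ignored here, so only the interface and conntrack state decide.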