• (none)

    From Michael Lazin@21:1/5 to All on Fri May 6 10:40:02 2022
    The UFW firewall package uses iptables at the backend, but it is lacking
    syntax to block UDP ports and I think this would be useful.

I ran the command "UFW default deny incoming UDP" and it wrote to the chain successfully, but I ran nslookup afterwards and it succeeded, meaning that
it did not block all UDP ports, because DNS uses UDP. This may be a bug.

    Michael Lazin

    .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marvin Renich@21:1/5 to All on Fri May 6 14:40:01 2022
* Michael Lazin <microlaser@gmail.com> [220506 04:39]:
> The UFW firewall package uses iptables at the backend, but it is lacking syntax to block UDP ports and I think this would be useful.
>
> I ran the command "UFW default deny incoming UDP" and it wrote to the chain successfully, but I ran nslookup afterwards and it succeeded, meaning that
> it did not block all UDP ports, because DNS uses UDP. This may be a bug.

    Hi, Michael.

    First, I have added an appropriate Subject. Doing so initially will
    help.

    Second, debian-devel@l.d.o is not an appropriate place to report bugs in specific packages. Use the reportbug command once you have gathered appropriate information for the bug. If you need help determining what information to gather, a user forum, such as
    debian-users@lists.debian.org, is a good place to start. If you can't
    or don't want to do that, go ahead and file a bug with reportbug asking
    what info is needed. Note that this places more burden on the
    maintainer, whereas starting at debian-users allows a larger audience to
    help you.

    Next, your email does not really give the information needed to show
    that a bug really exists. You say ufw lacks syntax to block UDP ports,
    but then you give an example that does so and say it wrote to the chain.

    You don't say where you ran nslookup, on the host where you set the
    firewall rules, or on an external host specifying the host with the
    firewall as the DNS server. Note that a rule to block incoming UDP may
    be superseded by a previous rule to allow "RELATED,ESTABLISHED"
    connections. So using nslookup on the host creates a
    RELATED,ESTABLISHED connection using an outgoing UDP packet, which
    (depending on your rules) may allow the incoming UDP packets to pass,
    because the rule to block UDP is later in the chain.

    You should look at the output from iptables-save to see if UFW actually
    added the rule you wanted, and use a tool such as tcpdump to see what
    packets are going which direction when you try the nslookup command.
    With that info in hand, you can use reportbug to send a bug report to
    the bug tracking system, which will ensure that the ufw maintainer gets
    it.

    Please take this discussion to debian-users or another user forum, and
    then use reportbug when you have enough info for the maintainer to act
    on the bug.

    ...Marvin

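The rule-ordering point Marvin makes (an earlier RELATED,ESTABLISHED accept lets the DNS reply in before a later "drop UDP" rule is ever consulted) is easy to confirm by reading iptables-save output rule by rule. The following script is an added example, not code from the thread or from the ufw project: it parses a constructed iptables-save fragment laid out the way ufw's chains typically look, then walks a described packet through the chains in first-match order and reports which rule decided its fate. The matcher only understands `-p`, `-i` and `--ctstate` (enough for this scenario; other matches are ignored), and the chain names and rules in SAMPLE_RULES are constructed for illustration, so substitute your real `iptables-save` output to check your own host.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed iptables-save fragment modelled on ufw's chain layout; not a real dump.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-user-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-user-input -p udp -j DROP
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None
    ctstates: Optional[frozenset] = None  # None means "no --ctstate match"
    text: str = ""

    def matches(self, pkt: dict) -> bool:
        """Simplified matcher: only -p, -i and --ctstate are honoured."""
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        if self.ctstates is not None and pkt.get("ctstate") not in self.ctstates:
            return False
        return True


def _opt(toks, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    if flag in toks:
        i = toks.index(flag)
        if i + 1 < len(toks):
            return toks[i + 1]
    return None


def parse_iptables_save(text):
    """Return ({chain: [Rule, ...]}, {builtin_chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration, e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                         # "-" marks a user-defined chain
                policies[name] = policy
        elif line.startswith("-A "):                  # append-rule line
            toks = line.split()
            rule = Rule(chain=toks[1], target=_opt(toks, "-j"),
                        proto=_opt(toks, "-p"), iface=_opt(toks, "-i"), text=line)
            ct = _opt(toks, "--ctstate")
            if ct:
                rule.ctstates = frozenset(ct.split(","))
            chains.setdefault(toks[1], []).append(rule)
    return chains, policies


def evaluate(chain, pkt, chains, policies):
    """Walk `chain` in first-match order; return (verdict, deciding rule text or None).

    A verdict of None means the chain fell through (used for user chains);
    built-in chains fall back to their policy."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, rule.text
        if rule.target == "RETURN":
            break
        if rule.target in chains:                     # jump into a user-defined chain
            verdict, hit = evaluate(rule.target, pkt, chains, policies)
            if verdict is not None:
                return verdict, hit
    if chain in policies:
        return policies[chain], None                  # no rule matched: chain policy decides
    return None, None


if __name__ == "__main__":
    chains, policies = parse_iptables_save(SAMPLE_RULES)
    scenarios = {
        "DNS reply to a local nslookup (ESTABLISHED)": {"proto": "udp", "iface": "eth0", "ctstate": "ESTABLISHED"},
        "unsolicited inbound UDP (NEW)": {"proto": "udp", "iface": "eth0", "ctstate": "NEW"},
    }
    for label, pkt in scenarios.items():
        verdict, hit = evaluate("INPUT", pkt, chains, policies)
        print(f"{label}: {verdict} via {hit or 'chain policy'}")
```

The ESTABLISHED reply is accepted by the conntrack rule in ufw-before-input before ufw-user-input is reached, while a NEW inbound UDP packet reaches the drop rule; that is exactly why a local nslookup succeeding proves nothing about whether the UDP rule was written. Pair this with a tcpdump capture, as suggested above, to confirm which packets actually arrive.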