'ufw status verbose' should mention some details of the default ruleset

Bug #1820350 reported by Bastian Kanbach
Affects        Status    Importance  Assigned to  Milestone
ufw (Ubuntu)   Triaged   Wishlist    Unassigned

Bug Description

Hello,

ufw can be configured with a default profile of DENY all incoming packets. When "ufw status verbose" is called, it seems like indeed all incoming packets would be dropped/denied.

However, there are some exceptions, which are only visible when "iptables -S" is called. Examples for allowed incoming network traffic:

- Incoming datagrams to UDP port 68, when UDP source port is set to 67
- Incoming datagrams to UDP port 5353, sent to 224.0.0.251/32
- Incoming datagrams to UDP port 1900, sent to 239.255.255.250/32
- Incoming ICMP packets of type 3 (Destination Unreachable)
- Incoming ICMP packets of type 11 (Time Exceeded)
- Incoming ICMP packets of type 12 (Parameter Problem)
- Incoming ICMP packets of type 8 (Echo)

What I'm most worried about is that these exceptions are not visible in the ufw interface when "ufw status verbose" is called. This is a bit misleading, since users who set a DENY all rule would expect that really all packets are denied.

Users could still query iptables directly to see what's going on, but as far as I'm aware ufw acts as a user-friendly wrapper with the advantage of not having to deal with iptables, so this can lead to wrong expectations.

In particular, consider the following scenarios:

- Malicious software listens on UDP port 68 (elevated privileges) and receives datagrams with a source port of 67 from another piece of malware, although ufw policy is set to DENY.

- Malicious software listens on UDP port 1900 (non-elevated privileges) and receives datagrams sent to multicast address 239.255.255.250/32 from another piece of malware residing in the same subnet, although ufw policy is set to DENY.

- Malicious software listens on UDP port 5353 (non-elevated privileges) and receives datagrams sent to multicast address 224.0.0.251/32 from another piece of malware residing in the same subnet, although ufw policy is set to DENY.

etc.
...
...

My suggestions (from most to least restrictive):

a) Really block everything when "ufw default DENY" is called. Without any exceptions.
b) If you would like to keep UDP ports 68, 1900 and 5353 and the ICMP types in the list although "ufw default DENY" was called, these exceptions should be displayed in "ufw status".

--------------------------------

In the following you can find the invoked commands and a list of all iptables rules created by ufw when the policy is set to DENY:

Examples:

~$ ufw --version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.

~$ sudo ufw default DENY
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

Best Regards,
Bastian Kanbach
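The check that option (b) asks 'ufw status verbose' to perform, as an added example that is not part of ufw or of the report: a Python script that parses the `iptables -S` dump quoted above and lists the ACCEPT rules in ufw-before-input that are evaluated before the jump to the user's own rules, i.e. the traffic that the default deny policy still admits. The rule excerpt is copied from the report; the chain names are the ones that appear in that dump, and the loopback and RELATED,ESTABLISHED matches are treated as not being exceptions.

```python
import shlex
# Excerpt of the `iptables -S` output quoted in the report above (default deny policy).
IPTABLES_S = """\
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
"""

# Matches that only admit replies or host-local traffic, so not exceptions to the policy.
BENIGN = {("-i", "lo"), ("--ctstate", "RELATED,ESTABLISHED")}


def parse_rule(line):
    """Split one '-A <chain> ...' line into (chain, {option: value}, jump target)."""
    tok = shlex.split(line)
    opts, i = {}, 2
    while i < len(tok):
        if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
            opts[tok[i]], i = tok[i + 1], i + 2  # option followed by its value
        else:
            opts[tok[i]], i = None, i + 1        # bare flag
    return tok[1], opts, opts.get("-j")


def describe(opts):
    """Short human-readable form of a rule's match, e.g. 'udp sport 67 dport 68'."""
    parts = [opts.get("-p", "any")]
    for flag, label in (("--icmp-type", "type"), ("--sport", "sport"),
                        ("--dport", "dport"), ("-d", "to")):
        if flag in opts:
            parts.append(label + " " + opts[flag])
    return " ".join(parts)


def default_input_exceptions(dump, chain="ufw-before-input", user_chain="ufw-user-input"):
    """ACCEPT rules in `chain` that are evaluated before the jump to `user_chain`."""
    found = []
    for line in dump.splitlines():
        if not line.startswith("-A " + chain + " "):
            continue
        _, opts, target = parse_rule(line)
        if target == user_chain:
            break  # from here on the rules are the user's own; 'ufw status' lists those
        if target == "ACCEPT" and not any((k, v) in BENIGN for k, v in opts.items()):
            found.append(describe(opts))
    return found
```

Feeding the script the live output of `sudo iptables -S` instead of the excerpt reports the same five exceptions the report lists, plus any site-specific ones added to before.rules.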

summary: - ufw still allows incoming packets when policy is set to deny
+ ufw allows certain incoming packets when policy is set to deny
information type: Private Security → Public
Jamie Strandboge (jdstrand) wrote : Re: ufw allows certain incoming packets when policy is set to deny

Thank you for your report. Please note that for usability a default ruleset is put in use by design and documented in the ufw(8) man page. Users are free to fine-tune those defaults for site-specific needs as described in the ufw-framework(8) man page. As a result option 'a' is out of scope. Option 'b' does make sense and is something that can be looked at with 'status verbose' (implementation-wise it might make sense to check if all the defaults are in use and if they are, mention those defaults, and if they are not, mention that custom rules are in effect). I'm not sure yet how this should be represented in the UI.

summary: - ufw allows certain incoming packets when policy is set to deny
+ 'ufw status verbose' should mention some details of the default ruleset
Changed in ufw (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist