
Re: blocking UDP with UFW (bug?)



* Michael Lazin <microlaser@gmail.com> [220506 04:39]:
> The UFW firewall package uses iptables at the backend, but it is lacking
> syntax to block UDP ports and I think this would be useful.
> 
> I ran the command "UFW default deny incoming UDP" and it wrote to the chain
> successfully, but I ran nslookup afterwards and it succeeded, meaning that
> it did not block all UDP ports, because DNS uses UDP.  This may be a bug.

Hi, Michael.

First, I have added an appropriate Subject.  Doing so initially will
help.

Second, debian-devel@l.d.o is not an appropriate place to report bugs in
specific packages.  Use the reportbug command once you have gathered
appropriate information for the bug.  If you need help determining what
information to gather, a user forum, such as
debian-users@lists.debian.org, is a good place to start.  If you can't
or don't want to do that, go ahead and file a bug with reportbug asking
what info is needed.  Note that this places more burden on the
maintainer, whereas starting at debian-users allows a larger audience to
help you.

Next, your email does not really give the information needed to show
that a bug really exists.  You say ufw lacks syntax to block UDP ports,
but then you give an example that does so and say it wrote to the chain.

You don't say where you ran nslookup, on the host where you set the
firewall rules, or on an external host specifying the host with the
firewall as the DNS server.  Note that a rule to block incoming UDP may
be superseded by a previous rule to allow "RELATED,ESTABLISHED"
connections.  So using nslookup on the host creates a
RELATED,ESTABLISHED connection using an outgoing UDP packet, which
(depending on your rules) may allow the incoming UDP packets to pass,
because the rule to block UDP is later in the chain.

You should look at the output from iptables-save to see if UFW actually
added the rule you wanted, and use a tool such as tcpdump to see what
packets are going which direction when you try the nslookup command.
With that info in hand, you can use reportbug to send a bug report to
the bug tracking system, which will ensure that the ufw maintainer gets
it.

Please take this discussion to debian-users or another user forum, and
then use reportbug when you have enough info for the maintainer to act
on the bug.

...Marvin
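The rule-ordering point Marvin makes (a later "drop all UDP" rule never sees DNS replies when an earlier rule accepts RELATED,ESTABLISHED traffic) can be made concrete with a small model of first-match chain evaluation plus connection tracking. The following is an added example written for this page; it is not code from ufw, iptables or anyone in the thread. It assumes a flattened INPUT chain, a minimal stand-in for netfilter conntrack that only remembers flows seen leaving the host, and constructed TEST-NET addresses; the verdicts are what the model computes, not output captured from a real firewall.

```python
"""
Toy model of iptables first-match evaluation with connection tracking
(constructed for illustration; not ufw's or netfilter's real code).

It shows why an outgoing DNS query from the firewalled host still gets
its reply when the chain reads:

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -j DROP

while an unsolicited inbound UDP packet is dropped, and why swapping the
two rules makes the reply disappear instead.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None       # None matches any protocol
    ctstate: frozenset = frozenset()  # empty set means "do not check state"


class ConnTracker:
    """Simplified conntrack: a flow noted on the way out makes its
    reply (same 5-tuple with src/dst swapped) ESTABLISHED on the way in."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def note_outgoing(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt: Packet) -> str:
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reply_of in self.flows else "NEW"


def evaluate(chain: List[Rule], pkt: Packet, tracker: ConnTracker,
             policy: str = "ACCEPT") -> str:
    """First matching rule decides; the chain policy applies if none match."""
    state = tracker.state(pkt)
    for rule in chain:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.ctstate and state not in rule.ctstate:
            continue
        return rule.action
    return policy


# Constructed chain: the conntrack ACCEPT first, the "block all UDP" DROP after.
INPUT_CHAIN = [
    Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("DROP", proto="udp"),
]

HOST = "192.0.2.10"        # the firewalled host (TEST-NET-1, constructed)
RESOLVER = "192.0.2.53"    # its DNS server (constructed)


def dns_reply_verdict(chain: List[Rule] = INPUT_CHAIN) -> str:
    """nslookup run on the host: query leaves, reply comes back."""
    tracker = ConnTracker()
    query = Packet("udp", HOST, 40001, RESOLVER, 53)
    tracker.note_outgoing(query)                      # OUTPUT side records the flow
    reply = Packet("udp", RESOLVER, 53, HOST, 40001)  # the answer arriving on INPUT
    return evaluate(chain, reply, tracker)            # "ACCEPT" with INPUT_CHAIN


def unsolicited_udp_verdict(chain: List[Rule] = INPUT_CHAIN) -> str:
    """Inbound UDP with no prior outgoing flow, e.g. a query aimed at the host."""
    tracker = ConnTracker()
    probe = Packet("udp", "198.51.100.7", 5555, HOST, 53)
    return evaluate(chain, probe, tracker)            # "DROP"


def reordered_dns_reply_verdict() -> str:
    """Same DNS exchange, but with the UDP DROP placed before the conntrack
    ACCEPT: the reply is now dropped and the lookup would time out."""
    return dns_reply_verdict(list(reversed(INPUT_CHAIN)))


if __name__ == "__main__":
    print("DNS reply, conntrack ACCEPT first:", dns_reply_verdict())
    print("Unsolicited inbound UDP:          ", unsolicited_udp_verdict())
    print("DNS reply, UDP DROP first:        ", reordered_dns_reply_verdict())
```

The model deliberately leaves out everything else ufw puts in its chains; its only purpose is to show that "the rule wrote to the chain" and "the rule blocks DNS replies" are different claims, and that iptables-save (to see the actual order) and tcpdump (to see which direction each packet travels) are what settle the question, as the reply above says.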
