UFW default ICMPv6 before6.rules modification

Bug #299268 reported by Ryan Giobbi
Affects: ufw (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge
Milestone: (none)

Bug Description

Binary package hint: ufw

In ufw 0.23.2, a minor feature request:

in the before6.rules, restrict NDP messages to hop limit to 255:

-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT

-A ufw6-before-input -p udp --sport 67 --dport 68 -m hl --hl-eq 255 -j ACCEPT

This should limit NDP messages and DHCPv6 to the local network.

Ryan Giobbi (ryan-tgbemail) wrote :

RFC 4861 specifies that NDP messages shouldn't be passed through routers.

Also, host (non-router) systems shouldn't need the
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
rule, since they send router solicitations; they don't need to receive them.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This will be included in the next release of ufw.

Changed in ufw:
assignee: nobody → jdstrand
status: New → Triaged
Changed in ufw:
status: Triaged → Fix Committed
Ryan Giobbi (ryan-tgbemail) wrote :

Thanks for the update, a typo in my original report:
-m hl --hl-eq 255 should be -m hl --hl-eq 64

An ip6tables guide that might be useful is here:
http://tools.ietf.org/html/rfc4890#appendix-B

Jamie Strandboge (jdstrand) wrote : Re: [Bug 299268] Re: UFW default ICMPv6 before6.rules modification

On Sun, 14 Dec 2008, Ryan Giobbi wrote:

> Thanks for the update, a typo in my original report:
> -m hl --hl-eq 255 should be -m hl --hl-eq 64
>
Before committing, I read section 4.2 of http://tools.ietf.org/html/rfc4890
and came to the conclusion that 255 is the correct value for NDP
messages. Also, the hop limit is 64 by default. Can you clarify your
comment?

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
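The hop-limit requirement the report and the reply above settle on (255 for NDP, per RFC 4890 section 4.2) can be checked mechanically. The following is an added example, not code from ufw or from anyone in this thread: it reads ip6tables-save style rule lines such as the ones in the report and flags NDP ACCEPT rules whose hop-limit match is missing or not 255. NDP_TYPES, OPTS, parse_rule, audit_ndp_rules and the sample rules are all constructed here.

```python
"""Added check, not ufw's own code: audit ip6tables-save style lines like the
ones in the report above and flag NDP ACCEPT rules that do not require a hop
limit of exactly 255 (RFC 4861; RFC 4890 section 4.2)."""
import shlex

# ICMPv6 types RFC 4861 requires to be sent with hop limit 255. The report
# lists the first four; 'redirect' is included here on the same RFC basis.
NDP_TYPES = {"router-solicitation", "router-advertisement",
             "neighbor-solicitation", "neighbor-advertisement", "redirect"}
# Option -> field name; every option listed here takes exactly one argument.
OPTS = {"-p": "proto", "--icmpv6-type": "icmp_type", "--hl-eq": "hl_eq", "-j": "target"}


def parse_rule(line):
    """Pull the fields this check needs out of one '-A ...' rule line."""
    rule = {"proto": None, "icmp_type": None, "hl_eq": None, "target": None}
    toks = shlex.split(line)
    for i, tok in enumerate(toks[:-1]):      # the last token cannot carry an argument
        if tok in OPTS and toks[i - 1] != "!":   # a negated match ('! --hl-eq') does not count
            rule[OPTS[tok]] = toks[i + 1]
    if rule["hl_eq"] is not None:
        rule["hl_eq"] = int(rule["hl_eq"])
    return rule


def audit_ndp_rules(text):
    """Return [(icmp_type, hl_eq)] for NDP ACCEPT rules whose hop-limit match
    is missing or not 255; an empty list means the rules pass."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue              # '*filter', 'COMMIT', comments, blank lines
        r = parse_rule(line)
        if r["proto"] not in ("icmpv6", "ipv6-icmp") or r["target"] != "ACCEPT":
            continue
        if r["icmp_type"] in NDP_TYPES and r["hl_eq"] != 255:
            findings.append((r["icmp_type"], r["hl_eq"]))
    return findings


# Constructed sample: one correct rule, one missing the match, one carrying the
# '64' value from the typo discussed in the thread, and one non-NDP type.
SAMPLE_RULES = """
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 64 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
"""

if __name__ == "__main__":
    for icmp_type, hl in audit_ndp_rules(SAMPLE_RULES):
        print(f"{icmp_type}: hop-limit match is {hl}, expected 255")
```

Run it against the contents of /etc/ufw/before6.rules to confirm the rules shipped on a host carry the 255 match for every NDP type.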

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.24

---------------
ufw (0.24) jaunty; urgency=low

  * debian/rules: check for 'nocheck' in DEB_BUILD_OPTIONS
  * debian/postrm: don't fail if iptables or ip6tables fails (LP: #278670)
  * fix typo in error message (LP: #280348)
  * allow case-insensitive matches for application rules (LP: #263757). Based
    on work by Didier Roche
  * add skel-ui for UI example
  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * before6.rules: adjust hop limit to 255 for NDP messages (LP: #299268) per
    RFC 4890 section 4.2. Thanks to Ryan Giobbi
  * before6.rules: restrict multicast (LP: #304216). Thanks to Ryan Giobbi
  * before.rules: don't use ctstate as it is not supported on all kernels and
    we don't use the extra information anyway (LP: #289906)
  * fix translations for input strings (LP: #302426)
  * update ucf md5sums for before.rules and before6.rules
  * adjust root/destructive tests for when we can't unmount /proc

 -- Jamie Strandboge <email address hidden> Fri, 12 Dec 2008 13:43:11 -0500

Changed in ufw:
status: Fix Committed → Fix Released