User deny rules should override connection tracking
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw | Won't Fix | Wishlist | Unassigned | |
| ufw (Ubuntu) | Won't Fix | Wishlist | Unassigned | |
Bug Description
Binary package hint: ufw
AIUI, netfilter matching stops at the first ACCEPT rule. Ufw accepts "established" connections in the before-input rules:
```
# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
```
so this happens before any user rules. But I want to be able to do this:
```sh
ufw default deny
ufw allow in from 192.168.0.0/24   # allow ssh etc. from computers on the home network
ufw deny in proto tcp to any port 1:1023
```
and have it deny incoming connections to the privileged ports _even if the connection tracker thinks they should be allowed_. I believe this could be achieved by moving the ESTABLISHED rule to after-input.
I want to be able to override connection tracking because there's always going to be the possibility that it will get things wrong. In particular, there has been a recent claim that Linux-based firewalls can be penetrated simply by visiting a malicious web page. I don't know whether this specific claim applies to Ubuntu, but I shouldn't have to worry about this class of attacks.
<http://
<http://
[I've not marked this bug as a security vulnerability, since fixing it won't improve the default security. Unless of course you decide to provide my rules as a default, but I don't suppose that's very likely].
Thank you for using Ubuntu and taking the time to report a bug. I'll need to look at this more before considering making changes, but I did want to say in the meantime that /etc/ufw/*.rules are there for you as an administrator to adjust as necessary for your site requirements. Feel free to remove those lines from before.rules and adjust after.rules to have:
```
-A ufw-after-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-after-output -m state --state RELATED,ESTABLISHED -j ACCEPT
```
For large rulesets, this may affect performance, but I imagine in most ufw setups it won't make any appreciable difference. Thanks again and report back how this works out for you.
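As an added illustration (not code from the report, the reply, or ufw itself), a small Python model of the chain order both messages describe: the stock layout with the conntrack ACCEPT in before-input, and the suggested layout with it moved to after-input, evaluated against the reporter's user rules. The packets and the 203.0.113.5 address are constructed; the `rule`, `matches` and `verdict` helpers are this example's own simplification, not a netfilter API.

```python
"""Simplified model of how ufw's INPUT path walks its chains (before -> user ->
after) with first-match semantics. Constructed for this bug report, not ufw's
own code; only the state, source-network and destination-port matches the
report discusses are modelled."""
import ipaddress

# ufw's INPUT hook jumps through these chains in this order.
CHAIN_ORDER = ["ufw-before-input", "ufw-user-input", "ufw-after-input"]
ESTABLISHED = ("RELATED", "ESTABLISHED")


def rule(chain, target, state=None, src=None, dports=None):
    """One rule: match on conntrack state, source network and/or a port range."""
    return {"chain": chain, "target": target, "state": state, "src": src, "dports": dports}


def matches(r, pkt):
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["dports"] and not (r["dports"][0] <= pkt["dport"] <= r["dports"][1]):
        return False
    return True


def verdict(rules, pkt, default="DROP"):
    """First matching rule wins, chains walked in CHAIN_ORDER; else the deny policy."""
    for chain in CHAIN_ORDER:
        for r in rules:
            if r["chain"] == chain and matches(r, pkt):
                return r["target"]
    return default


# The reporter's user rules: allow the home LAN, deny the privileged TCP ports.
USER_RULES = [
    rule("ufw-user-input", "ACCEPT", src="192.168.0.0/24"),
    rule("ufw-user-input", "DROP", dports=(1, 1023)),
]
# Stock layout: conntrack ACCEPT in before.rules, ahead of the user rules.
STOCK = [rule("ufw-before-input", "ACCEPT", state=ESTABLISHED)] + USER_RULES
# Layout suggested in the reply: conntrack ACCEPT moved to after.rules.
MOVED = USER_RULES + [rule("ufw-after-input", "ACCEPT", state=ESTABLISHED)]

# Constructed packets: conntrack calls the first one ESTABLISHED although it comes
# from outside the LAN and targets port 22; the second is a fresh LAN connection.
TRACKED_OUTSIDE = {"state": "ESTABLISHED", "src": "203.0.113.5", "dport": 22}
NEW_FROM_LAN = {"state": "NEW", "src": "192.168.0.10", "dport": 22}

if __name__ == "__main__":
    print("stock layout:", verdict(STOCK, TRACKED_OUTSIDE))  # ACCEPT
    print("moved layout:", verdict(MOVED, TRACKED_OUTSIDE))  # DROP
```

With the ACCEPT moved to after-input, traffic the user rules do not mention (for example an established flow to an unprivileged port) is still fast-pathed, so the only cost is that every packet now traverses the user chain first.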