diff -Nru ufw-0.34~rc/debian/before6.rules.md5sum ufw-0.34~rc/debian/before6.rules.md5sum
--- ufw-0.34~rc/debian/before6.rules.md5sum 2014-02-19 20:46:22.000000000 +0000
+++ ufw-0.34~rc/debian/before6.rules.md5sum 2014-02-28 14:58:47.000000000 +0000
@@ -5,3 +5,4 @@
 328286ed8c23b67cee3e5c1bccae8540 /usr/share/ufw/before6.rules
 0ad4a3e3e5fe552ee7f72e6b8e074365 /usr/share/ufw/before6.rules
 223263b7a9e98a233cb10ad8d62baa67 /usr/share/ufw/before6.rules
+60adbb20185004d2e33cd4ffb4ef607c /usr/share/ufw/before6.rules
diff -Nru ufw-0.34~rc/debian/before.rules.md5sum ufw-0.34~rc/debian/before.rules.md5sum
--- ufw-0.34~rc/debian/before.rules.md5sum 2014-02-19 20:46:54.000000000 +0000
+++ ufw-0.34~rc/debian/before.rules.md5sum 2014-02-28 14:57:41.000000000 +0000
@@ -5,3 +5,4 @@
 e30217e2a69b3da17edaf2b54374fe4f /usr/share/ufw/before.rules
 8e482ff92456fcb9ea15ecbd96ea8cf5 /usr/share/ufw/before.rules
 56d63ca8194e54030efb54141f42b32c /usr/share/ufw/before.rules
+5fee8ec1341cebdd2d20c4946ef3cb5b /usr/share/ufw/before.rules
diff -Nru ufw-0.34~rc/debian/changelog ufw-0.34~rc/debian/changelog
--- ufw-0.34~rc/debian/changelog 2014-02-20 15:24:05.000000000 +0000
+++ ufw-0.34~rc/debian/changelog 2014-02-28 15:01:14.000000000 +0000
@@ -1,3 +1,20 @@
+ufw (0.34~rc-0ubuntu2) trusty; urgency=medium
+
+ * debian/patches/0002-lp1078665.patch: distinguish between v4 and v6 rules
+ when both addresses are 'any' (LP: #1078665). This can be dropped with
+ 0.34 release.
+ * debian/ufw.postinst:
+ - drop old reload of policy for upgrades to 0.30.1-2
+ - add new ufw[6]-track-forward primary chains on upgrade
+ * debian/patches/0003-manpage-hook-path.patch: update locations of hook
+ scripts. This can be dropped with 0.34 release.
+ * debian/patches/0004-add-safe-icmp-to-forward.patch: update before*.rules
+ to add safe icmp to ufw-before-forward. This can be dropped with 0.34
+ release.
+ * debian/before[6].rules.md5sum: adjusted for new release
+
+ -- Jamie Strandboge Fri, 28 Feb 2014 08:59:13 -0600
+
 ufw (0.34~rc-0ubuntu1) trusty; urgency=medium
 
 * New upstream pre-release (LP: #1059060, #1065297, #1062521, #1101304,
diff -Nru ufw-0.34~rc/debian/patches/0002-lp1078665.patch ufw-0.34~rc/debian/patches/0002-lp1078665.patch
--- ufw-0.34~rc/debian/patches/0002-lp1078665.patch 1970-01-01 00:00:00.000000000 +0000
+++ ufw-0.34~rc/debian/patches/0002-lp1078665.patch 2014-02-21 00:18:55.000000000 +0000
@@ -0,0 +1,209 @@
+Origin: r853
+Description: distinguish between v4 and v6 rules when both addresses are 'any'
+Bug: https://launchpad.net/bugs/1078665
+
+Index: ufw-0.34~rc/src/backend_iptables.py
+===================================================================
+--- ufw-0.34~rc.orig/src/backend_iptables.py 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/src/backend_iptables.py 2014-02-20 18:18:06.685653427 -0600
+@@ -364,6 +364,11 @@
+ if show_proto and r.protocol != "any" and \
+ r.dport == r.sport:
+ location[loc] += "/" + r.protocol
++ elif r.v6 and r.src == "::/0" and r.dst == "::/0" \
++ and ' (v6)' not in location[loc]:
++ # Add v6 if have port but no addresses so it doesn't look
++ # a duplicate of the v4 rule
++ location[loc] += " (v6)"
+ 
+ # Reporting the interfaces is different in route rules and
+ # non-route rules. With route rules, the reporting should be
+Index: ufw-0.34~rc/tests/root/bugs/result
+===================================================================
+--- ufw-0.34~rc.orig/tests/root/bugs/result 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/tests/root/bugs/result 2014-02-20 18:18:06.685653427 -0600
+@@ -333,10 +333,10 @@
+ [ 2] 2 ALLOW IN Anywhere
+ [ 3] 3 ALLOW IN Anywhere
+ [ 4] 4 ALLOW IN Anywhere
+-[ 5] 1 ALLOW IN Anywhere (v6)
+-[ 6] 2 ALLOW IN Anywhere (v6)
+-[ 7] 3 ALLOW IN Anywhere (v6)
+-[ 8] 4 ALLOW IN Anywhere (v6)
++[ 5] 1 (v6) ALLOW IN Anywhere (v6)
++[ 6] 2 (v6) ALLOW IN Anywhere (v6)
++[ 7] 3 (v6) ALLOW IN Anywhere (v6)
++[ 8] 4 (v6) ALLOW IN Anywhere (v6)
+ 
+ 
+ 
+Index: ufw-0.34~rc/tests/root/live_apps/result
+===================================================================
+--- ufw-0.34~rc.orig/tests/root/live_apps/result 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/tests/root/live_apps/result 2014-02-20 18:18:06.685653427 -0600
+@@ -84,8 +84,8 @@
+ Samba (v6) ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW Samba (v6)
+ Samba (v6) ALLOW Bind9 (v6)
+-Samba (v6) ALLOW 22
+-Apache (v6) ALLOW 88
++Samba (v6) ALLOW 22 (v6)
++Apache (v6) ALLOW 88 (v6)
+ 2001:db8::/32 Samba ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW 2001:db8::/32 Samba
+ 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9
+@@ -120,9 +120,9 @@
+ Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6))
+ 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6))
+ 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6))
+-137,138/udp (Samba (v6)) ALLOW IN 22/udp
+-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp
+-80/tcp (Apache (v6)) ALLOW IN 88/tcp
++137,138/udp (Samba (v6)) ALLOW IN 22/udp (v6)
++139,445/tcp (Samba (v6)) ALLOW IN 22/tcp (v6)
++80/tcp (Apache (v6)) ALLOW IN 88/tcp (v6)
+ 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6)
+ 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6)
+ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba)
+@@ -459,8 +459,8 @@
+ Samba (v6) ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW Samba (v6)
+ Samba (v6) ALLOW Bind9 (v6)
+-Samba (v6) ALLOW 22
+-Apache (v6) ALLOW 88
++Samba (v6) ALLOW 22 (v6)
++Apache (v6) ALLOW 88 (v6)
+ 2001:db8::/32 Samba ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW 2001:db8::/32 Samba
+ 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9
+@@ -495,9 +495,9 @@
+ Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6))
+ 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6))
+ 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6))
+-137,138/udp (Samba (v6)) ALLOW IN 22/udp
+-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp
+-80/tcp (Apache (v6)) ALLOW IN 88/tcp
++137,138/udp (Samba (v6)) ALLOW IN 22/udp (v6)
++139,445/tcp (Samba (v6)) ALLOW IN 22/tcp (v6)
++80/tcp (Apache (v6)) ALLOW IN 88/tcp (v6)
+ 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6)
+ 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6)
+ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba)
+@@ -538,8 +538,8 @@
+ Samba (v6) ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW Samba (v6)
+ Samba (v6) ALLOW Bind9 (v6)
+-Samba (v6) ALLOW 22
+-Apache (v6) ALLOW 88
++Samba (v6) ALLOW 22 (v6)
++Apache (v6) ALLOW 88 (v6)
+ 2001:db8::/32 Samba ALLOW Anywhere (v6)
+ Anywhere (v6) ALLOW 2001:db8::/32 Samba
+ 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9
+@@ -574,9 +574,9 @@
+ Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6))
+ 138,9999/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6))
+ 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6))
+-138,9999/udp (Samba (v6)) ALLOW IN 22/udp
+-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp
+-8888/tcp (Apache (v6)) ALLOW IN 88/tcp
++138,9999/udp (Samba (v6)) ALLOW IN 22/udp (v6)
++139,445/tcp (Samba (v6)) ALLOW IN 22/tcp (v6)
++8888/tcp (Apache (v6)) ALLOW IN 88/tcp (v6)
+ 2001:db8::/32 138,9999/udp (Samba) ALLOW IN Anywhere (v6)
+ 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6)
+ Anywhere (v6) ALLOW IN 2001:db8::/32 138,9999/udp (Samba)
+Index: ufw-0.34~rc/tests/root/live/result
+===================================================================
+--- ufw-0.34~rc.orig/tests/root/live/result 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/tests/root/live/result 2014-02-20 18:18:06.685653427 -0600
+@@ -104,10 +104,10 @@
+ 514/udp DENY 1.2.3.4
+ 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp
+ 22/tcp LIMIT Anywhere
+-53 ALLOW Anywhere (v6)
+-23/tcp ALLOW Anywhere (v6)
+-25/tcp ALLOW Anywhere (v6)
+-80/tcp DENY Anywhere (v6)
++53 (v6) ALLOW Anywhere (v6)
++23/tcp (v6) ALLOW Anywhere (v6)
++25/tcp (v6) ALLOW Anywhere (v6)
++80/tcp (v6) DENY Anywhere (v6)
+ 25/tcp DENY 2001:db8::/32
+ 2001:db8:3:4:5:6:7:8 DENY 2001:db8::/32 26
+ 
+@@ -476,9 +476,9 @@
+ 113 REJECT Anywhere
+ 114/tcp REJECT Anywhere
+ 115/udp REJECT Anywhere
+-113 REJECT Anywhere (v6)
+-114/tcp REJECT Anywhere (v6)
+-115/udp REJECT Anywhere (v6)
++113 (v6) REJECT Anywhere (v6)
++114/tcp (v6) REJECT Anywhere (v6)
++115/udp (v6) REJECT Anywhere (v6)
+ 
+ 
+ 
+@@ -700,10 +700,10 @@
+ [ 9] 514/udp DENY IN 1.2.3.4
+ [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp
+ [11] 22/tcp LIMIT IN Anywhere
+-[12] 53 ALLOW IN Anywhere (v6)
+-[13] 23/tcp ALLOW IN Anywhere (v6)
+-[14] 25/tcp ALLOW IN Anywhere (v6)
+-[15] 80/tcp DENY IN Anywhere (v6)
++[12] 53 (v6) ALLOW IN Anywhere (v6)
++[13] 23/tcp (v6) ALLOW IN Anywhere (v6)
++[14] 25/tcp (v6) ALLOW IN Anywhere (v6)
++[15] 80/tcp (v6) DENY IN Anywhere (v6)
+ [16] 25/tcp DENY IN 2001:db8::/32
+ [17] 2001:db8:3:4:5:6:7:8 DENY IN 2001:db8::/32 26
+ 
+Index: ufw-0.34~rc/tests/root/live_route/result
+===================================================================
+--- ufw-0.34~rc.orig/tests/root/live_route/result 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/tests/root/live_route/result 2014-02-20 18:18:06.685653427 -0600
+@@ -93,10 +93,10 @@
+ 514/udp DENY FWD 1.2.3.4
+ 1.2.3.4 5469/udp ALLOW FWD 1.2.3.5 5469/udp
+ 22/tcp LIMIT FWD Anywhere
+-53 ALLOW FWD Anywhere (v6)
+-23/tcp ALLOW FWD Anywhere (v6)
+-25/tcp ALLOW FWD Anywhere (v6)
+-80/tcp DENY FWD Anywhere (v6)
++53 (v6) ALLOW FWD Anywhere (v6)
++23/tcp (v6) ALLOW FWD Anywhere (v6)
++25/tcp (v6) ALLOW FWD Anywhere (v6)
++80/tcp (v6) DENY FWD Anywhere (v6)
+ 25/tcp DENY FWD 2001:db8::/32
+ 2001:db8:3:4:5:6:7:8 DENY FWD 2001:db8::/32 26
+ 
+@@ -444,9 +444,9 @@
+ 113 REJECT FWD Anywhere
+ 114/tcp REJECT FWD Anywhere
+ 115/udp REJECT FWD Anywhere
+-113 REJECT FWD Anywhere (v6)
+-114/tcp REJECT FWD Anywhere (v6)
+-115/udp REJECT FWD Anywhere (v6)
++113 (v6) REJECT FWD Anywhere (v6)
++114/tcp (v6) REJECT FWD Anywhere (v6)
++115/udp (v6) REJECT FWD Anywhere (v6)
+ 
+ 
+ 
+@@ -668,10 +668,10 @@
+ [ 9] 514/udp DENY FWD 1.2.3.4
+ [10] 1.2.3.4 5469/udp ALLOW FWD 1.2.3.5 5469/udp
+ [11] 22/tcp LIMIT FWD Anywhere
+-[12] 53 ALLOW FWD Anywhere (v6)
+-[13] 23/tcp ALLOW FWD Anywhere (v6)
+-[14] 25/tcp ALLOW FWD Anywhere (v6)
+-[15] 80/tcp DENY FWD Anywhere (v6)
++[12] 53 (v6) ALLOW FWD Anywhere (v6)
++[13] 23/tcp (v6) ALLOW FWD Anywhere (v6)
++[14] 25/tcp (v6) ALLOW FWD Anywhere (v6)
++[15] 80/tcp (v6) DENY FWD Anywhere (v6)
+ [16] 25/tcp DENY FWD 2001:db8::/32
+ [17] 2001:db8:3:4:5:6:7:8 DENY FWD 2001:db8::/32 26
+ 
diff -Nru ufw-0.34~rc/debian/patches/0003-manpage-hook-path.patch
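Review bot: The new `elif` in the backend_iptables.py hunk is chained to `if show_proto and r.protocol != "any" and r.dport == r.sport:`, so a v6 rule with both addresses at `::/0` that takes the protocol branch gets its `/proto` suffix but never the ` (v6)` tag; if the tag is meant to disambiguate every such rule, make it an independent `if r.v6 and r.src == "::/0" and r.dst == "::/0" and ' (v6)' not in location[loc]:` placed after the protocol block. The updated expected results only show rules whose ports differ (e.g. `22/tcp (v6)`, `53 (v6)`), so the equal-port case appears to be untested. The `' (v6)' not in location[loc]` guard is a substring test on display text, which would also suppress the tag when an application name itself contains ` (v6)`; a boolean set at the point the tag is appended would be more precise. The enclosing function starts and ends outside the hunk, so whether `show_proto` is false in the tested cases cannot be confirmed from here.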
ufw-0.34~rc/debian/patches/0003-manpage-hook-path.patch
--- ufw-0.34~rc/debian/patches/0003-manpage-hook-path.patch 1970-01-01 00:00:00.000000000 +0000
+++ ufw-0.34~rc/debian/patches/0003-manpage-hook-path.patch 2014-02-24 15:22:44.000000000 +0000
@@ -0,0 +1,20 @@
+Origin: r855
+Description: doc/ufw-framework.8: update locations of hook scripts
+
+Index: ufw-0.34~rc/doc/ufw-framework.8
+===================================================================
+--- ufw-0.34~rc.orig/doc/ufw-framework.8 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/doc/ufw-framework.8 2014-02-24 09:22:13.410706850 -0600
+@@ -21,10 +21,10 @@
+ #STATE_PREFIX#/ufw\-init
+ initialization script
+ .TP
+-#CONFIG_PREFIX#/before.init
++#CONFIG_PREFIX#/ufw/before.init
+ initialization customization script run before ufw is initialized
+ .TP
+-#CONFIG_PREFIX#/after.init
++#CONFIG_PREFIX#/ufw/after.init
+ initialization customization script run after ufw is initialized
+ .TP
+ #CONFIG_PREFIX#/ufw/before[6].rules
diff -Nru ufw-0.34~rc/debian/patches/0004-add-safe-icmp-to-forward.patch ufw-0.34~rc/debian/patches/0004-add-safe-icmp-to-forward.patch
--- ufw-0.34~rc/debian/patches/0004-add-safe-icmp-to-forward.patch 1970-01-01 00:00:00.000000000 +0000
+++ ufw-0.34~rc/debian/patches/0004-add-safe-icmp-to-forward.patch 2014-02-28 14:57:01.000000000 +0000
@@ -0,0 +1,146 @@
+Origin: r856 - 858
+Description: update before*.rules to add safe icmp to ufw-before-forward,
+ update doc/ufw.8 to describe the defaults, update section on default policy
+ in README
+
+Index: ufw-0.34~rc/conf/before6.rules
+===================================================================
+--- ufw-0.34~rc.orig/conf/before6.rules 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/conf/before6.rules 2014-02-28 08:55:52.064702418 -0600
+@@ -46,13 +46,20 @@
+ -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
+ -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
+ 
+-# ok icmp codes
++# ok icmp codes for INPUT
+ -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ -A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ -A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ -A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ 
++# ok icmp code for FORWARD
++-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
++-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
++-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
++-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
++-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
++
+ # allow dhcp client to work
+ -A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
+ 
+Index: ufw-0.34~rc/conf/before.rules
+===================================================================
+--- ufw-0.34~rc.orig/conf/before.rules 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/conf/before.rules 2014-02-28 08:55:52.064702418 -0600
+@@ -30,13 +30,20 @@
+ -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+ -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+ 
+-# ok icmp codes
++# ok icmp codes for INPUT
+ -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+ -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
+ -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+ -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+ -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+ 
++# ok icmp code for FORWARD
++-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
++-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
++-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
++-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
++-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
++
+ # allow dhcp client to work
+ -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+ 
+Index: ufw-0.34~rc/doc/ufw.8
+===================================================================
+--- ufw-0.34~rc.orig/doc/ufw.8 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/doc/ufw.8 2014-02-28 08:55:52.064702418 -0600
+@@ -431,7 +431,27 @@
+ .PP
+ On installation, \fBufw\fR is disabled with a default incoming policy of deny,
+ a default forward policy of deny, and a default outgoing policy of allow, with
+-stateful tracking for NEW connections.
++stateful tracking for NEW connections for incoming and forwarded connections.
++In addition to the above, a default ruleset is put in place that does the
++following:
++.TP
++- DROP packets with RH0 headers
++.TP
++- DROP INVALID packets
++.TP
++- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded, parameter-problem, and echo-request for IPv6.
++.TP
++- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)
++.TP
++- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)
++.TP
++- ACCEPT DHCP client traffic (INPUT)
++.TP
++- DROP non-local traffic (INPUT)
++.TP
++- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)
++.TP
++- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)
+ 
+ .PP
+ Rule ordering is important and the first match wins. Therefore when adding
+@@ -439,7 +459,7 @@
+ .PP
+ \fBufw\fR is not intended to provide complete firewall functionality via
+ its command interface, but instead provides an easy way to add or remove
+-simple rules. It is currently mainly used for host\-based firewalls.
++simple rules.
+ .PP
+ The status command shows basic information about the state of the firewall, as
+ well as rules managed via the \fBufw\fR command. It does not show rules from the
+@@ -480,8 +500,9 @@
+ ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah
+ .PP
+ In addition to the command\-line interface, \fBufw\fR also provides a
+-framework which allows administrators to take full advantage of netfilter.
+-See the \fBufw\-framework\fR manual page for more information.
++framework which allows administrators to modify default behavior as well as
++take full advantage of netfilter. See the \fBufw\-framework\fR manual page for
++more information.
+ 
+ .SH SEE ALSO
+ .PP
+Index: ufw-0.34~rc/README
+===================================================================
+--- ufw-0.34~rc.orig/README 2014-02-20 14:17:17.000000000 -0600
++++ ufw-0.34~rc/README 2014-02-28 08:55:52.064702418 -0600
+@@ -239,22 +239,19 @@
+ - ACCEPT all RELATED and ESTABLISHED on FORWARD (ip forwarding must be enabled
+ via sysctl for this to be in effect)
+ - DROP INVALID packets (packets not associated with a known connection)
+-- ACCEPT certain icmp packets:
++- ACCEPT certain icmp packets (INPUT and FORWARD):
+ - destination-unreachable, source-quench, time-exceeded, parameter-problem,
+ and echo-request for IPv4
+- - neighbor-solicitation, neighbor-advertisement, router-solicitation,
+- destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
++ - destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
+ and echo-request
++- ACCEPT certain icmpv6 packets for stateless autoconfiguration (INPUT):
++ neighbor-solicitation, neighbor-advertisement, router-solicitation
+ - ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for
+- IPv6) for service discovery
++ IPv6) for service discovery (INPUT)
+ - ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service
+- discovery
+-- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses
+-- DROP non-local, broadcast and multicast traffic
+-- ACCEPT DHCP client traffic
+-- Silently DROP SMB/CIFS traffic
+-- Silently DROP DHCP traffic not associated with host's use of DHCP client
+-- Silently DROP BROADCAST (IPv4) traffic
++ discovery (INPUT)
++- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)
++- ACCEPT DHCP client traffic (INPUT)
+ - Log all blocked packets not matching the default policy with rate limiting
+ 
+ If you are using a packaged version of ufw supplied by your distribution, the
diff -Nru ufw-0.34~rc/debian/patches/series ufw-0.34~rc/debian/patches/series
---
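Review bot: The new ufw.8 line `- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)` carries a wrong prefix: IPv6 link-local is `fe80::/10` (the prefix the before6.rules DHCP rule in this same patch uses), while `ffe8::/10` falls inside multicast space; the README context line it was copied from has the same error and is worth correcting in the same patch. The new comment `# ok icmp code for FORWARD` in both before.rules and before6.rules should read `# ok icmp codes for FORWARD` to match the INPUT comment above it. Because these accepts live in `ufw-before-forward`/`ufw6-before-forward`, which by name precede user rules (the ufw.8 context states first match wins), an administrator can presumably no longer deny these ICMP types with `ufw route` rules without editing before*.rules, and the added ufw.8 list would be the natural place to say so. Forwarding IPv4 `source-quench` is also questionable given RFC 6633 deprecated it, though the existing INPUT rule already accepts it.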
ufw-0.34~rc/debian/patches/series 2014-02-19 20:43:12.000000000 +0000
+++ ufw-0.34~rc/debian/patches/series 2014-02-28 14:55:11.000000000 +0000
@@ -1 +1,4 @@
 0001-optimize-boot.patch
+0002-lp1078665.patch
+0003-manpage-hook-path.patch
+0004-add-safe-icmp-to-forward.patch
diff -Nru ufw-0.34~rc/debian/ufw.postinst ufw-0.34~rc/debian/ufw.postinst
--- ufw-0.34~rc/debian/ufw.postinst 2014-02-20 14:22:02.000000000 +0000
+++ ufw-0.34~rc/debian/ufw.postinst 2014-02-21 00:14:50.000000000 +0000
@@ -53,6 +53,24 @@
 fi
 }
 
+# If a primary chain is added to upstream, we should add it on upgrade so
+# reload works correctly
+add_primary_chain() {
+ chain="$1"
+ builtin="$2"
+ ver="$3"
+
+ exe="iptables"
+ if [ "$ver" = "6" ]; then
+ exe="ip6tables"
+ fi
+ if $exe -L "$chain" -n >/dev/null 2>&1 ; then
+ return
+ fi
+ $exe -N "$chain" || true
+ $exe -A "$builtin" -j "$chain" || true
+}
+
 case "$1" in
 configure)
 # these files are required, but don't want to change them if
@@ -110,10 +128,10 @@
 # try to use iptables, which breaks the installer
 enable_ufw "$enabled"
 
-# reload the firewall for IPv6 enabled by default
-if [ "$enabled" = "true" ] && [ ! -z "$2" ] && dpkg --compare-versions "$2" lt "0.30.1-2" ; then
-/lib/ufw/ufw-init stop || true
-/lib/ufw/ufw-init start || true
+# add new primary chains on upgrade
+if [ "$enabled" = "true" ] && [ ! -z "$2" ] && dpkg --compare-versions "$2" lt "0.34~rc-0ubuntu2" ; then
+add_primary_chain ufw-track-forward FORWARD
+add_primary_chain ufw6-track-forward FORWARD 6
 fi
 ;;
 triggered)
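Review bot: In `add_primary_chain`, any non-zero exit from `$exe -L "$chain" -n` is read as "chain missing", so when `ip6tables` or the netfilter modules are unusable the function still runs `$exe -N` and `$exe -A` with both failures hidden by `|| true`; probing the tool first, e.g. `$exe -L -n >/dev/null 2>&1 || return`, keeps the postinst non-fatal without attempting chain creation on a backend that cannot work. `chain`, `builtin`, `ver` and `exe` are assigned as script-wide globals; `local chain="$1"` (and likewise for the other three) is supported by dash and bash and avoids clobbering names used elsewhere in the script. `$exe -A "$builtin" -j "$chain"` appends the jump after every existing FORWARD jump, which may differ from the position a fresh install or a reload gives it; if that ordering matters before the next reload, the comment above the function should say so.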
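Review bot: The upgrade branch calls `add_primary_chain ufw6-track-forward FORWARD 6` whenever `$enabled` is true, without consulting ufw's IPV6 setting in /etc/default/ufw (not visible in this hunk), so on a host where ufw is not managing ip6tables it may still create a `ufw6-track-forward` chain and a FORWARD jump to it that ufw does not otherwise own; guarding the v6 call on that setting, or on `ip6tables -L ufw6-before-forward -n` succeeding, would keep ip6tables state aligned with what ufw manages. The condition `dpkg --compare-versions "$2" lt "0.34~rc-0ubuntu2"` is right for this version but is a one-shot that must be bumped each time upstream adds a primary chain; a short comment saying so next to it would help the next maintainer. The `configure)` case arm starts outside the hunk.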