committing changes in /etc after apt run

Package changes:
-busybox-initramfs 1:1.27.2-2ubuntu3.1 amd64
-busybox-static 1:1.27.2-2ubuntu3.1 amd64
+busybox-initramfs 1:1.27.2-2ubuntu3.2 amd64
+busybox-static 1:1.27.2-2ubuntu3.2 amd64
-gir1.2-polkit-1.0 0.105-20ubuntu0.18.04.4 amd64
+gir1.2-polkit-1.0 0.105-20ubuntu0.18.04.5 amd64
-libpolkit-agent-1-0 0.105-20ubuntu0.18.04.4 amd64
-libpolkit-backend-1-0 0.105-20ubuntu0.18.04.4 amd64
-libpolkit-gobject-1-0 0.105-20ubuntu0.18.04.4 amd64
+libpolkit-agent-1-0 0.105-20ubuntu0.18.04.5 amd64
+libpolkit-backend-1-0 0.105-20ubuntu0.18.04.5 amd64
+libpolkit-gobject-1-0 0.105-20ubuntu0.18.04.5 amd64
-policykit-1 0.105-20ubuntu0.18.04.4 amd64
+policykit-1 0.105-20ubuntu0.18.04.5 amd64
-ufw 0.35-5 all
+ufw 0.36-0ubuntu0.18.04.1 all

diff --git a/default/ufw b/default/ufw
index 665806f3e35e6e91554a11671264eeb5ab5d7d83..83c9ac3e6f1627e3c99e79f4ffb739cee8a9f970 100644 (file)
--- a/default/ufw
+++ b/default/ufw
@@ -41,5 +41,6 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
 # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
 # nf_conntrack_ftp, nf_nat_ftp: active FTP support
 # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
+# nf_conntrack_sane: sane support
 IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
 

diff --git a/ufw/before.rules b/ufw/before.rules
index 0addd54c6368b6e3f8a085793a7d60c7d37923d5..23b384eb0676383c95f44d8ffc64daa679767959 100644 (file)
--- a/ufw/before.rules
+++ b/ufw/before.rules
@@ -32,14 +32,12 @@
 
 # ok icmp codes for INPUT
 -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
 
 # ok icmp code for FORWARD
 -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

diff --git a/ufw/before6.rules b/ufw/before6.rules
index 30e90c7dbd9d49a24ef24609cc6291dfbd044c1e..abebbe74dced61d3bfcf38c7815011b7d483c5f5 100644 (file)
--- a/ufw/before6.rules
+++ b/ufw/before6.rules
@@ -30,6 +30,11 @@
 -A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
+# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
+# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
+# be marked INVALID, so allow here instead.
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
 # drop INVALID packets (logs these in loglevel medium and higher)
 -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
 -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
@@ -39,10 +44,9 @@
 -A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
 # codes 0 and 1
 -A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-# codes 0-2
+# codes 0-2 (echo-reply needs to be before INVALID, see above)
 -A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT