From f4e869748f21a408536eab7903e137fa4dff7a25 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 3 Apr 2019 20:39:11 +0200
Subject: [PATCH] committing changes in /etc after apt run
Package changes:
-busybox-initramfs 1:1.27.2-2ubuntu3.1 amd64
-busybox-static 1:1.27.2-2ubuntu3.1 amd64
+busybox-initramfs 1:1.27.2-2ubuntu3.2 amd64
+busybox-static 1:1.27.2-2ubuntu3.2 amd64
-gir1.2-polkit-1.0 0.105-20ubuntu0.18.04.4 amd64
+gir1.2-polkit-1.0 0.105-20ubuntu0.18.04.5 amd64
-libpolkit-agent-1-0 0.105-20ubuntu0.18.04.4 amd64
-libpolkit-backend-1-0 0.105-20ubuntu0.18.04.4 amd64
-libpolkit-gobject-1-0 0.105-20ubuntu0.18.04.4 amd64
+libpolkit-agent-1-0 0.105-20ubuntu0.18.04.5 amd64
+libpolkit-backend-1-0 0.105-20ubuntu0.18.04.5 amd64
+libpolkit-gobject-1-0 0.105-20ubuntu0.18.04.5 amd64
-policykit-1 0.105-20ubuntu0.18.04.4 amd64
+policykit-1 0.105-20ubuntu0.18.04.5 amd64
-ufw 0.35-5 all
+ufw 0.36-0ubuntu0.18.04.1 all
---
 default/ufw | 1 +
 ufw/before.rules | 2 --
 ufw/before6.rules | 8 ++++++--
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/default/ufw b/default/ufw
index 665806f..83c9ac3 100644
--- a/default/ufw
+++ b/default/ufw
@@ -41,5 +41,6 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
 # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
 # nf_conntrack_ftp, nf_nat_ftp: active FTP support
 # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
+# nf_conntrack_sane: sane support
 IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
diff --git a/ufw/before.rules b/ufw/before.rules
index 0addd54..23b384e 100644
--- a/ufw/before.rules
+++ b/ufw/before.rules
@@ -32,14 +32,12 @@
 # ok icmp codes for INPUT
 -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
 -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
 # ok icmp code for FORWARD
 -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
 -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
diff --git a/ufw/before6.rules b/ufw/before6.rules
index 30e90c7..abebbe7 100644
--- a/ufw/before6.rules
+++ b/ufw/before6.rules
@@ -30,6 +30,11 @@
 -A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
+# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
+# be marked INVALID, so allow here instead.
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 # drop INVALID packets (logs these in loglevel medium and higher)
 -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
 -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
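Review bot: The comment added above the new echo-reply rule in before6.rules reads "and are otherwise be marked INVALID", which is ungrammatical; suggest `# 4.4.1 and 4.4.2), but don't have an associated connection and would otherwise` followed by `# be marked INVALID, so allow them here instead.`. The same comment should also spell out what the placement costs: the rule sits ahead of the `--ctstate INVALID` lines and carries no conntrack match of its own, so every incoming ICMPv6 echo-reply is now accepted, solicited or not, whereas before this change an unsolicited reply reached ufw6-logging-deny and DROP; a trailing `# (note: this also admits unsolicited echo-replies)` would make that trade-off visible to whoever tunes the INVALID handling later. Judging by the package list in the commit message (ufw 0.35-5 to 0.36), this looks like the packaged before6.rules arriving with the upgrade rather than a local edit, so the wording fix would belong upstream or in a local override rather than in this etckeeper commit.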
@@ -39,10 +44,9 @@
 -A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
 # codes 0 and 1
 -A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-# codes 0-2
+# codes 0-2 (echo-reply needs to be before INVALID, see above)
 -A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-- 
2.39.5
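Review bot: The parenthetical appended to `# codes 0-2` attaches the echo-reply cross-reference to the parameter-problem rule that comment annotates, so a reader now sees "codes 0-2" and "echo-reply" on one line although the two are unrelated. Keep `# codes 0-2` unchanged and put the cross-reference where the echo-reply rule used to be, i.e. after the echo-request line: `# echo-reply is accepted earlier in this chain, ahead of the INVALID drop (see above)`. That also keeps the per-type comment pattern of this block (one remark per rule it describes) intact for the next person grepping the file for echo-reply.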