[SOLVED] ufw blocking RST and ACK packets when rules should allow it.
- 08-31-2010 #1
Hello all,
I've set up ufw rules on my system but noticed that the rule I created to allow traffic from my local network is still dropping some RST and ACK packets.
Here's part of the output of dmesg:
[43627.361500] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2210 PROTO=TCP SPT=59521 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43647.118603] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=35357 PROTO=TCP SPT=59461 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43666.856684] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1261 PROTO=TCP SPT=59388 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43686.844727] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=39390 PROTO=TCP SPT=59314 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43706.741870] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5719 PROTO=TCP SPT=59248 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43726.989422] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=25190 PROTO=TCP SPT=59154 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[43747.003785] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=10602 PROTO=TCP SPT=59062 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[60215.002233] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27623 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=62804 RES=0x00 ACK URGP=0
[60215.002300] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5896 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=65535 RES=0x00 ACK URGP=0
[60215.002360] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6906 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[60234.150629] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=39385 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=65535 RES=0x00 ACK URGP=0
[60255.311089] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47237 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=65535 RES=0x00 ACK URGP=0
192.168.0.3 is my local computer.
192.168.0.4 in this case is the PS3.
TCP port 9000 is what is used by the Twonky media server. The media server itself is working, so all other communication is working fine.
Here's the output of my ufw status verbose:
# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
Anywhere ALLOW IN 192.168.0.0/24
22 ALLOW IN Anywhere
62552 ALLOW IN Anywhere
#
Just to be sure I didn't have any strange iptables rule that I didn't know of, I reset both iptables and ufw to default with no rules and reconfigured just the default outgoing and incoming policies and the three rules listed above.
Anyone have any ideas why these RST and ACK packets are being blocked?
OJ
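The iptables dump later in this thread shows why "ufw allow" rules cannot help with these particular packets: in ufw-before-input, anything conntrack classifies as INVALID is dropped before the chain ever jumps to ufw-user-input, and a bare RST or an ACK that belongs to no tracked connection is exactly what conntrack calls INVALID. The added script below (an example written for this page, not something posted in the thread) triages "[UFW BLOCK]" dmesg lines so that TCP packets without a SYN are reported separately from genuine new connections that simply lack an allow rule. The sample log is constructed for the example: two lines mirror the shape of the dmesg output above (RST and ACK from 192.168.0.4), and the third, a SYN from 10.0.0.9, is invented to show the other case. Treat "non-syn-tcp" as a strong hint, not proof, that the drop came from the INVALID rule; an out-of-order ACK can occasionally be picked up as a new flow instead.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage "[UFW BLOCK]" kernel log lines.
# TCP packets that carry no SYN (bare RST/ACK) are the ones conntrack tends to
# mark INVALID; ufw drops those in ufw-before-input, before ufw-user-input, so
# no "ufw allow" rule can ever match them. Everything else is reported as a
# packet that would have needed (or simply lacks) an allow rule.

# Constructed sample input. The first two lines follow the dmesg format seen in
# the thread; the third (SYN from 10.0.0.9) is invented for contrast.
SAMPLE_LOG='[43627.361500] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2210 PROTO=TCP SPT=59521 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[60215.002233] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27623 DF PROTO=TCP SPT=61847 DPT=9000 WINDOW=62804 RES=0x00 ACK URGP=0
[60300.000000] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=10.0.0.9 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0'

# classify_ufw_blocks: reads log lines on stdin and prints, per blocked packet,
#   SRC DPT PROTO FLAGS VERDICT
# VERDICT is "non-syn-tcp" for TCP with no SYN flag (late RST, stray ACK) and
# "new-or-other" for everything else (a SYN, or UDP/ICMP).
classify_ufw_blocks() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; dpt = ""; proto = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)        src = substr($i, 5)
        else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        # TCP flags are printed as bare tokens; "DF" is the IP flag, not one of these
        else if ($i ~ /^(URG|ACK|PSH|RST|SYN|FIN)$/)
          flags = flags (flags == "" ? "" : ",") $i
      }
      verdict = (proto == "TCP" && flags !~ /SYN/) ? "non-syn-tcp" : "new-or-other"
      print src, dpt, proto, (flags == "" ? "-" : flags), verdict
    }'
}

# count_non_syn_tcp: how many blocked packets no "ufw allow" rule could have
# matched, i.e. the ones that point at the INVALID drop in before.rules.
count_non_syn_tcp() {
  classify_ufw_blocks | awk '$5 == "non-syn-tcp" { n++ } END { print n + 0 }'
}

# Usage: dmesg | classify_ufw_blocks   (here run on the constructed sample)
printf '%s\n' "$SAMPLE_LOG" | classify_ufw_blocks
printf 'blocked packets that no ufw allow rule can match: %s\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | count_non_syn_tcp)"
```

Run it against `dmesg` or `/var/log/ufw.log` instead of the constructed sample; a block list dominated by "non-syn-tcp" from an address you already allow means adding more "ufw allow" rules will not change anything, which is what the rest of this thread goes on to find.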
- 08-31-2010 #2
Hi,
have you tried: sudo ufw allow from 192.168.0.4?
or
sudo ufw allow from 192.168.0.4 to any port 9000?
Regards
- 09-01-2010 #3
Thanks for the suggestions.
Here is the new ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
9000 ALLOW IN 192.168.0.4
Anywhere ALLOW IN 192.168.0.4
Anywhere ALLOW IN 192.168.0.0/24
22 ALLOW IN Anywhere
62552 ALLOW IN Anywhere
Here are the ufw blocks after inserting rules 1 and 2.
[31452.631240] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41326 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[31452.631304] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54358 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[31452.652686] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40991 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[31452.652749] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=36107 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[31452.652806] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44771 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
[31452.652862] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41013 DF PROTO=TCP SPT=56404 DPT=9000 WINDOW=64252 RES=0x00 ACK URGP=0
- 09-01-2010 #4
You can try:
ufw allow on wlan0 proto tcp from 192.168.0.4 to any port 9000
and could you please report:
sudo iptables -L
Regards
- 09-01-2010 #5
Sorry, but the command you suggested comes back with:
# sudo ufw insert 1 allow on wlan0 proto tcp from 192.168.0.4 to any
ERROR: "Invalid token 'on'"
Here is the output of my iptables -L:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.0.4 anywhere tcp dpt:9000
ACCEPT udp -- 192.168.0.4 anywhere udp dpt:9000
ACCEPT all -- 192.168.0.4 anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:62552
ACCEPT udp -- anywhere anywhere udp dpt:62552
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
#
- 09-02-2010 #6
Hi,
to see if it is an iptables problem, could you please try:
iptables -I ufw-before-input -s 192.168.0.4 -d 192.168.0.3 -p tcp --dport 9000 -j ACCEPT
I hope this helps.
Regards
- 09-02-2010 #7
Thanks. Adding the iptables rule resolved it.
Is this a bug in ufw, or is this DLNA server on the PS3 sending packets a normal program wouldn't send and that aren't accepted?
Is there any way to add this rule through ufw rather than inputting it directly with iptables?
Many thanks for the help so far.
- 09-02-2010 #8
I guess the thread can be marked as resolved.
I've transported the rule to allow all my local network to access my computer to /etc/ufw/before.rules, right before the policies to drop INVALID packets, as such:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -s 192.168.0.0/24 -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
This has resolved everything. I guess the PS3 media client isn't as good as expected and is sending packets it shouldn't.
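Two things about the fix above that a practitioner would want to keep in mind. First, the before.rules line accepts everything from 192.168.0.0/24 ahead of both the INVALID drop and the user rules, which is broader than the iptables rule from post #6 (one host, TCP, one destination port); the same before.rules edit can be scoped the same way if that is preferred. Second, the fix only works because of its position in the chain: a rule that lands after the INVALID DROP, which is where "ufw allow" puts things (ufw-user-input is jumped to later still), changes nothing. The added script below (an example written for this page, not from the thread or from the ufw project) checks that ordering from the live chain as printed by `iptables -S ufw-before-input`. Both chain listings in it are constructed to illustrate the two outcomes; note that iptables -S prints single hosts with an explicit /32, so a rule written as `-s 192.168.0.4` must be looked up as `192.168.0.4/32`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): after editing /etc/ufw/before.rules and
# running "ufw reload", confirm that the ACCEPT for the LAN (or a narrower
# host/port match) sits before the INVALID-state DROP in ufw-before-input.
# If it lands after that DROP, the stray RST/ACK packets are still dropped and
# the edit silently does nothing.
# Input: the output of "iptables -S ufw-before-input" on stdin.

# Constructed sample: the chain with the before.rules fix from the thread in place.
CHAIN_OK='-N ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -s 192.168.0.0/24 -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -j ufw-user-input'

# Constructed counter-example: the same ACCEPT appended after the INVALID DROP.
CHAIN_BAD='-N ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -s 192.168.0.0/24 -j ACCEPT
-A ufw-before-input -j ufw-user-input'

# check_accept_before_invalid_drop SOURCE   (chain listing on stdin)
# Prints "ok" (exit 0) when a rule "-s SOURCE ... -j ACCEPT" precedes the first
# "INVALID ... -j DROP"; prints "misordered" or "missing" (exit 1) otherwise.
# Matches both "-m state --state INVALID" and "-m conntrack --ctstate INVALID".
# SOURCE must be written as iptables -S prints it (hosts carry a /32).
check_accept_before_invalid_drop() {
  local src="$1"
  awk -v src="$src" '
    accept == 0 && /-j ACCEPT/ && index($0, "-s " src " ") { accept = NR }
    drop == 0   && /INVALID/   && /-j DROP/                { drop = NR }
    END {
      if (accept == 0)                { print "missing";    exit 1 }
      if (drop == 0 || accept < drop) { print "ok";         exit 0 }
      print "misordered"; exit 1
    }'
}

# Usage on a live box: iptables -S ufw-before-input | check_accept_before_invalid_drop 192.168.0.0/24
printf 'CHAIN_OK:  '; printf '%s\n' "$CHAIN_OK"  | check_accept_before_invalid_drop 192.168.0.0/24 || true
printf 'CHAIN_BAD: '; printf '%s\n' "$CHAIN_BAD" | check_accept_before_invalid_drop 192.168.0.0/24 || true
```

A "misordered" result after a reload usually means the line was added below the INVALID rules in before.rules or was added with "ufw allow" instead; "missing" with a host address usually means the /32 was left off the lookup.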