ufw

ufw blocks ipsec

Bug #606997 reported by MarkG
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ufw
Fix Released
Medium
Jamie Strandboge
ufw (Ubuntu)
Fix Released
Medium
Jamie Strandboge
Maverick
Fix Released
Medium
Jamie Strandboge

Bug Description

I've had IPSEC working between the Linux machines on my network for about a year using Firestarter as the firewall. I recently decided that I should probably switch to ufw since Firestarter isn't supported anymore, but since then I've found that IPSEC negotiations are unreliable: today, for example, I could see that one of the machines thought it had negotiated an IPSEC connection to another, but no messages were getting through to the other machine.

Looking at the log files I see lots of messages along the lines of:

Jul 18 01:20:23 nightmare kernel: [ 17.670844] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=xxxx DST=xxxx LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=6954 DF PROTO=AH SPI=0xbd5df15

So what I don't understand is:

1. Why ufw is blocking a protocol that it apparently gives you no control over? I can't tell it to allow or block AH or ESP.
2. Why it sometimes blocks the protocol and sometimes doesn't?

ufw --version:
ufw 0.30pre1-0ubuntu2
Copyright 2008-2010 Canonical Ltd.

This is Ubuntu 10.04 with the most recent updates.

Related branches

lp:debian/ufw
Jamie Strandboge (jdstrand)
Changed in ufw:
status: New → Confirmed
Jamie Strandboge (jdstrand)
Changed in ufw:
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the report. I committed a changes to trunk to allow specifying the 'esp' and 'ah' protocols.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: In Progress → Fix Committed
Changed in ufw (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ufw (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Maverick):
importance: Undecided → High
importance: High → Medium
Changed in ufw (Ubuntu Lucid):
importance: Undecided → Medium
Changed in ufw:
importance: Undecided → Medium
Jamie Strandboge (jdstrand)
Changed in ufw:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.30.0-1ubuntu1

---------------
ufw (0.30.0-1ubuntu1) maverick; urgency=low

  * src/frontend.py: display unicode error messages properly. Thanks to
    Serguey Basalaev.
    - upstream commit r700
    - LP: #580032
  * src/backend_iptables.py: fix gettext warning
    - upstream commit r701
  * run debconf-updatepo, but adjust debian/po/de.po and debian/po/es.po to
    add correct "Language:" tag
  * profiles/ufw-mailserver: remove Postfix specific language
    - upstream commit r705

ufw (0.30.0-1) unstable; urgency=low

  * New upstream release. Use 0.30.0 as the version even though upstream uses
    0.30 in order to sync to Ubuntu. Fixes:
    - LP: #568877
    - LP: #611982
    - LP: #606997
    - LP: #624199
    - LP: #625340
    - LP: #521359
    - LP: #436608
  * don't flush chains if ufw is not enabled (LP: #581744)
  * debian/postinst: don't source /usr/share/debconf/confmodule when $1 =
    triggered. Fix thanks to Colin Watson. (LP: #618410)
  * debian/control:
    - drop versioned depends on iptables. This helps with backporting now that
      the test suite can handle it
    - updated Standards-Version
  * debian/rules:
    - pass interpreter to run_tests.sh
    - don't install upstream application profiles for now
  * add rsyslog support
  * add debian/source/format
  * debian/before6.rules.md5sum: updated for ucf
 -- Jamie Strandboge <email address hidden> Mon, 30 Aug 2010 13:20:58 -0500

Changed in ufw (Ubuntu Maverick):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand)
no longer affects: ufw (Ubuntu Lucid)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.