
Why is ufw not blocking traffic from 169.254.169.254:179?


My ufw is enabled and only permits ssh and wireguard:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
51820/udp                  ALLOW       Anywhere             
22/tcp (v6)                ALLOW       Anywhere (v6)             
51820/udp (v6)             ALLOW       Anywhere (v6)             

# 

I also communicate via host 169.254.169.254 on BGP (port 179). This communication works although I do not allow it. Why?

Is it because 169.254.169.254 is a link local address? (It is interesting that the interface does not have a link local address defined. Communication goes over default gateway. This is the setup on Vultr hosting).

I looked into iptables but I do not see how these packets would be accepted: chain ufw-not-local has a reference to LOCAL addresses:

# iptables -v -L ufw-not-local
Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  508 30944 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
  125  6739 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere      
#
  

However, it is a RETURN and not an ACCEPT! ufw-not-local is called by ufw-before-input which would return to INPUT. And INPUT has policy DROP.

EDIT: Full iptables -xvnL output:

Chain INPUT (policy DROP 8 packets, 885 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0        0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
     750   227375 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
  362606 147280078 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  362606 147280078 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  333869 128555765 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  333212 128523819 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  333212 128523819 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  333212 128523819 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 216 packets, 10004 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   22278 14578660 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0           
    4853   256884 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           
 1080537 59537850 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1080537 59537850 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1079360 59452755 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1079360 59452755 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1079360 59452755 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1079360 59452755 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
  424797 45621305 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  424797 45621305 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  399178 42100854 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  399178 42100854 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  399178 42100854 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  399178 42100854 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
     142    17992 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
      16     1305 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
      16     1305 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
     150    18656 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       1       52 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      11     1232 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
      13     1092 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
     214     9920 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
       3      120 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       7      845 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      10      464 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination         
       3      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      12     1125 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
       4      180 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       5      300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820      

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   


Doug Smythies:
We can not answer without the entire iptables rule set (even though ufw generated rule sets are difficult to follow). Please edit your question adding the output from `sudo iptables -xvnL`
Doug Smythies:
Border Gateway Protocol (BGP) probably does some redirection and port changes between the involved routers. I don't know the details, nor would they really be Ubuntu related.
Asker:
@DougSmythies Added full output. I don't think BGP does any weird changes here. I see it in tcpdump on port 179. Regardless, it is pretty unexpected that this traffic comes through despite not being explicitly allowed, hence ufw/Ubuntu related.
Doug Smythies:
I did not realize you have some VMs running via lxcbr0, so we might need to also see `sudo iptables -t nat -xvnL`. Where was tcpdump running? On your local computer, the Vultr hosted computer, or the VM? Also, for the ufw rules, are they running on your local computer or the Vultr hosted computer? Look for an incoming ACCEPT path via RELATED,ESTABLISHED that you created via the OUTPUT path.
Asker:
@DougSmythies I restarted the machine (which should destroy RELATED,ESTABLISHED) and packets are STILL coming through! I meanwhile discovered that ipip (IP protocol packets) also come through. So my question stays: WHY does ufw accept packets without me explicitly accepting them? I went through the iptables rules but my brain explodes. I am not an expert in iptables to figure out where the packet would be accepted. But my confidence in ufw is currently extremely low.
Doug Smythies:
I don't know how to try to help you without more, and detailed, information.