
UFW (uncomplicated firewall) blocks VPN and NTP (kcmclock)

Posted: 01 Jun 2015 04:14
by joni1101
Hi
I find that UFW is blocking VPN and kcmclock. I'll start with NTP, then VPN (inxi output follows). I found this in /var/log/syslog:

Code:

May 31 17:10:01 merperthinkpad dbus[928]: [system] Activating service name='org.kde.kcontrol.kcmclock' (using servicehelper)
May 31 17:10:01 merperthinkpad org.kde.kcontrol.kcmclock: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
May 31 17:10:01 merperthinkpad dbus[928]: [system] Successfully activated service 'org.kde.kcontrol.kcmclock'
May 31 17:10:04 merperthinkpad org.kde.kcontrol.kcmclock[928]: 31 May 17:10:04 ntpdate[21237]: the NTP socket is in use, exiting
May 31 17:10:31 merperthinkpad dbus[928]: [system] Activating service name='org.kde.kcontrol.kcmclock' (using servicehelper)
May 31 17:10:31 merperthinkpad org.kde.kcontrol.kcmclock: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
May 31 17:10:31 merperthinkpad dbus[928]: [system] Successfully activated service 'org.kde.kcontrol.kcmclock'
May 31 17:10:35 merperthinkpad org.kde.kcontrol.kcmclock[928]: 31 May 15:10:35 ntpdate[21251]: the NTP socket is in use, exiting 
Does this mean that the UFW is blocking NTP?

Finally, I can't connect to a PPTP vpn unless I first disable the firewall. Do I need a specific port exemption to PPTP? I was under the impression that by default the firewall allows incoming connections if an outbound connection already exists.

I have an exception for my previous vpn provider in IPTABLES - but - that rule does not show up in UFW. I know I can add the same ALLOW to iptables for the new VPN provider -- but I'm trying to understand how this works. Does UFW work with IPTABLES? Does IPTABLES sit at a lower level than UFW?

Code:

System:    Host: merperthinkpad Kernel: 3.16.0-4-amd64 x86_64 (64 bit gcc: 4.8.4) 
           Desktop: N/A dm: lightdm Distro: SolydXK 1 solydxk 
Machine:   System: LENOVO product: 2306CTO v: ThinkPad X230 serial:xxx 
           Mobo: LENOVO model: 2306CTO v: Win8 STD DPK TPG serial: xxx
           Bios: LENOVO v: G2ETA2WW (2.62 ) date: 09/12/2014
           Chassis: type: 10 serial: R9Z5LV7
CPU:       Dual core Intel Core i5-3230M (-HT-MCP-) cache: 3072 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 10376 
           Clock Speeds: 1: 1240 MHz 2: 1296 MHz 3: 1295 MHz 4: 1221 MHz
Graphics:  Card: Intel 3rd Gen Core processor Graphics Controller
           bus-ID: 00:02.0 chip-ID: 8086:0166
           Display Server: X.org 1.16.4 drivers: intel (unloaded: fbdev,vesa)
           tty size: 94x47 Advanced Data: N/A for root
Audio:     Card Intel 7 Series/C210 Series Family High Definition Audio Controller 
           driver: snd_hda_intel bus-ID: 00:1b.0 chip-ID: 8086:1e20 
           Sound: Advanced Linux Sound Architecture v: k3.16.0-4-amd64
Network:   Card-1: Intel 82579LM Gigabit Network Connection
           driver: e1000e v: 2.3.2-k port: 5080 bus-ID: 00:19.0 chip-ID: 8086:1502
           IF: eth1 state: down mac: 3c:97:0e:a1:12:ae
           Card-2: Intel Centrino Advanced-N 6205 [Taylor Peak]
           driver: iwlwifi v: in-tree: bus-ID: 03:00.0 chip-ID: 8086:0085
           IF: wlan0 state: up mac: 6c:88:14:8e:0c:54
Drives:    HDD Total Size: 480.1GB (23.0% used)
           ID-1: /dev/sda model: Crucial_CT480M50 size: 480.1GB serial: 1350095DFB0D temp: 37C
Partition: ID-1: / size: 145G used: 20G (15%) fs: ext4 dev: /dev/sda5 
Sensors:   System Temperatures: cpu: 53.0C mobo: N/A 
           Fan Speeds (in rpm): cpu: 2997 
Info:      Processes: 232 Uptime: 1 day Memory: 2711.3/7821.5MB 
           Init: systemd v: 215 runlevel: 5 default: 2 Gcc sys: 4.9.2 alt: 4.8 
           Client: Shell (bash 4.3.301 running in sudo) inxi: 2.1.28 

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 01 Jun 2015 05:42
by joni1101
I deleted UFW and installed firewalld instead (default in Fedora) and I still get the same problem.
unable to contact time server: north-america.pool.ntp.org
I also tried it with regular pool.ntp.org however - pptp now works.

---
By way of verifying if this is really a bug, does UFW crash when you click ENABLE IPV6 SUPPORT? It did for me, reproducible.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 01 Jun 2015 12:57
by ilu
Does IPTABLES sit at a lower level than UFW?
This. I'm still trying to figure out this firewall stuff for myself, so I don't know much more. But I know UFW is just a (very limited) graphical frontend.

Edit: Kurotsugi you are right of course. GUFW is the graphical frontend for UFW, UFW is the command-line frontend for iptables. So it's 3 layers on top of each other not just 2.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 01 Jun 2015 13:57
by joni1101
Try to uncheck the 'IPV6 support enabled' option of UFW in the GUI and then turn off the firewall (uncheck the box in the GUI). Then turn on UFW and re-enable IPV6. Do you get a crash?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 01 Jun 2015 13:59
by joni1101
I've confirmed that the NTP error is not caused by the firewall. Does anyone else have trouble with NTP on SolydK Jessie?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 02 Jun 2015 12:51
by kurotsugi
ufw doesn't have any GUI. If you're using a GUI to control it then you're probably using gufw. gufw (the front-end, which provides the GUI) might crash but ufw (the back-end, the actual thing that controls your firewall) still works. If you feel something is wrong with the firewall you can check the ufw log files.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 19:42
by Deleted User 2780
I can not connect to my VPN either after updating Jessie from testing to stable.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 20:43
by joni1101
If you were on testing then you were tracking Stretch not Jessie. Changing your sources to point to Jessie would probably break something since Jessie is a downgrade from Stretch. Is VPN the only thing that broke?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 21:16
by Deleted User 2780
No, you are confused. I had Jessie testing SolydX Home Edition from 2014 (WAY BACK), when Jessie was in testing at that time, and I updated to Jessie Stable yesterday.

From:

deb http://home.solydxk.nl/production solydxk main upstream import
deb http://debian.solydxk.nl/production testing main contrib non-free
deb http://debian.solydxk.nl/security testing/updates main contrib non-free
deb http://community.solydxk.nl/production solydxk main

To:

deb http://repository.solydxk.nl/ solydxk main upstream import
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.debian.org/debian/ jessie-backports main contrib non-free

Nothing is broken, just went from testing to stable from 2014 to 2015.

Anyway, I downloaded the new distro from solydx website today and still the same issue.

original post here: http://forums.solydxk.nl/viewtopic.php?f=8&t=5641

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 21:40
by joni1101
Turn off UFW before attempting to connect to the VPN -- once VPN is working, you can turn on the firewall again.

To find UFW, go to the launcher and type in Firewall.

You can also set a new rule as an exemption to allow all traffic between you and the VPN server - however - this only works if you only use 1 vpn server. If you're changing vpn servers then you'll need to add a rule for each one.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 21:48
by Deleted User 2780
My ufw is off and it still can't connect to VPN. I only use 1 VPN.

My VPN worked fine when Solydx had Home Edition (Jessie Testing) and Business Edition (Wheezy Stable) but now with the new SolydX (Jessie Stable) I can not connect to my VPN after the update to stable or even from the new ISO.

What port# do VPNs run off?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 21:56
by joni1101
PPTP runs on 1723
OpenVPN can run on any port.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 22:02
by Deleted User 2780
I am using PPTP so I will try it now.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 22:15
by Deleted User 2780
Thanks, now it connects after turning off ufw for the fourth time. After I added the ports to the firewall, when I turn the firewall on it disconnects.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 22:36
by Deleted User 2780
Now it does not connect. Seems like it's random. Firewall is off.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 23:02
by joni1101
Amenarch wrote: Now it does not connect. Seems like it's random. Firewall is off.

Code:

grep -i -P 'vpn|ufw' /var/log/syslog

See if the errors in there make sense.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 03 Jun 2015 23:52
by Deleted User 2780
This is what i get:

Jun 3 18:05:44 w520-linux-server kernel: [ 4323.609392] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=17xxx DST=192.168.1.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=26326 PROTO=47

and

Jun 3 18:53:24 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (ConnectInteractive) reply received.
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: starting (3)
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (Connect) reply received.
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: stopped (6)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <info> VPN plugin state change reason: unknown (0)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: (nm-pptp-service:21072): libnm-glib-WARNING **: Disconnect failed: Could not process the request because no VPN connection was active.
Jun 3 18:54:07 w520-linux-server NetworkManager[1069]: (nm-pptp-service:21072): libnm-glib-WARNING **: Disconnect failed: Could not process the request because no VPN connection was active.
Jun 3 18:54:07 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' disappeared
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> Starting VPN service 'pptp'...
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 23420
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' appeared; activating connections
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (ConnectInteractive) reply received.
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: starting (3)
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (Connect) reply received.
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: stopped (6)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <info> VPN plugin state change reason: unknown (0)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 19:42:45 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' disappeared

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 04 Jun 2015 05:54
by Arjen Balfoort
I googled and found this as a possible solution: http://askubuntu.com/questions/572497/c ... ernel-3-18

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 04 Jun 2015 14:40
by Deleted User 2780
Thanks Schoelje, it seems to work for now. I will test it for 24 hrs and then report back.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Posted: 04 Jun 2015 15:13
by Arjen Balfoort
Are you trying the first (changing before.rules) or the second (loading nf_conntrack_pptp) solution?
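
The `[UFW BLOCK] ... PROTO=47` entry posted earlier in this thread is GRE (IP protocol 47), which carries PPTP tunnel data alongside the TCP 1723 control connection. As an added example (not code from any poster here), this Python script sorts UFW block lines from syslog into PPTP and NTP categories; the function names and every sample line except the two quoted from the thread are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; a value may be empty ("OUT=")

def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line, or None for other lines."""
    _, marker, tail = line.partition("[UFW BLOCK]")
    return dict(FIELD.findall(tail)) if marker else None

def classify(fields):
    """Map one blocked packet to the service discussed in the thread."""
    proto = fields.get("PROTO", "").upper()
    ports = {fields.get("SPT"), fields.get("DPT")}
    if proto in ("47", "GRE"):              # PPTP tunnel data: GRE, IP protocol 47
        return "pptp-gre"
    if proto == "TCP" and "1723" in ports:  # PPTP control connection
        return "pptp-control"
    if proto == "UDP" and "123" in ports:   # NTP
        return "ntp"
    return "other"

def summarise(lines):
    """Count blocked packets keyed by (category, direction)."""
    counts = Counter()
    for line in lines:
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        # Inbound packets have IN=<iface> and an empty OUT= field.
        direction = "in" if fields.get("IN") and not fields.get("OUT") else "out/forward"
        counts[(classify(fields), direction)] += 1
    return counts

SAMPLE = [
    # Quoted from the thread (redactions as posted):
    "Jun 3 18:05:44 w520-linux-server kernel: [ 4323.609392] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=17xxx DST=192.168.1.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=26326 PROTO=47",
    "Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)",
    # Constructed sample lines (documentation addresses):
    "Jun 3 18:05:45 host kernel: [ 4324.1] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=203.0.113.10 DST=192.168.1.20 LEN=60 TTL=112 ID=26327 PROTO=47",
    "Jun 3 18:05:46 host kernel: [ 4325.2] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=203.0.113.10 DST=192.168.1.20 LEN=52 TTL=112 ID=411 PROTO=TCP SPT=1723 DPT=40112",
    "Jun 3 18:05:47 host kernel: [ 4326.3] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=192.168.1.7 DST=224.0.0.251 LEN=80 TTL=255 ID=9 PROTO=UDP SPT=5353 DPT=5353",
]

if __name__ == "__main__":
    for (kind, direction), n in sorted(summarise(SAMPLE).items()):
        print(f"{kind:13} {direction:12} {n}")
```

Inbound `pptp-gre` blocks with no `ntp` blocks match what the thread found: the firewall drops the GRE data channel, while the NTP error comes from elsewhere.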