UFW (uncomplicated firewall) blocks VPN and NTP (kcmclock)

Questions about networking.
In the Original Post please also include the output of inxi -FNzxx
joni1101
Posts: 27
Joined: 19 Dec 2014 16:15
Location: Vancouver, Canada

UFW (uncomplicated firewall) blocks VPN and NTP (kcmclock)

Postby joni1101 » 01 Jun 2015 04:14

Hi
I find that UFW is blocking VPN and kcmclock. I'll start with NTP, then VPN (inxi output follows). I found this in /var/log/syslog:

Code:

May 31 17:10:01 merperthinkpad dbus[928]: [system] Activating service name='org.kde.kcontrol.kcmclock' (using servicehelper)
May 31 17:10:01 merperthinkpad org.kde.kcontrol.kcmclock: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
May 31 17:10:01 merperthinkpad dbus[928]: [system] Successfully activated service 'org.kde.kcontrol.kcmclock'
May 31 17:10:04 merperthinkpad org.kde.kcontrol.kcmclock[928]: 31 May 17:10:04 ntpdate[21237]: the NTP socket is in use, exiting
May 31 17:10:31 merperthinkpad dbus[928]: [system] Activating service name='org.kde.kcontrol.kcmclock' (using servicehelper)
May 31 17:10:31 merperthinkpad org.kde.kcontrol.kcmclock: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
May 31 17:10:31 merperthinkpad dbus[928]: [system] Successfully activated service 'org.kde.kcontrol.kcmclock'
May 31 17:10:35 merperthinkpad org.kde.kcontrol.kcmclock[928]: 31 May 15:10:35 ntpdate[21251]: the NTP socket is in use, exiting

Does this mean that the UFW is blocking NTP?

Finally, I can't connect to a PPTP vpn unless I first disable the firewall. Do I need a specific port exemption to PPTP? I was under the impression that by default the firewall allows incoming connections if an outbound connection already exists.

I have an exception for my previous vpn provider in IPTABLES - but - that rule does not show up in UFW. I know I can add the same ALLOW to iptables for the new VPN provider -- but I'm trying to understand how this works. Does UFW work with IPTABLES? Does IPTABLES sit at a lower level than UFW?

Code:

System:    Host: merperthinkpad Kernel: 3.16.0-4-amd64 x86_64 (64 bit gcc: 4.8.4) 
           Desktop: N/A dm: lightdm Distro: SolydXK 1 solydxk 
Machine:   System: LENOVO product: 2306CTO v: ThinkPad X230 serial:xxx 
           Mobo: LENOVO model: 2306CTO v: Win8 STD DPK TPG serial: xxx
           Bios: LENOVO v: G2ETA2WW (2.62 ) date: 09/12/2014
           Chassis: type: 10 serial: R9Z5LV7
CPU:       Dual core Intel Core i5-3230M (-HT-MCP-) cache: 3072 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 10376 
           Clock Speeds: 1: 1240 MHz 2: 1296 MHz 3: 1295 MHz 4: 1221 MHz
Graphics:  Card: Intel 3rd Gen Core processor Graphics Controller
           bus-ID: 00:02.0 chip-ID: 8086:0166
           Display Server: X.org 1.16.4 drivers: intel (unloaded: fbdev,vesa)
           tty size: 94x47 Advanced Data: N/A for root
Audio:     Card Intel 7 Series/C210 Series Family High Definition Audio Controller 
           driver: snd_hda_intel bus-ID: 00:1b.0 chip-ID: 8086:1e20 
           Sound: Advanced Linux Sound Architecture v: k3.16.0-4-amd64
Network:   Card-1: Intel 82579LM Gigabit Network Connection
           driver: e1000e v: 2.3.2-k port: 5080 bus-ID: 00:19.0 chip-ID: 8086:1502
           IF: eth1 state: down mac: 3c:97:0e:a1:12:ae
           Card-2: Intel Centrino Advanced-N 6205 [Taylor Peak]
           driver: iwlwifi v: in-tree: bus-ID: 03:00.0 chip-ID: 8086:0085
           IF: wlan0 state: up mac: 6c:88:14:8e:0c:54
Drives:    HDD Total Size: 480.1GB (23.0% used)
           ID-1: /dev/sda model: Crucial_CT480M50 size: 480.1GB serial: 1350095DFB0D temp: 37C
Partition: ID-1: / size: 145G used: 20G (15%) fs: ext4 dev: /dev/sda5 
Sensors:   System Temperatures: cpu: 53.0C mobo: N/A 
           Fan Speeds (in rpm): cpu: 2997 
Info:      Processes: 232 Uptime: 1 day Memory: 2711.3/7821.5MB 
           Init: systemd v: 215 runlevel: 5 default: 2 Gcc sys: 4.9.2 alt: 4.8 
           Client: Shell (bash 4.3.301 running in sudo) inxi: 2.1.28 

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 01 Jun 2015 05:42

I deleted UFW and installed firewalld instead (default in Fedora) and I still get the same problem.
unable to contact time server: north-america.pool.ntp.org
I also tried it with the regular pool.ntp.org. However, PPTP now works.

---
By way of verifying if this is really a bug, does UFW crash when you click ENABLE IPV6 SUPPORT? It did for me, reproducible.

ilu
Posts: 2539
Joined: 09 Oct 2013 12:45

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby ilu » 01 Jun 2015 12:57

joni1101 wrote: Does IPTABLES sit at a lower level than UFW?
This. I'm still trying to figure out this firewall stuff for myself, so I don't know much more. But I know UFW is just a (very limited) graphical frontend.

Edit: Kurotsugi you are right of course. GUFW is the graphical frontend for UFW, UFW is the command-line frontend for iptables. So it's 3 layers on top of each other not just 2.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 01 Jun 2015 13:57

Try to uncheck the 'IPV6 support enabled' option of UFW in the GUI and then turn off the firewall (uncheck the box in the GUI). Then turn on UFW and re-enable IPV6. Do you get a crash?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 01 Jun 2015 13:59

I've confirmed that the NTP error is not caused by the firewall. Does anyone else have trouble with NTP on SolydK Jessie?

kurotsugi
Posts: 2240
Joined: 09 Jan 2014 00:17

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby kurotsugi » 02 Jun 2015 12:51

ufw doesn't have any GUI. If you're using a GUI to control it, then you're probably using gufw. gufw (the front-end, which provides the GUI) might crash, but ufw (the back-end, the actual thing that controls your firewall) still works. If you feel something is wrong with the firewall, you can check the ufw log files.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 19:42

I can not connect to my VPN either after updating Jessie from testing to stable.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 03 Jun 2015 20:43

If you were on testing then you were tracking Stretch not Jessie. Changing your sources to point to Jessie would probably break something since Jessie is a downgrade from Stretch. Is VPN the only thing that broke?

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 21:16

No, you are confused. I had Jessie testing SolydX Home Edition from 2014 (WAY BACK), when Jessie was in testing at that time, and I updated to Jessie Stable yesterday.

From:

deb http://home.solydxk.nl/production solydxk main upstream import
deb http://debian.solydxk.nl/production testing main contrib non-free
deb http://debian.solydxk.nl/security testing/updates main contrib non-free
deb http://community.solydxk.nl/production solydxk main

To:

deb http://repository.solydxk.nl/ solydxk main upstream import
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.debian.org/debian/ jessie-backports main contrib non-free

Nothing is broken, just went from testing to stable from 2014 to 2015.

Anyway, I downloaded the new distro from the SolydX website today and still have the same issue.

original post here: http://forums.solydxk.nl/viewtopic.php?f=8&t=5641

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 03 Jun 2015 21:40

Turn off UFW before attempting to connect to the VPN -- once VPN is working, you can turn on the firewall again.

To find UFW, go to the launcher and type in Firewall.

You can also set a new rule as an exemption to allow all traffic between you and the VPN server - however - this only works if you only use 1 vpn server. If you're changing vpn servers then you'll need to add a rule for each one.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 21:48

My ufw is off and it still can't connect to VPN. I only use 1 VPN.

My VPN worked fine when SolydX had Home Edition (Jessie Testing) and Business Edition (Wheezy Stable), but now with the new SolydX (Jessie Stable) I cannot connect to my VPN after the update to stable or even from the new ISO.

What port# do VPNs run off?

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 03 Jun 2015 21:56

PPTP runs on 1723
OpenVPN can run on any port.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 22:02

I am using PPTP so I will try it now.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 22:15

Thanks, now it connects after turning off ufw for the fourth time. After I added the ports to the firewall, when I turn the firewall on it disconnects.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 22:36

Now it does not connect. Seems like it's random. Firewall is off.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby joni1101 » 03 Jun 2015 23:02

Amenarch wrote: Now it does not connect. Seems like it's random. Firewall is off.

Code:

grep -i -P 'vpn|ufw' /var/log/syslog

See if the errors in there make sense.

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 03 Jun 2015 23:52

This is what I get:

Jun 3 18:05:44 w520-linux-server kernel: [ 4323.609392] [UFW BLOCK] IN=wlan2 OUT= MAC=xxxx SRC=17xxx DST=192.168.1.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=26326 PROTO=47

and

Jun 3 18:53:24 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (ConnectInteractive) reply received.
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: starting (3)
Jun 3 18:53:44 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (Connect) reply received.
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: stopped (6)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <info> VPN plugin state change reason: unknown (0)
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 18:53:47 w520-linux-server NetworkManager[1069]: (nm-pptp-service:21072): libnm-glib-WARNING **: Disconnect failed: Could not process the request because no VPN connection was active.
Jun 3 18:54:07 w520-linux-server NetworkManager[1069]: (nm-pptp-service:21072): libnm-glib-WARNING **: Disconnect failed: Could not process the request because no VPN connection was active.
Jun 3 18:54:07 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' disappeared
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> Starting VPN service 'pptp'...
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 23420
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' appeared; activating connections
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (ConnectInteractive) reply received.
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: starting (3)
Jun 3 19:42:21 w520-linux-server NetworkManager[1069]: <info> VPN connection '24vc' (Connect) reply received.
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <info> VPN plugin state changed: stopped (6)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <info> VPN plugin state change reason: unknown (0)
Jun 3 19:42:24 w520-linux-server NetworkManager[1069]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 3 19:42:45 w520-linux-server NetworkManager[1069]: <info> VPN service 'pptp' disappeared

Arjen Balfoort
Site Admin
Posts: 9330
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Arjen Balfoort » 04 Jun 2015 05:54

I googled and found this as a possible solution: http://askubuntu.com/questions/572497/c ... ernel-3-18


SolydXK needs you!
Development | Testing | Translations

Deleted User 2780

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Deleted User 2780 » 04 Jun 2015 14:40

Thanks Schoelje, it seems to work for now. I will test it for 24 hrs and then report back.

Re: UFW (uncomplicated firewall) blocks VPN and NTP (kcmcloc

Postby Arjen Balfoort » 04 Jun 2015 15:13

Are you trying the first (changing before.rules) or the second (loading nf_conntrack_pptp) solution?


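Added example, not part of the thread or of the linked answer: a way to read the `[UFW BLOCK]` entries posted above, grouping them by direction, protocol and source so a dropped PPTP data channel stands out. The function names are hypothetical and the sample log lines are constructed (documentation addresses, not values from the thread).

```shell
#!/bin/sh
# PPTP uses TCP 1723 for control and GRE (IP protocol 47) for tunnel data.
# The kernel log prints GRE by number, as PROTO=47.

# Constructed sample lines in the format of the entry posted in the thread.
sample_log() {
cat <<'EOF'
Jun  3 18:05:44 host kernel: [ 4323.609392] [UFW BLOCK] IN=wlan2 OUT= SRC=203.0.113.10 DST=192.168.1.20 LEN=60 TTL=112 ID=26326 PROTO=47
Jun  3 18:05:45 host kernel: [ 4324.101100] [UFW BLOCK] IN=wlan2 OUT= SRC=203.0.113.10 DST=192.168.1.20 LEN=60 TTL=112 ID=26327 PROTO=47
Jun  3 18:06:02 host kernel: [ 4341.500000] [UFW BLOCK] IN=wlan2 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=40 TTL=50 ID=1 PROTO=TCP SPT=443 DPT=51000
Jun  3 18:06:03 host NetworkManager[1069]: <warn> VPN plugin failed: connect-failed (1)
EOF
}

# stdin: syslog text. stdout: "count direction proto src", busiest first.
# direction is "in" when IN= names an interface, "out" otherwise.
ufw_block_summary() {
    awk '/\[UFW BLOCK\]/ {
        dir = "out"; proto = "?"; src = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=./)   dir = "in"
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^SRC=/)   src = substr($i, 5)
        }
        n[dir " " proto " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Exit 0 if any blocked packet on stdin is GRE (protocol 47).
gre_blocked() {
    ufw_block_summary | awk '$3 == "47" { found = 1 } END { exit !found }'
}

# Exit 0 if the PPTP conntrack helper named in the thread is loaded.
# Optional argument: a file in /proc/modules format (default /proc/modules).
pptp_helper_loaded() {
    grep -q '^nf_conntrack_pptp ' "${1:-/proc/modules}"
}

sample_log | ufw_block_summary
if sample_log | gre_blocked; then
    echo "GRE (proto 47) is dropped: allowing TCP 1723 alone is not enough"
fi
```

On a live system, feed it the real log with `ufw_block_summary < /var/log/syslog`. Inbound protocol 47 from the VPN server at the top of the list points at the GRE data channel, which is what both options named above (the before.rules change or loading nf_conntrack_pptp) address.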

