My system seems to be responding to probing although ufw is enabled, how do I stop these "unsolicited packets"?

Hello! I have just installed Manjaro XFCE on my computer. Noticed that webpage: GRC | ShieldsUP! — Internet Vulnerability Profiling
is saying that my system is responding to probing: “Unsolicited Packets received”.
I haven’t encountered this earlier, so my question is: how do I stop the system responding to this probing? I have ufw enabled and it has its default settings in the before.rules file.

What are your rules?

sudo ufw status verbose

Hello!
It says:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

cat /etc/ufw/before.rules

(PS please use the </> code button to format text. You can see this: How to provide good information)

Let’s see if I got that right (close enough :smile:):

    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    # ufw-before-input
    # ufw-before-output
    # ufw-before-forward
    #

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines


    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -o lo -j ACCEPT

    # quickly process packets for which we already have a connection
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local

    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

    # all other non-local packets are dropped
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP

    # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 224.XXX.XXX.XXX --dport 5353 -j ACCEPT

    # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 239.XXX.XXX.XXX --dport 1900 -j ACCEPT

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

You seem to be missing source-quench, ex:

-A ufw-before-input -p icmp --icmp-type source-quench -j DROP

Actually, these should all be DROP:

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

https://wiki.archlinux.org/index.php/Uncomplicated_Firewall#Disable_remote_ping
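As an added example (not code from the thread or from ufw itself), a small POSIX shell audit that lists which ICMP types a before.rules file still ACCEPTs in the ufw-before-input chain, reports whether the host would answer ping, and rewrites those ACCEPTs to DROP as suggested above; the rules file it runs on is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the ICMP input rules in a
# ufw before.rules file. Any type ACCEPTed here is answered by the host;
# echo-request in particular makes it reply to ping (ShieldsUP's probe).

# Print one accepted ICMP type per line for the ufw-before-input chain.
icmp_input_accepts() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip commented-out rules
        $1 == "-A" && $2 == "ufw-before-input" && /-p icmp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--icmp-type") print $(i + 1)
        }
    ' "$1"
}

# Exit 0 if the host would answer ping (echo-request is ACCEPTed), else 1.
ping_exposed() {
    icmp_input_accepts "$1" | grep -qx 'echo-request'
}

# Emit the same file with ICMP input ACCEPTs rewritten to DROP, as the
# answer above recommends, leaving every other line untouched.
harden_icmp_input() {
    sed -E '/^[[:space:]]*-A ufw-before-input .*-p icmp .*-j ACCEPT[[:space:]]*$/ s/-j ACCEPT/-j DROP/' "$1"
}

# Constructed sample mirroring the stock ICMP section (hypothetical file).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP
EOF

icmp_input_accepts "$SAMPLE"
if ping_exposed "$SAMPLE"; then echo "host answers ping"; else echo "ping dropped"; fi
harden_icmp_input "$SAMPLE" > "$SAMPLE.hardened"
ping_exposed "$SAMPLE.hardened" || echo "hardened file drops ping"
```

Dropping destination-unreachable and time-exceeded as well also silences the ICMP messages that path MTU discovery and traceroute depend on, so check connectivity after reloading the rules.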

Thank you for your help! :smiley: This solved the problem instantly!

I wonder how I didn’t even have that line in my previous system either :thinking: But this before.rules was the system default, so it was missing the line by default, I think? Though there’s a small chance I accidentally deleted the line when I put those ‘drop’ rules in at the beginning, but like I said, even the old system’s before.rules does not seem to have this line, so I’m wondering…

The package is owned by ufw, which we get straight from Arch.
I am not sure why it’s not present but mentioned in the wiki.
(I checked the man page and it’s mentioned there, so I assume it isn’t deprecated either)
:woman_shrugging:

In any case happy sailing :slight_smile:

Ok, thanks for checking! I don’t have much knowledge about firewall things; those rule lines mostly look like hieroglyphics to me :grin:

I previously had Lubuntu, but if I’m recalling correctly it didn’t bring up this “Unsolicited Packets” warning, although it seems that line wasn’t there either. If there are some differences somewhere in something, I don’t have enough skills and knowledge to start trying/checking anything. But the most important thing for me is that I could get my system working how I expected. Thanks again!

Btw, my short-time experience with Manjaro is very positive, loving it so far!
