ufw firewall incompatiblity #4
Comments
All these lines refer to the configuration of the Bypass rules; this does not affect the network lock. If Bypass works fine there is nothing to worry about. How do you know network lock isn't working? Can you please post the output of "sudo iptables -S". Also, please deactivate your gufw profile (for testing purposes).
-P INPUT DROP
-A ufw-before-input -i lo -j ACCEPT
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-N ufw-track-input

When I disconnect from the VPN while the firewall option is enabled, my browsers (Chromium/Firefox/Waterfox) are able to connect to duckduckgo.com/ip and display my IP. But when I ping duckduckgo.com, here is my return:
ping duckduckgo.com
Thanks, it looks like your ufw rules override qomui's network lock. Please try with ufw disabled; it should work fine then, as all rules are applied correctly.
Alternatively, disable network lock and apply similar settings via ufw. The way qomui's firewall is currently constructed is that it will honor preexisting rules while setting secure defaults; if you are running your own iptables-based firewall it won't be overridden. So if you have explicitly allowed non-VPN traffic before, it will be allowed after, regardless of whether network lock is active or not. I'm thinking about making this optional.
Did a "ufw disable". Everything seems to be working. Before, when I disabled ufw, I did it through Gufw, which doesn't seem to have the same effect. Thank you.
I never really used ufw, but I can assure you that qomui's firewall is very strict, blocking any incoming and outgoing connections not going via the VPN interface apart from local networks and loopback. It also blocks IPv6 to prevent leaks. So it should be safe to use on public networks.
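An added audit helper (not qomui's code) that applies the point made in the two maintainer comments above: it parses `sudo iptables -S` output and reports any ACCEPT rule reachable from OUTPUT that is not bound to the VPN interface, loopback, or qomui's bypass cgroup, plus an OUTPUT policy that is not DROP. The sample ruleset, the `tun0` interface name and the `ufw-before-output` chain are constructed assumptions.

```python
import shlex
from collections import defaultdict
# Constructed `iptables -S` output: a ufw ruleset (ACCEPT out via eth0) loaded
# before qomui's network lock. Chain and interface names are assumed.
SAMPLE = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m cgroup --cgroup 0x00110011 -j ACCEPT
-A OUTPUT -j ufw-before-output
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A ufw-before-output -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
"""

def parse_rules(text):
    """Split `iptables -S` output into chain policies and per-chain rule lists."""
    policies, chains = {}, defaultdict(list)
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts and parts[0] == "-A":
            chains[parts[1]].append(parts[2:])
    return policies, chains

def opt(rule, flag):  # value following `flag` in a rule token list, or None
    return rule[rule.index(flag) + 1] if flag in rule else None

def find_leaks(text, vpn_if="tun0"):
    """Report rules reachable from OUTPUT that let traffic leave outside the VPN."""
    policies, chains = parse_rules(text)
    leaks, seen = [], set()
    if policies.get("OUTPUT") != "DROP":
        leaks.append("OUTPUT policy is %s, not DROP" % policies.get("OUTPUT"))
    def walk(chain):
        if chain in seen:          # guard against jump loops
            return
        seen.add(chain)
        for rule in chains.get(chain, []):
            target = opt(rule, "-j")
            if target in chains:   # user-defined chain (e.g. ufw's): follow it
                walk(target)
            elif target == "ACCEPT":
                # Permitted exits: VPN interface, loopback, qomui's bypass cgroup.
                if opt(rule, "-o") in (vpn_if, "lo") or "cgroup" in rule:
                    continue
                leaks.append("%s: %s" % (chain, " ".join(rule)))
    walk("OUTPUT")
    return leaks
```

Run it against a real dump with `find_leaks(open("rules.txt").read())`; an empty list means nothing reachable from OUTPUT accepts traffic off the tunnel.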
For users that want to continue to firewall with ufw while having a VPN killswitch, follow this guide.
Recently installed Linux Lite 4 and installed qomui. Network lock (firewall feature) does not work after disconnecting.
2018-06-21 00:44:05,431 - INFO - iptables: activated firewall
2018-06-21 00:44:05,432 - INFO - (Re-)enabled ipv6
2018-06-21 00:44:05,443 - WARNING - iptables: failed to apply ['-t', 'mangle', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'MARK', '--set-mark', '11']
2018-06-21 00:44:05,445 - WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'POSTROUTING', '-m', 'cgroup', '--cgroup', '0x00110011', '-o', 'eth0', '-j', 'MASQUERADE']
2018-06-21 00:44:05,447 - DEBUG - iptables: ['-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT'] already exists
2018-06-21 00:44:05,448 - DEBUG - iptables: ['-D', 'INPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT'] already exists
2018-06-21 00:44:05,451 - WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'tcp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
2018-06-21 00:44:05,454 - WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'udp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
2018-06-21 00:44:05,454 - DEBUG - Could not delete /sys/fs/cgroup/net_cls/bypass_qomui - resource does not exist or is busy
2018-06-21 00:44:05,454 - INFO - Deleted cgroup
2018-06-21 00:44:05,455 - DEBUG - No routing table added - table bypass_qomui already exists
2018-06-21 00:44:05,458 - DEBUG - iptables: applied ['-t', 'mangle', '-A', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'MARK', '--set-mark', '11']
2018-06-21 00:44:05,461 - DEBUG - iptables: applied ['-t', 'nat', '-A', 'POSTROUTING', '-m', 'cgroup', '--cgroup', '0x00110011', '-o', 'eth0', '-j', 'MASQUERADE']
2018-06-21 00:44:05,463 - DEBUG - iptables: applied ['-I', 'OUTPUT', '1', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT']
2018-06-21 00:44:05,466 - DEBUG - iptables: applied ['-I', 'INPUT', '1', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT']
2018-06-21 00:44:05,468 - DEBUG - iptables: applied ['-t', 'nat', '-A', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'tcp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
2018-06-21 00:44:05,471 - DEBUG - iptables: applied ['-t', 'nat', '-A', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'udp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
2018-06-21 00:44:05,476 - INFO - Succesfully create cgroup to bypass OpenVPN tunnel
Bypass works fine. I've tried toggling the OS firewall (Gufw) on and off and it did not help.