
Firewall problems

Open ShittyGuy opened this issue 5 years ago • 7 comments

First of all, I’m running Qomui on a pretty new Arch installation installed through the AUR and getting some strange firewall behavior. If I enable the firewall and IPv6 protection through the GUI started with sudo, both work more or less, but I am still able to ping any server through my terminal and I’m not quite sure if that’s the intended behavior. This is what the GUI log shows after enabling the firewall and IPv6 protection:

INFO - Configuration changes applied successfully
INFO - Disabled ipv6
INFO - Loading default firewall configuration
INFO - ipv6 stack not available
INFO - iptables: flushed existing rules
INFO - ipv6 stack not available
INFO - ipv6 stack not available
INFO - ipv6 stack not available
INFO - iptables: activated firewall
WARNING - iptables: failed to apply ['-t', 'mangle', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'MARK', '--set-mark', '11']
WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'POSTROUTING', '-m', 'cgroup', '--cgroup', '0x00110011', '-o', 'enp3s0', '-j', 'MASQUERADE']
WARNING - iptables: failed to apply ['-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT']
WARNING - iptables: failed to apply ['-D', 'INPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-j', 'ACCEPT']
WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'tcp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
WARNING - iptables: failed to apply ['-t', 'nat', '-D', 'OUTPUT', '-m', 'cgroup', '--cgroup', '0x00110011', '-p', 'udp', '--dport', '53', '-j', 'REDIRECT', '--to-ports', '5354']
INFO - ipv6 stack not available
INFO - Deleted cgroup

The other thing is that after a reboot with qomui.service enabled the firewall is only about half-way activated. I can visit Google, YouTube, Have I Been Pwned, IPLeak and Wikipedia (and probably many more) while DuckDuckGo, GitHub, Twitter, Twitch, Amazon… aren’t working. Furthermore, IPv6 is enabled again unless I disable it in the GUI again. If I re-enable the firewall and IPv6 in the GUI again I’m in the same state as stated before. I don't know what could cause the issues, but the only reason I could think of is that the service calls the CLI application, which gives me D-Bus permission errors when I’m trying to enable the firewall or disable IPv6.

ShittyGuy avatar Feb 07 '19 16:02 ShittyGuy

The output of

sudo iptables -S
sudo ip6tables -S

during each behavior may be useful for analyzing your issues

zanieb avatar Feb 07 '19 18:02 zanieb

If I enable the firewall and IPv6 protection through the GUI started with sudo, both work more or less, but I am still able to ping any server through my terminal and I’m not quite sure if that’s the intended behavior.

Don't disable ipv6 unless you have a very good reason to do so. The firewall will take care of ipv6 leaks if that's what concerns you. By default, pings are allowed, otherwise latency checks wouldn't be possible. If you don't want that you can remove the respective rules via "Configure firewall". Furthermore, don't launch the gui with sudo: This is neither necessary nor recommended. The only time you'll be asked to authenticate as sudo/root via the gui is when you change the options. This is to prevent a user with normal privileges from changing the network security settings.

The other thing is that after a reboot with qomui.service enabled the firewall is only about half-way activated. I can visit Google, YouTube, Have I Been Pwned, IPLeak and Wikipedia (and probably many more) while DuckDuckGo, GitHub, Twitter, Twitch, Amazon… aren’t working. Furthermore, IPv6 is enabled again unless I disable it in the GUI again. If I re-enable the firewall and IPv6 in the GUI again I’m in the same state as stated before.

Might those be cached entries? Flush your browser cache to find out. Otherwise, please set logging to debug in Qomui and post the full log. Also it would be helpful if you share the output of the following commands (this will show the active iptables rules and Qomui's current configuration):

sudo iptables -S
sudo ip6tables -S
cat /usr/share/qomui/config.json

If you have any other active firewall service it might interfere with Qomui.

I don't know what could cause the issues, but the only reason I could think of is that the service calls the CLI application, which gives me D-Bus permission errors when I’m trying to enable the firewall or disable IPv6.

By design the service calls neither the gui nor the cli. It's the other way around. Can you specify which D-BUS errors you are getting? This shouldn't be the case.

corrad1nho avatar Feb 07 '19 18:02 corrad1nho

Don't disable ipv6 unless you have a very good reason to do so. The firewall will take care of ipv6 leaks if that's what concerns you

For me it still leaks my IPv6 via WebRTC if I haven’t disabled IPv6, but this could be just for me.

Furthermore, don't launch the gui with sudo: This is neither necessary nor recommended. The only time you'll be asked to authenticate as sudo/root via the gui is when you change the options. This is to prevent a user with normal privileges from changing the network security settings.

This is actually not really possible for me, because every time I try to change the config without starting it with sudo I’m getting this error (I’m sure that the password I’ve entered is correct):

==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/python' as the super user
Authenticating as: username
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

Might those be cached entries? Flush your browser cache to find out.

I’ve also thought about it, but I’m always using the private/incognito mode for everything and I’ve tested it in Firefox and with a fresh installation of Brave and Chromium.

Here are the outputs of the commands after startup:

sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j DROP

sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

And here after reapplying the firewall rule with sudo in the GUI:

sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j DROP

sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Even though they are the same, I’m able to bypass the firewall (more or less) after startup but not after reapplying the rules in the GUI.

After seeing the output of sudo ip6tables -S I thought that I might be able to get a connection with IPv6 but not with IPv4. That would mean that the "working" sites support IPv6 while the others don’t.

And here is my config:

cat /usr/share/qomui/config.json 
{"alt_dns1": "208.67.222.222", "alt_dns2": "208.67.220.220", "firewall": 1, "autoconnect": 0, "minimize": 0, "ipv6_disable": 1, "alt_dns": 0, "bypass": 0, "ping": 0, "auto_update": 0, "block_lan": 0, "preserve_rules": 0, "fw_gui_only": 0, "log_level": "Info", "PIA_last": "2019-02-07 **:**:**.******"}

By design the service calls neither the gui nor the cli. It's the other way around. Can you specify which D-BUS errors you are getting? This shouldn't be the case.

I am getting these errors trying to disable IPv6 or enable the firewall (I get the same errors if I’m running it as a normal user):

sudo qomui-cli -e ipv6_disable
Configuration successfully changed
ERROR:dbus.connection:Unable to set arguments () according to signature 'i': <class 'TypeError'>: More items found in D-Bus signature than in Python arguments
Traceback (most recent call last):
  File "/usr/bin/qomui-cli", line 11, in <module>
    load_entry_point('qomui==0.8.2', 'console_scripts', 'qomui-cli')()
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 438, in main
    ex = QomuiCli(args=args)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 52, in __init__
    self.arguments(self.args)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 137, in arguments
    update_conf = self.applyoptions(config)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 378, in applyoptions
    self.qomui_service.load_firewall()
  File "/usr/lib/python3.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python3.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python3.7/site-packages/dbus/connection.py", line 641, in call_blocking
    message.append(signature=signature, *args)
TypeError: More items found in D-Bus signature than in Python arguments
sudo qomui-cli -e firewall
Configuration successfully changed
ERROR:dbus.connection:Unable to set arguments () according to signature 'i': <class 'TypeError'>: More items found in D-Bus signature than in Python arguments
Traceback (most recent call last):
  File "/usr/bin/qomui-cli", line 11, in <module>
    load_entry_point('qomui==0.8.2', 'console_scripts', 'qomui-cli')()
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 438, in main
    ex = QomuiCli(args=args)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 52, in __init__
    self.arguments(self.args)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 137, in arguments
    update_conf = self.applyoptions(config)
  File "/usr/lib/python3.7/site-packages/qomui/qomui_cli.py", line 378, in applyoptions
    self.qomui_service.load_firewall()
  File "/usr/lib/python3.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python3.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python3.7/site-packages/dbus/connection.py", line 641, in call_blocking
    message.append(signature=signature, *args)
TypeError: More items found in D-Bus signature than in Python arguments

I was quite sure that I got some kind of permission errors, but I probably just got it wrong.

ShittyGuy avatar Feb 07 '19 20:02 ShittyGuy

This is actually not really possible for me, because every time I try to change the config without starting it with sudo I’m getting this error (I’m sure that the password I’ve entered is correct):

==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/python' as the super user
Authenticating as: username
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

Second one with this issue (see discussion in #66). Are you also using Arch/i3 or another DE? Is any graphical polkit agent installed on your system?

sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

This is bad! No ip6table rules are applied at all, so the firewall doesn't block ipv6 at all. Is "Disable ipv6" checked or unchecked? Your config suggests that it is disabled but apparently this didn't work and the ipv6 stack is still enabled.

I am getting these errors trying to disable IPv6 or enable the firewall (I get the same errors if I’m running it as a normal user):

qomui-cli seems to be broken with the latest release, unfortunately. That's why you are getting these errors. Nothing to do with the issues above. I'll address it in the next update.

corrad1nho avatar Feb 07 '19 20:02 corrad1nho
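The leak condition the maintainer describes above (no ip6tables rules at all while the IPv6 stack is still enabled) and the intended ICMP-echo allowance from the earlier reply can both be checked mechanically from the same `iptables -S` / `ip6tables -S` dumps this thread asks for. The following audit script is an added example written for this thread, not code from the Qomui project; it embeds the ip6tables output posted above and an abridged copy of the iptables output as constructed sample input, and it treats `/proc/sys/net/ipv6/conf/all/disable_ipv6` as the indicator of whether the IPv6 stack is disabled (that sysctl is a kernel interface, not a Qomui setting). The `live_dumps` helper, which needs root, is the only part that touches the running system and is not used by the sample run.

```python
# Added example (not part of the qomui project): audit iptables/ip6tables rule
# dumps for the IPv6 leak pattern discussed in this issue.
from typing import Dict, List, Tuple

# Constructed sample input: the ip6tables output posted in the thread after a reboot.
IP6TABLES_AFTER_REBOOT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample input: an abridged copy of the iptables output posted in the thread.
IPTABLES_SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j DROP
"""


def parse_dump(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split `iptables -S` style output into {chain: policy} and a list of -A rules."""
    policies: Dict[str, str] = {}
    rules: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts and parts[0] == "-A":
            rules.append(line.strip())
    return policies, rules


def ipv6_stack_disabled(sysctl_value: str) -> bool:
    """Interpret the content of /proc/sys/net/ipv6/conf/all/disable_ipv6 ("1" = disabled)."""
    return sysctl_value.strip() == "1"


def audit(v4_dump: str, v6_dump: str, stack_disabled: bool) -> List[str]:
    """Return findings; a finding starting with IPV6-LEAK means IPv6 traffic is unfiltered."""
    findings: List[str] = []
    v4_pol, v4_rules = parse_dump(v4_dump)
    v6_pol, v6_rules = parse_dump(v6_dump)

    # IPv4: every built-in chain should default to DROP for a kill-switch firewall.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if v4_pol.get(chain) != "DROP":
            findings.append(f"IPV4-OPEN: chain {chain} policy is {v4_pol.get(chain, 'missing')}")

    # Outgoing echo-request accepted: ping works, which the maintainer says is the default.
    if any(r.startswith("-A OUTPUT") and "--icmp-type 8" in r and "-j ACCEPT" in r
           for r in v4_rules):
        findings.append("INFO: outgoing ICMP echo-request is accepted (ping works by design)")

    # IPv6: no rules and ACCEPT policies is harmless only if the stack itself is disabled.
    v6_open = (not v6_rules and
               all(v6_pol.get(c, "ACCEPT") == "ACCEPT" for c in ("INPUT", "FORWARD", "OUTPUT")))
    if v6_open and not stack_disabled:
        findings.append("IPV6-LEAK: ipv6 stack enabled and ip6tables has no rules or DROP policy")
    elif v6_open and stack_disabled:
        findings.append("OK: ipv6 stack disabled; an empty ip6tables is expected in that state")
    return findings


def live_dumps() -> Tuple[str, str, bool]:
    """Collect the same three inputs from the running host (requires root); not used below."""
    import subprocess
    v4 = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True).stdout
    v6 = subprocess.run(["ip6tables", "-S"], capture_output=True, text=True, check=True).stdout
    with open("/proc/sys/net/ipv6/conf/all/disable_ipv6") as fh:
        disabled = ipv6_stack_disabled(fh.read())
    return v4, v6, disabled


if __name__ == "__main__":
    # Replay the two states from the thread: stack still enabled after reboot vs. disabled.
    for label, disabled in (("after reboot", False), ("after GUI reapply", True)):
        print(f"== {label} ==")
        for f in audit(IPTABLES_SAMPLE, IP6TABLES_AFTER_REBOOT, disabled):
            print("  " + f)
```

Run against the thread's own dumps, the "after reboot" case reports an IPV6-LEAK finding while the "after GUI reapply" case reports OK, which is exactly the difference the reporter observed even though both ip6tables dumps look identical; the discriminating input is the sysctl, not the rule set.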

Are you also using Arch/i3 or another DE? Is any graphical polkit agent installed on your system?

I'm on Arch with i3 and I installed a graphical polkit agent and it seems to work.

This is bad! No ip6table rules are applied at all, so the firewall doesn't block ipv6 at all. Is "Disable ipv6" checked or unchecked? Your config suggests that it is disabled but apparently this didn't work and the ipv6 stack is still enabled.

Yes, IPv6 is disabled. After a reboot my ip6tables is empty, but if I open the GUI and change something about the IPv6 settings (like enabling it) and then save the config, the IPv6 rules get applied. If I disable IPv6 again after that, they seem to stay.

ShittyGuy avatar Feb 07 '19 21:02 ShittyGuy

I'm on Arch with i3 and I installed a graphical polkit agent and it seems to work.

Config changes via the gui, too?

Yes, IPv6 is disabled. After a reboot my ip6tables is empty, but if I open the GUI and change something about the IPv6 settings (like enabling it) and then save the config, the IPv6 rules get applied. If I disable IPv6 again after that, they seem to stay.

If ipv6 is disabled no firewall rules will be set for ipv6, so this is normal. They won't be flushed either after disabling ipv6. But it seems that ipv6 is not properly disabled after a reboot even though qomui-service is active and that is causing leaks. Correct?

corrad1nho avatar Feb 07 '19 22:02 corrad1nho

Config changes via the gui, too?

Yes, everything seems to work fine.

If ipv6 is disabled no firewall rules will be set for ipv6, so this is normal. They won't be flushed either after disabling ipv6. But it seems that ipv6 is not properly disabled after a reboot even though qomui-service is active and that is causing leaks. Correct?

Qomui-service is enabled and these are the different states I’m getting:

IPv6 disabled and firewall enabled: After a reboot ip6tables is empty and I can visit the websites that support IPv6. IPLeak shows that the IPv4 check times out and I’m seeing my IPv6 and it gets leaked through WebRTC. After reapplying the rules in the GUI, ip6tables is still empty, but I’m not able to connect to websites like IPLeak etc. If I connect to a VPN I’m not getting any IPv6 leaks and it seems to work as it should.

IPv6 enabled and firewall disabled: After a reboot ip6tables has rules in it and I can’t connect to websites like IPLeak etc. If a VPN connection is established everything works as it should and my IPv6 leaks through WebRTC. If I reapply the settings in the GUI I’m still getting the same results.

ShittyGuy avatar Feb 08 '19 12:02 ShittyGuy