ufw eating SRV records

Asked by Shirish Agarwal

Binary package hint: ufw

Hi all,
  I have ufw. I have been trying to use pidgin while enabling ufw. I have an account on gmail/xmpp which I have not been able to connect with whenever ufw is enabled.

This is the status of ufw status verbose

shirish@Mugglewille:~$ sudo ufw status verbose
Status: loaded
Logging: on
Default: deny
New profiles: skip

To Action From
-- ------ ----
80/tcp ALLOW Anywhere
80/udp ALLOW Anywhere
48888/tcp ALLOW Anywhere
48888/udp ALLOW Anywhere
5050/tcp ALLOW Anywhere
5050/udp ALLOW Anywhere
6667/tcp ALLOW Anywhere
6667/udp ALLOW Anywhere
5222/tcp ALLOW Anywhere
5222/udp ALLOW Anywhere
5223/tcp ALLOW Anywhere

Attaching a conversation which I had on the #pidgin channel on freenode to troubleshoot the issue.

Please lemme know if any more testing needs to be done.

Question information

Language: English
Status: Answered
For: Ubuntu ufw
Assignee: No assignee

This question was originally filed as bug #277952.

Shirish Agarwal (shirishag75) said :
#1
Jamie Strandboge (jdstrand) said :
#2

Thank you for reporting the bug and helping to make Ubuntu even better. While it seems clear that your firewall is blocking your packets, it is a problem with your firewall policy, and not ufw, the tool to help you implement the policy. This bug is being converted into a question. It sounds like you may need a separate connection tracking module for gmail/xmpp, or simply to accept packets from gmail's xmpp server.

Shirish Agarwal (shirishag75) said :
#3

Hi all,
I don't know what you mean by

"It sounds like you may need a separate connection tracking module for gmail/xmpp, or simply to accept packets from gmail's xmpp server."

Could you be more simplistic or give a straight answer as to where I'm going wrong? Shouldn't just opening port 5222 and port 5223 have been enough?

Also, what is a 'connection tracking module'? How or where do I find it?

Shirish Agarwal (shirishag75) said :
#4

Jamie, there were some updates yesterday. What it has done is now I'm able to talk and view gmail/xmpp contacts but not IRC.

For IRC and other networks it gives a "Waiting for a network connection" status

A workaround I got and which works is first close down pidgin.

Then do a sudo /etc/init.d/Networkmanager stop

Then you get both gmail/jabber/xmpp as well as IRC in one go :)

Jamie Strandboge (jdstrand) said :
#5

Some protocols cannot be handled with simple packet filtering and need help via a kernel module that knows about the protocol. The classic example is ftp.

That said, xmpp should not require this normally, as I use ufw and pidgin and jabber without issue. However, I do not use gmail or SRV. Basically what I am getting at is I am not familiar enough with the protocol to say that gmail/pidgin does not require a connection tracking module which may or may not exist.

ufw does work fine with IRC and dhcp, and your latest comment suggests you are having network problems unrelated to ufw.

I did give advice which, assuming your network is working, you can use to make sure that gmail works:
"simply to accept packets from gmail's xmpp server"

Something like:
$ sudo ufw allow from <ip address of gmail server>

If gmail has multiple IP addresses, you'll need to use the above rule on each.
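
Added example, not part of the original thread: a dry-run sketch of the "one rule per address" advice in reply #5, which prints the `ufw allow from` lines instead of running them. It assumes the SRV and address lookups were saved in `dig +short` style; the hostnames, the 192.0.2.x addresses and the function names are constructed or hypothetical.

```shell
#!/bin/sh
# Added example: print one "ufw allow from <ip>" line per server address.
# All data below is constructed; 192.0.2.0/24 is a documentation range.

# Constructed, shaped like: dig +short SRV _xmpp-client._tcp.example.org
# Fields: priority weight port target
SAMPLE_SRV='20 0 5222 alt1.xmpp.example.org.
5 0 5222 xmpp.example.org.
20 0 5222 alt2.xmpp.example.org.'

# Constructed "target address" pairs, as collected from A lookups per target
SAMPLE_ADDRS='xmpp.example.org. 192.0.2.10
alt1.xmpp.example.org. 192.0.2.11
alt2.xmpp.example.org. 192.0.2.11
alt2.xmpp.example.org. not-an-address'

# srv_targets SRV: print SRV targets, lowest priority value first.
srv_targets() {
    printf '%s\n' "$1" | sort -n -k1,1 | awk 'NF == 4 { print $4 }'
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ufw_rules SRV ADDRS: one rule per unique, valid address, in SRV order.
# Nothing is executed here; the output is meant to be reviewed first.
ufw_rules() {
    seen=' '
    for target in $(srv_targets "$1"); do
        for ip in $(printf '%s\n' "$2" | awk -v t="$target" '$1 == t { print $2 }'); do
            is_ipv4 "$ip" || continue                       # drop malformed entries
            case "$seen" in *" $ip "*) continue ;; esac   # drop duplicates
            seen="$seen$ip "
            echo "ufw allow from $ip"
        done
    done
}

ufw_rules "$SAMPLE_SRV" "$SAMPLE_ADDRS"
```

Each emitted rule admits all traffic from that address on every port, so check the list before running any line with sudo.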
