this post was submitted on 09 Sep 2025
19 points (95.2% liked)


Hi all—as title suggests I'm experiencing a compatibility issue between UFW and my VPN (Windscribe if it matters). My UFW defaults are set to deny incoming, allow outgoing, and routed disabled, with no exception rules configured. When I enable Windscribe (I use OpenVPN UDP on port 80 if that matters) while UFW is active, Windscribe reports a network configuration error and requests sending debug logs; ignoring the error still allows the VPN to function, but I observe IPv6 and DNS leaks. Disabling UFW removes the error and the leaks. What UFW configuration is causing this behavior, and which specific rules should I add to prevent IPv6 and DNS leaks while keeping UFW enabled?

[–] aprehendedmerlin@lemmy.dbzer0.com 1 points 1 week ago (1 children)

OK, thank you for your time. Here is the output of ip6tables -L:

Chain INPUT (policy DROP) target prot opt source destination
ufw6-before-logging-input all -- anywhere anywhere
ufw6-before-input all -- anywhere anywhere
ufw6-after-input all -- anywhere anywhere
ufw6-after-logging-input all -- anywhere anywhere
ufw6-reject-input all -- anywhere anywhere
ufw6-track-input all -- anywhere anywhere
windscribe_input all -- anywhere anywhere /* Windscribe client rule */
Chain FORWARD (policy DROP) target prot opt source destination
ufw6-before-logging-forward all -- anywhere anywhere
ufw6-before-forward all -- anywhere anywhere
ufw6-after-forward all -- anywhere anywhere
ufw6-after-logging-forward all -- anywhere anywhere
ufw6-reject-forward all -- anywhere anywhere
ufw6-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination
ufw6-before-logging-output all -- anywhere anywhere
ufw6-before-output all -- anywhere anywhere
ufw6-after-output all -- anywhere anywhere
ufw6-after-logging-output all -- anywhere anywhere
ufw6-reject-output all -- anywhere anywhere
ufw6-track-output all -- anywhere anywhere
windscribe_output all -- anywhere anywhere /* Windscribe client rule */
Chain ufw6-after-forward (1 references) target prot opt source destination
Chain ufw6-after-input (1 references) target prot opt source destination
ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw6-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw6-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:dhcpv6-client
ufw6-skip-to-policy-input udp -- anywhere anywhere udp dpt:dhcpv6-server
Chain ufw6-after-logging-forward (1 references) target prot opt source destination
Chain ufw6-after-logging-input (1 references) target prot opt source destination
Chain ufw6-after-logging-output (1 references) target prot opt source destination
Chain ufw6-after-output (1 references) target prot opt source destination
Chain ufw6-before-forward (1 references) target prot opt source destination
DROP all -- anywhere anywhere rt type:0
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-reply
ufw6-user-forward all -- anywhere anywhere
Chain ufw6-before-input (1 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere rt type:0
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-reply
ufw6-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 141 HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 142 HL match HL == 255
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-query
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-report
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-done
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 143
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 148 HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 149 HL match HL == 255
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 144
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 145
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 146
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 147
ACCEPT udp -- fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT udp -- anywhere ff02::fb udp dpt:mdns
ACCEPT udp -- anywhere ff02::f udp dpt:1900
ufw6-user-input all -- anywhere anywhere
Chain ufw6-before-logging-forward (1 references) target prot opt source destination
Chain ufw6-before-logging-input (1 references) target prot opt source destination
Chain ufw6-before-logging-output (1 references) target prot opt source destination
Chain ufw6-before-output (1 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere rt type:0
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp echo-reply
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 141 HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 142 HL match HL == 255
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-query
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-report
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmp mld-listener-done
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 143
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 148 HL match HL == 255
ACCEPT ipv6-icmp -- anywhere anywhere ipv6-icmptype 149 HL match HL == 255
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1
ACCEPT ipv6-icmp -- fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1
ufw6-user-output all -- anywhere anywhere
Chain ufw6-logging-allow (0 references) target prot opt source destination
Chain ufw6-logging-deny (1 references) target prot opt source destination
Chain ufw6-reject-forward (1 references) target prot opt source destination
Chain ufw6-reject-input (1 references) target prot opt source destination
Chain ufw6-reject-output (1 references) target prot opt source destination
Chain ufw6-skip-to-policy-forward (0 references) target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw6-skip-to-policy-input (6 references) target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw6-skip-to-policy-output (0 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw6-track-forward (1 references) target prot opt source destination
Chain ufw6-track-input (1 references) target prot opt source destination
Chain ufw6-track-output (1 references) target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw6-user-forward (1 references) target prot opt source destination
Chain ufw6-user-input (1 references) target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:22000 /* 'dapp_syncthing' */
ACCEPT udp -- anywhere anywhere udp dpt:22000 /* 'dapp_syncthing' */
ACCEPT udp -- anywhere anywhere udp dpt:21027 /* 'dapp_syncthing' */
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:10387
ACCEPT udp -- anywhere anywhere udp dpt:10387
Chain ufw6-user-limit (0 references) target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references) target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw6-user-logging-forward (0 references) target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw6-user-logging-input (0 references) target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw6-user-logging-output (0 references) target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw6-user-output (1 references) target prot opt source destination
Chain windscribe_input (1 references) target prot opt source destination
ACCEPT all -- ip6-localhost anywhere /* Windscribe client rule */
DROP all -- anywhere anywhere /* Windscribe client rule */
Chain windscribe_output (1 references) target prot opt source destination
ACCEPT all -- anywhere ip6-localhost /* Windscribe client rule */
DROP all -- anywhere anywhere /* Windscribe client rule */
[–] drspod@lemmy.ml 1 points 1 week ago (1 children)

Sorry to be a doofus, but could you paste the output of iptables-save and ip6tables-save instead? The default iptables output actually just leaves out important information like which interface the rule applies to.

I think the best thing to do would be to see if you can get support from Windscribe and find out whether it's a known issue or a bug that needs fixing.

I did; they said it's just how their app is made and I should disable ufw.
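
On the point above that plain `-L` output hides the interface a rule applies to: the following is an added example, not code from the thread, UFW or Windscribe. It parses `ip6tables-save` text and separates rules that only look like "all -- anywhere anywhere" from rules that really match every packet. The sample ruleset is constructed, and its interface and address matches are assumptions.

```python
import shlex

# Constructed ip6tables-save excerpt, not the poster's ruleset. Chain names follow
# the listing in the thread; the interface and address matches are assumptions.
SAMPLE = """\
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A windscribe_input -s ::1/128 -m comment --comment "Windscribe client rule" -j ACCEPT
-A windscribe_input -m comment --comment "Windscribe client rule" -j DROP
"""

FLAGS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
         "-p": "proto", "-j": "target"}

def parse_rules(save_text):
    """Return one dict per '-A' line of iptables-save / ip6tables-save output."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue                  # table names, chain policies, COMMIT
        tok = shlex.split(line)       # quoted --comment text stays one token
        rule, i, neg = {"chain": tok[1], "matches": [], "raw": line}, 2, ""
        while i < len(tok) - 1:
            if tok[i] == "!":
                neg = "!"             # negation applies to the next flag
            elif tok[i] in FLAGS:
                rule[FLAGS[tok[i]]] = neg + tok[i + 1]
                i, neg = i + 1, ""
            elif tok[i] == "-m":
                if tok[i + 1] != "comment":   # comments are not conditions
                    rule["matches"].append(tok[i + 1])
                i += 1
            i += 1
        rules.append(rule)
    return rules

def classify(rules):
    """(interface-bound, true catch-all) among rules plain -L prints as match-all."""
    bound, catch_all = [], []
    for r in rules:
        if r["matches"] or r.keys() & {"src", "dst", "proto"}:
            continue                  # -L already shows a visible condition
        if r.keys() & {"in_if", "out_if"}:
            bound.append(r)
        elif r.get("target") in ("ACCEPT", "DROP", "REJECT"):
            catch_all.append(r)
    return bound, catch_all

bound, catch_all = classify(parse_rules(SAMPLE))
print("interface-bound:", [r["raw"] for r in bound], "| catch-all:", [r["raw"] for r in catch_all])
```

To check a real ruleset, pass the saved text of `ip6tables-save` (or `iptables-save`) to `parse_rules` in place of `SAMPLE`.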