Following Whonix instructions I set up a firewall on my Ubuntu host by just enabling gufw in its default configuration: deny incoming, allow outgoing. Simple enough. Today I issued the command sudo iptables -L to have a manual look at my firewall rules; this is the output for the chain INPUT:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 255.255.255.255 anywhere
ACCEPT all -- 192.168.0.0/16 192.168.0.0/16
ACCEPT all -- 10.0.0.0/8 10.0.0.0/8
ACCEPT all -- 172.16.0.0/12 172.16.0.0/12
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
As you can see the default policy is DROP, which is good and as expected from setting ufw’s default (deny incoming). But then look at the rules for INPUT. As I understand it, the rules go from specific to general. So if the default is to drop input, you put some specific rules in place to allow the incoming traffic you do want. Now what is the first “specific” rule on input:
ACCEPT all -- anywhere anywhere
meaning: yes, accept all traffic coming from anywhere going to anywhere and do so for all protocols. So while my ufw policy is dead simple: drop all incoming traffic, that policy is defeated by the very first rule that comes before that: allow everything incoming.
I asked the same question on https://askubuntu.com/questions/1206557/dont-understand-my-firewall-settings. Thus far I got this comment: “A default install of Ubuntu Desktop has no exploitable open ports”. I thought “default install”, and I was thinking of my VPN connection and my Whonix guest system. I issued the command sudo netstat -lntup, which gave me this output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1219/tor
tcp 0 0 127.0.0.1:3100 0.0.0.0:* LISTEN 5283/openvpn
tcp 0 0 127.0.0.1:42685 0.0.0.0:* LISTEN 3194/mono
tcp 0 0 10.0.2.2:53 0.0.0.0:* LISTEN 1721/dnsmasq
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1484/dnsmasq
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1138/systemd-resolv
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 6357/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 6357/cupsd
udp 0 0 10.0.2.2:53 0.0.0.0:* 1721/dnsmasq
udp 0 0 192.168.122.1:53 0.0.0.0:* 1484/dnsmasq
udp 0 0 127.0.0.53:53 0.0.0.0:* 1138/systemd-resolv
udp 0 0 0.0.0.0:67 0.0.0.0:* 1484/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 1142/dhclient
udp 0 0 0.0.0.0:631 0.0.0.0:* 6358/cups-browsed
udp 0 0 0.0.0.0:41794 0.0.0.0:* 820/avahi-daemon: r
udp 0 0 0.0.0.0:58320 0.0.0.0:* 5283/openvpn
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6741/chrome --type=
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6741/chrome --type=
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6703/chrome
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6703/chrome
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6741/chrome --type=
udp 0 0 0.0.0.0:5353 0.0.0.0:* 820/avahi-daemon: r
udp6 0 0 :::50178 :::* 820/avahi-daemon: r
udp6 0 0 :::5353 :::* 820/avahi-daemon: r
Now the first listening process is tor, the second openvpn. And we have dnsmasq and cups. Now first off, I don’t understand the Whonix instruction to deny all incoming if we have a tor process listening (if that tor process comes from Whonix). Second: is there a relation between these listeners and my firewall rules? But still, the first rule, ‘accept all anywhere’, would be too broadly defined.
I did a fresh install of Ubuntu just a couple of weeks back, and I never played with my firewall settings (except by enabling gufw in its default config), as I never understood much of networking.
Can you shed some light here?
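An added audit helper, not part of the question above: iptables -L without -v hides interface matches such as -i lo, so a loopback-only rule prints as "ACCEPT all -- anywhere anywhere" and looks unrestricted. The script below reads the rule-specification form (iptables -S) instead and flags only ACCEPT rules that carry no match criteria at all; the sample rule set is constructed for illustration, not the poster's real configuration.

```shell
#!/bin/sh
# Constructed sample in `iptables -S INPUT` format (not the poster's real rules).
# Line 2 is restricted to the loopback interface, but `iptables -L` without -v
# would print it as "ACCEPT all -- anywhere anywhere", just like line 6.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j DROP'

# Print every ACCEPT rule in CHAIN that has no match criteria (no interface,
# address, protocol or state restriction). Such a rule accepts everything that
# reaches it, so every later rule and the chain policy become irrelevant.
# Usage: find_unrestricted_accepts CHAIN "$(sudo iptables -S CHAIN)"
find_unrestricted_accepts() {
    chain=$1
    rules=$2
    printf '%s\n' "$rules" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && $(NF-1) == "-j" && $NF == "ACCEPT" {
            # "-A CHAIN" and "-j ACCEPT" account for four fields; anything
            # beyond that is a match criterion, so the rule is restricted.
            if (NF == 4) print NR ": " $0
        }'
}

# Number of such rules, for a quick pass/fail check (0 means none found).
count_unrestricted_accepts() {
    find_unrestricted_accepts "$1" "$2" | wc -l | tr -d ' '
}

find_unrestricted_accepts INPUT "$SAMPLE_RULES"
```

Run it against the live ruleset with `sudo iptables -S INPUT`; `iptables -L -v -n` shows the same interface and counter details in table form.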