gustavo-iniguez-goya / opensnitch

OpenSnitch is a GNU/Linux application firewall
GNU General Public License v3.0

Issues with UFW (Uncomplicated FireWall) #51

Closed tuqueque closed 4 years ago

tuqueque commented 4 years ago

Hi... First of all, let me say that I'm not an expert on firewalls or these types of things by any means, so bear with me if I say something stupid.

A few years ago I started doing some tests with UFW on my Manjaro system and noticed that every time I rebooted my system, the rules I set with UFW got lost/overwritten somehow. After doing some googling, somewhere I saw the recommendation of disabling the iptables services ("sudo systemctl disable iptables" and "sudo systemctl disable ip6tables") so UFW could work without being overruled... and indeed that solved the problem! I've been using that very same Manjaro install for several years now.

Today I'm trying OpenSnitch and I see that my Internet connectivity stops when I start the opensnitchd service. Initially, I thought it was some conflict with dnscrypt-proxy, which I'm also running on my system, but after doing some more testing, it seems that OpenSnitch apparently expects iptables to be running/enabled.

When I run "systemctl status opensnitchd", I get:

```
       Docs: https://github.com/gustavo-iniguez-goya/opensnitch/wiki
    Process: 133739 ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules (code=exited, status=0/SUCCESS)
   Main PID: 133740 (opensnitchd)
      Tasks: 12 (limit: 9527)
     Memory: 39.9M
     CGroup: /system.slice/opensnitchd.service
             └─133740 /usr/bin/opensnitchd -log-file /var/log/opensnitchd.log -rules-path /etc/opensnitchd/rules -ui-socket unix:///tmp/osui.sock

jul 27 20:53:42 rob systemd[1]: Starting OpenSnitch is a GNU/Linux port of the Little Snitch application firewall....
jul 27 20:53:42 rob systemd[1]: Started OpenSnitch is a GNU/Linux port of the Little Snitch application firewall..
jul 27 20:53:42 rob opensnitchd[133740]: ERROR: path=/usr/bin/iptables args=[-D INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: No chain/target/match by that name.
jul 27 20:53:42 rob opensnitchd[133740]: '
jul 27 20:53:42 rob opensnitchd[133740]: ERROR: path=/usr/bin/iptables args=[-D OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass] err=exit status 1 out='iptables: No chain/target/match by that name.
jul 27 20:53:42 rob opensnitchd[133740]: '
jul 27 20:53:42 rob opensnitchd[133740]: ERROR: path=/usr/bin/iptables args=[-D OUTPUT -m mark --mark 101285 -j DROP] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
jul 27 20:53:42 rob opensnitchd[133740]: '
```

If my newbie assumptions are correct, is there a way for OpenSnitch to work with UFW instead of iptables? I would really like to keep using UFW on my system.

gustavo-iniguez-goya commented 4 years ago

hey tuqueque! thank you for reporting it. I'm also using ufw with no problems so far. ufw is just a front-end for iptables, so it might be another problem.

First things first, have you tried to disable ufw and see if opensnitch works?

On the other hand, could you post the output of the following commands while Internet connectivity stops working?

```
uname -r
dmesg | grep -A 15 "Call Trace"
iptables -t mangle -L OUTPUT
iptables -C OUTPUT -m mark --mark 0x18ba5 -j DROP
iptables -C INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
```

There has been a bug on recent kernels + hardening parameters that caused opensnitch to stop working, so it could also be that. More info in the wiki.

Also, uncheck the "play" button so the status changes to "Status: running/disabled". That will disable the interception: [screenshot]

Lastly, I don't know what default action you have configured, but set it to Allow, and check the connectivity again. [screenshot]

Ph0rk0z commented 4 years ago

Weird, I've been running UFW along with OS this whole time. I never set any rules, just had it block incoming connections. The error messages look familiar and I didn't know they would erase UFW rules.

gustavo-iniguez-goya commented 4 years ago

If you refer to these errors when starting up the daemon:

```
jul 27 20:53:42 rob opensnitchd[133740]: ERROR: path=/usr/bin/iptables args=[-D OUTPUT -m mark --mark 101285 -j DROP] err=exit status 1 out='iptables: Bad rule (does a matching rule exist in that chain?).
```

They do not delete existing rules. We only erase the rules we add; there's no way to delete other rules by error (unless there's already a rule with exactly the same parameters).
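The two points above (the `iptables -C` checks the maintainer asks for, and the fact that a `-D` with an exact rule spec can only ever remove that one rule) can be seen together in the following script. It is an added example, not opensnitch's own code. The three rule specs are reconstructed from the `-D` error lines in the log; the mark `101285` in the log is the decimal form of the `0x18ba5` in the maintainer's check command. `IPTABLES` can be pointed at a wrapper or a shell function for a dry run; by default it calls the real `iptables`, which needs root.

```shell
#!/bin/sh
# Added example; not opensnitch's own code. Reports and idempotently removes
# the three iptables rules opensnitchd installs, as reconstructed from the -D
# error lines in the issue. `iptables -C` tests for a rule before `-D`, so a
# rule that is not there is reported as "absent" instead of as an error.
IPTABLES="${IPTABLES:-iptables}"

# Packet mark from the log: decimal 101285 == 0x18ba5 in the maintainer's -C.
OPENSNITCH_MARK=101285

# rule_state <table> <chain> <rule spec...>
# Prints "present", "absent" or "error" and returns 0, 1 or 2.
# iptables -C exits 0 when the rule exists, 1 when the rule or its chain does
# not ("Bad rule" / "No chain/target/match"), 2 for a malformed command line.
rule_state() {
    table=$1; chain=$2; shift 2
    rc=0
    "$IPTABLES" -t "$table" -C "$chain" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo present; return 0 ;;
        1) echo absent;  return 1 ;;
        *) echo error;   return 2 ;;
    esac
}

# delete_if_present <table> <chain> <rule spec...>
# Deletes one matching rule only when -C confirms it exists. Because -D takes
# the full rule spec, other rules in the chain (e.g. ufw's) are never touched.
# Prints "deleted", "absent" or "error"; returns 2 only on error.
delete_if_present() {
    table=$1; chain=$2; shift 2
    state=$(rule_state "$table" "$chain" "$@") || true
    case $state in
        present)
            if "$IPTABLES" -t "$table" -D "$chain" "$@"; then
                echo deleted
            else
                echo error; return 2
            fi ;;
        absent) echo absent ;;
        *)      echo error; return 2 ;;
    esac
}

# for_each_opensnitch_rule <function>
# Calls <function> <table> <chain> <rule spec...> once per opensnitchd rule.
for_each_opensnitch_rule() {
    fn=$1
    "$fn" filter INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
    "$fn" mangle OUTPUT -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass
    "$fn" filter OUTPUT -m mark --mark "$OPENSNITCH_MARK" -j DROP
}

# Per-rule reporters; human-readable lines go to stderr so that stdout can
# carry a machine-readable result.
_report_state() {
    state=$(rule_state "$@") || true
    spec=$(shift 2; echo "$*")
    echo "$1 $2 [$spec]: $state" >&2
    if [ "$state" = present ]; then PRESENT=$((PRESENT + 1)); fi
}
_report_delete() {
    result=$(delete_if_present "$@") || true
    spec=$(shift 2; echo "$*")
    echo "$1 $2 [$spec]: $result" >&2
}

# count_present_opensnitch_rules: one state line per rule on stderr, the
# number of rules currently installed on stdout.
count_present_opensnitch_rules() {
    PRESENT=0
    for_each_opensnitch_rule _report_state
    echo "$PRESENT"
}

# cleanup_opensnitch_rules: remove exactly the opensnitchd rules, if present.
cleanup_opensnitch_rules() {
    for_each_opensnitch_rule _report_delete
}

case "${1:-}" in
    --status)  n=$(count_present_opensnitch_rules); echo "present=$n" ;;
    --cleanup) cleanup_opensnitch_rules ;;
esac
```

Run it as `sudo sh check-opensnitch-rules.sh --status` while the daemon is up to see which of its rules are in place (the equivalent of the `-C` commands above), or `--cleanup` after stopping it to remove only those rules; a rule that is already gone prints `absent`, which is the same situation the `-D` error lines in the log describe.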

Ph0rk0z commented 4 years ago

Even better then, if it's just complaining about ufw-created rules.

tuqueque commented 4 years ago

Hey, I'm so sorry for taking this long to give feedback... It's been a hectic month of work... Anyway...

Today I tested OpenSnitch and it's working flawlessly!... I think it had to do with me now using a newer kernel (5.8 RC5 for Manjaro)... Before, I was using 5.6 and maybe that's the one that caused OpenSnitch to not work properly.

Anyway, thank you very much for maintaining this fantastic program!