Diffstat (limited to 'meta-networking')
168 files changed, 29194 insertions, 337 deletions
diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb index d4a62bd92d..4cb85f8151 100644 --- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb +++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb @@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel" HOMEPAGE = "https://github.com/mguentner/cannelloni" LICENSE = "GPLv2" -SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \ +SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \ file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \ file://0002-include-missing-stdexcept-for-runtime_error.patch \ " diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb index 2820f9fa6d..e9c2056180 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88" SRCREV = "4b440a339979852d5a51fb11a822952712231c23" PV = "1.12+git${SRCPV}" -SRC_URI = "git://github.com/civetweb/civetweb.git \ +SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ " diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb index 90051a319a..f856655904 100644 --- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb +++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb 
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3" SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525" -SRC_URI = "git://github.com/tomaszmrugalski/dibbler \ +SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \ file://dibbler_fix_getSize_crash.patch \ file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \ " diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb index 2c39c4c443..1ea0cb16d3 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb @@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+" LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" -SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \ +SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ file://freeradius-enble-user-in-conf.patch \ diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb index 5b27cfe155..c1a8146119 100644 --- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb +++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9" -SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1" +SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https" SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904" UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)" 
diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb index 8444f0b739..66a7aaa6b2 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755" SECTION = "libs/networking" -SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https" +SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master" SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb index 77be27ffaa..6d035f4039 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb @@ -8,7 +8,7 @@ SECTION = "libs/networking" SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb index 9f123c70fb..d91fc752e2 100644 --- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb +++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb @@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b" PV = "0.98+git${SRCPV}" SRC_URI = " \ - git://github.com/CanonicalLtd/netplan.git \ + git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \ " DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" 
diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb index 33a2b7c0ce..a28372dd1f 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb @@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \ file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \ file://musl/0004-Fix-build-with-musl-systemd-specific.patch \ " -SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77" +SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6" S = "${WORKDIR}/NetworkManager-${PV}" EXTRA_OECONF = " \ + --disable-firewalld-zone \ --disable-ifcfg-rh \ --disable-more-warnings \ --with-iptables=${sbindir}/iptables \ diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb index 597c1920cf..144afb4843 100644 --- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb +++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb @@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad" SRC_URI = " \ - git://git.infradead.org/users/dwmw2/openconnect.git \ + git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \ file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \ " SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a" diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb index e3134e41fc..a75b43e062 100644 --- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb +++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb 
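Review bot: The new `--disable-firewalld-zone` entry in EXTRA_OECONF has no comment, and nothing on this page says why firewalld zone integration is switched off together with the 1.22.10 → 1.22.16 bump. On a target that runs firewalld this decides whether NetworkManager assigns interfaces to zones, which is firewall-policy relevant, so the reason belongs next to the flag. Suggest a line above it such as `# firewalld zone integration disabled: <reason, e.g. missing build dependency or distro policy>` with the placeholder replaced by the actual rationale. The SRC_URI list that this hunk's context continues starts outside the hunk.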
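Review bot: The openconnect fetch stays on the plain `git://` transport: this hunk only appends `;branch=master` to `git://git.infradead.org/users/dwmw2/openconnect.git`, whereas the other recipes in this commit (cannelloni, civetweb, dibbler, freeradius, libdnet, nng, netplan) add `;protocol=https` at the same time. The relayd hunk on the next line has the same gap (`git://git.openwrt.org/project/relayd.git;branch=master`). The pinned SRCREV still protects the integrity of the checked-out tree, but the git protocol is unencrypted and unauthenticated, so fetches can be observed or blocked on the path. If both hosts serve the repositories over HTTPS (worth confirming), the line should read `git://git.infradead.org/users/dwmw2/openconnect.git;branch=master;protocol=https \`, and likewise for relayd.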
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab DEPENDS = "libubox" -SRC_URI = "git://git.openwrt.org/project/relayd.git \ +SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \ file://0001-rtnl_flush-Error-on-failed-write.patch \ " diff --git a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch deleted file mode 100644 index e724c04bcd..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From f9d9ba6cd06aca053c747c399ba700db80b1623c Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Tue, 9 Jun 2020 11:52:50 +1000 -Subject: [PATCH 1/3] util: Simplify input validation - -It appears that snprintf(3) is being used for input validation. -However, this seems like overkill because it causes szPath to be -copied an extra time. The mostly likely protections being sought -here, according to https://cwe.mitre.org/data/definitions/20.html, -look to be DoS attacks involving CPU and memory usage. A simpler -check that uses strnlen(3) can mitigate against both of these and is -simpler. - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> -(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/f9d9ba6cd06aca053c747c399ba700db80b1623c] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index c0ee5c32c30..dec91772d9e 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - struct passwd pwd = {0}; - struct passwd *pwdbuf = NULL; - char buf[NSS_BUFLEN_PASSWD] = {0}; -+ size_t len; - int rc; - - rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); - if (rc != 0 || pwdbuf == NULL ) { -- int len_written; - const char *szPath = getenv("HOME"); - if (szPath == NULL) { - return NULL; - } -- len_written = snprintf(buf, sizeof(buf), "%s", szPath); -- if (len_written >= sizeof(buf) || len_written < 0) { -- /* Output was truncated or an error. 
*/ -+ len = strnlen(szPath, PATH_MAX); -+ if (len >= PATH_MAX) { - return NULL; - } -- return talloc_strdup(mem_ctx, buf); -+ return talloc_strdup(mem_ctx, szPath); - } - - return talloc_strdup(mem_ctx, pwd.pw_dir); --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch deleted file mode 100644 index dcd79044ae..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 57bd719af1f138f44f71b2078995452582da0da6 Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Fri, 5 Jun 2020 21:52:23 +1000 -Subject: [PATCH 2/3] util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD - -NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use -sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX. - -Use a dynamically allocated buffer instead of trying to cram all of -the logic into the declarations. This will come in useful later -anyway. - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> -(cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/57bd719af1f138f44f71b2078995452582da0da6] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 27 ++++++++++++++++++++++----- - 1 file changed, 22 insertions(+), 5 deletions(-) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index dec91772d9e..9bc6df37e5d 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -68,24 +68,41 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - { - struct passwd pwd = {0}; - struct passwd *pwdbuf = NULL; -- char buf[NSS_BUFLEN_PASSWD] = {0}; -+ char *buf = NULL; -+ char *out = NULL; -+ long int initlen; - size_t len; - int rc; - -- rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); -+ initlen = sysconf(_SC_GETPW_R_SIZE_MAX); -+ if (initlen == -1) { -+ len = 1024; -+ } else { -+ len = (size_t)initlen; -+ } -+ buf = talloc_size(mem_ctx, len); -+ if (buf == NULL) { -+ return NULL; -+ } -+ -+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); - if (rc != 0 || pwdbuf == NULL ) { - const char *szPath = getenv("HOME"); - if (szPath == NULL) { -- return NULL; -+ goto done; - } - len = strnlen(szPath, PATH_MAX); - if (len >= PATH_MAX) { - return NULL; - } -- return talloc_strdup(mem_ctx, 
szPath); -+ out = talloc_strdup(mem_ctx, szPath); -+ goto done; - } - -- return talloc_strdup(mem_ctx, pwd.pw_dir); -+ out = talloc_strdup(mem_ctx, pwd.pw_dir); -+done: -+ TALLOC_FREE(buf); -+ return out; - } - - char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d) --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch deleted file mode 100644 index 53a3f67814..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 016e08ca07f86af9e0131a908a2df116bcb9a48e Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Fri, 5 Jun 2020 22:05:42 +1000 -Subject: [PATCH 3/3] util: Reallocate larger buffer if getpwuid_r() returns - ERANGE - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> - -Autobuild-User(master): Martin Schwenke <martins@samba.org> -Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184 - -(cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/016e08ca07f86af9e0131a908a2df116bcb9a48e] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index 9bc6df37e5d..72cc0aab8de 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -86,6 +86,19 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - } - - rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); -+ while (rc == ERANGE) { -+ size_t newlen = 2 * len; -+ if (newlen < len) { -+ /* Overflow */ -+ goto done; -+ } -+ len = newlen; -+ buf = talloc_realloc_size(mem_ctx, buf, len); -+ if (buf == NULL) { -+ goto done; -+ } -+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); -+ } - if (rc != 0 || pwdbuf == NULL ) { - const char *szPath = getenv("HOME"); - if (szPath == NULL) { --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch new file mode 100644 index 0000000000..ff1225db07 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch 
@@ -0,0 +1,142 @@ +From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001 +From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +Date: Fri, 11 Dec 2020 11:32:44 +0900 +Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test. + +s3: smbd: Ensure change notifies can't get set unless the + directory handle is open for SEC_DIR_LIST. + +CVE-2020-14318 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 + +Signed-off-by: Jeremy Allison <jra@samba.org> + +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + source3/smbd/notify.c | 8 ++++ + source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++- + 2 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c +index 44c0b09..d23c03b 100644 +--- a/source3/smbd/notify.c ++++ b/source3/smbd/notify.c +@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter, + char fullpath[len+1]; + NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; + ++ /* ++ * Setting a changenotify needs READ/LIST access ++ * on the directory handle. ++ */ ++ if (!(fsp->access_mask & SEC_DIR_LIST)) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ + if (fsp->notify != NULL) { + DEBUG(1, ("change_notify_create: fsp->notify != NULL, " + "fname = %s\n", fsp->fsp_name->base_name)); +diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c +index ebb4f8a..a5c9b94 100644 +--- a/source4/torture/smb2/notify.c ++++ b/source4/torture/smb2/notify.c +@@ -2569,6 +2569,83 @@ done: + return ok; + } + ++/* ++ Test asking for a change notify on a handle without permissions. 
++*/ ++ ++#define BASEDIR_HPERM BASEDIR "_HPERM" ++ ++static bool torture_smb2_notify_handle_permissions( ++ struct torture_context *torture, ++ struct smb2_tree *tree) ++{ ++ bool ret = true; ++ NTSTATUS status; ++ union smb_notify notify; ++ union smb_open io; ++ struct smb2_handle h1 = {{0}}; ++ struct smb2_request *req; ++ ++ smb2_deltree(tree, BASEDIR_HPERM); ++ smb2_util_rmdir(tree, BASEDIR_HPERM); ++ ++ torture_comment(torture, ++ "TESTING CHANGE NOTIFY " ++ "ON A HANDLE WITHOUT PERMISSIONS\n"); ++ ++ /* ++ get a handle on the directory ++ */ ++ ZERO_STRUCT(io.smb2); ++ io.generic.level = RAW_OPEN_SMB2; ++ io.smb2.in.create_flags = 0; ++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE; ++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; ++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; ++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE; ++ io.smb2.in.alloc_size = 0; ++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; ++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; ++ io.smb2.in.security_flags = 0; ++ io.smb2.in.fname = BASEDIR_HPERM; ++ ++ status = smb2_create(tree, torture, &io.smb2); ++ CHECK_STATUS(status, NT_STATUS_OK); ++ h1 = io.smb2.out.file.handle; ++ ++ /* ask for a change notify, ++ on file or directory name changes */ ++ ZERO_STRUCT(notify.smb2); ++ notify.smb2.level = RAW_NOTIFY_SMB2; ++ notify.smb2.in.buffer_size = 1000; ++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; ++ notify.smb2.in.file.handle = h1; ++ notify.smb2.in.recursive = true; ++ ++ req = smb2_notify_send(tree, ¬ify.smb2); ++ torture_assert_goto(torture, ++ req != NULL, ++ ret, ++ done, ++ "smb2_notify_send failed\n"); ++ ++ /* ++ * Cancel it, we don't really want to wait. ++ */ ++ smb2_cancel(req); ++ status = smb2_notify_recv(req, torture, ¬ify.smb2); ++ /* Handle h1 doesn't have permissions for ChangeNotify. 
*/ ++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); ++ ++done: ++ if (!smb2_util_handle_empty(h1)) { ++ smb2_util_close(tree, h1); ++ } ++ smb2_deltree(tree, BASEDIR_HPERM); ++ return ret; ++} ++ + /* + basic testing of SMB2 change notify + */ +@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx) + torture_smb2_notify_rmdir3); + torture_suite_add_2smb2_test(suite, "rmdir4", + torture_smb2_notify_rmdir4); +- ++ torture_suite_add_1smb2_test(suite, ++ "handle-permissions", ++ torture_smb2_notify_handle_permissions); ++ + suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); + + return suite; +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch new file mode 100644 index 0000000000..3341b80a38 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch 
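Review bot: CVE-2020-14318.patch carries neither an `Upstream-Status:` line nor a `CVE:` tag in its header, unlike CVE-2023-42669.patch added by the same commit, which has both `Upstream-Status: Backport [...]` and `CVE: CVE-2023-42669`. cve-check also recognises the CVE number from the patch filename, so reporting probably still works, but the layer's patch convention expects Upstream-Status, and an explicit tag removes any doubt about which advisory the backport addresses. CVE-2020-14383.patch in the next file section has the same omission. Suggest adding `Upstream-Status: Backport [<upstream commit or security-release URL>]` and `CVE: CVE-2020-14318` above the `Signed-off-by: Zheng Ruoqin` line, with the placeholder filled in from the Samba security release.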
@@ -0,0 +1,112 @@ +From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001 +From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +Date: Fri, 11 Dec 2020 14:34:31 +0900 +Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with + NULL. do not crash when additional data not found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Found by Francis Brosnan Blázquez <francis@aspl.es>. +Based on patches from Francis Brosnan Blázquez <francis@aspl.es> +and Jeremy Allison <jra@samba.org> + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 + +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> +Reviewed-by: Jeremy Allison <jra@samba.org> + +Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> +Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 + +(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) +(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e + +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + .../rpc_server/dnsserver/dcerpc_dnsserver.c | 31 ++++++++++--------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +index 910de9a1..618c7096 100644 +--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + TALLOC_CTX *tmp_ctx; + char *name; + const char * const attrs[] = { "name", "dnsRecord", NULL }; +- struct ldb_result *res; +- struct DNS_RPC_RECORDS_ARRAY *recs; ++ struct ldb_result *res = NULL; ++ struct DNS_RPC_RECORDS_ARRAY *recs = NULL; + char **add_names = NULL; +- char *rname; ++ char *rname = NULL; + const char *preference_name = NULL; + int add_count = 0; + int i, ret, len; + WERROR status; +- 
struct dns_tree *tree, *base, *node; ++ struct dns_tree *tree = NULL; ++ struct dns_tree *base = NULL; ++ struct dns_tree *node = NULL; + + tmp_ctx = talloc_new(mem_ctx); + W_ERROR_HAVE_NO_MEMORY(tmp_ctx); +@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + } + } + +- talloc_free(res); +- talloc_free(tree); +- talloc_free(name); ++ TALLOC_FREE(res); ++ TALLOC_FREE(tree); ++ TALLOC_FREE(name); + + /* Add any additional records */ + if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { + for (i=0; i<add_count; i++) { +- struct dnsserver_zone *z2; +- ++ struct dnsserver_zone *z2 = NULL; ++ struct ldb_message *msg = NULL; + /* Search all the available zones for additional name */ + for (z2 = dsstate->zones; z2; z2 = z2->next) { + char *encoded_name; +@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + LDB_SCOPE_ONELEVEL, attrs, + "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", + encoded_name); +- talloc_free(name); ++ TALLOC_FREE(name); + if (ret != LDB_SUCCESS) { + continue; + } + if (res->count == 1) { ++ msg = res->msgs[0]; + break; + } else { +- talloc_free(res); ++ TALLOC_FREE(res); + continue; + } + } +@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + } + status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, + select_flag, rname, +- res->msgs[0], 0, recs, ++ msg, 0, recs, + NULL, NULL); +- talloc_free(rname); +- talloc_free(res); ++ TALLOC_FREE(rname); ++ TALLOC_FREE(res); + } + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch new file mode 100644 index 0000000000..0d1cbe5ad4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch 
@@ -0,0 +1,93 @@ +From 3f62a590b02bf4c888a995017e2575d3b2ec6ac9 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett <abartlet@samba.org> +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://www.samba.org/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch] +CVE: CVE-2023-42669 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc..c6642b7 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + <para>Specifies which DCE/RPC endpoint servers should be run.</para> + </description> + +-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> ++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> + <value type="example">rpcecho</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4c3dfff..db4ae5e 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index a7a6c4c..ffa4b95 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -773,7 +773,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 0db44e9..b052d42 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -877,7 +877,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey 
dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 510335a..a95e070 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -36,7 +36,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index 3ae5afbe95..3b8da2b1cb 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb @@ -28,9 +28,9 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \ file://0001-Add-options-to-configure-the-use-of-libbsd.patch \ file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ - file://0001-util-Simplify-input-validation.patch \ - file://0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch \ - file://0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch \ + file://CVE-2020-14318.patch \ + file://CVE-2020-14383.patch \ + file://CVE-2023-42669.patch \ " SRC_URI_append_libc-musl = " \ file://samba-pam.patch \ 
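Review bot: This hunk drops the three util_paths.c backports (`0001-util-Simplify-input-validation.patch`, `0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch`, `0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch`) from SRC_URI in the same step as the 4.10.17 → 4.10.18 bump, but nothing on the page states that 4.10.18 already contains the upstream commits those patches cherry-picked (922bce2668, 847208cd8a and ddac6b2eb4 per the deleted headers). If the release does not carry them, the `getpwuid_r` ERANGE retry and the `strnlen`-bounded `$HOME` check in `get_user_home_dir` regress silently with this change. Worth confirming against the 4.10.18 tarball and recording the result in the commit message, so the removal is traceable rather than implied.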
@@ -39,12 +39,16 @@ SRC_URI_append_libc-musl = " \ file://0001-samba-fix-musl-lib-without-innetgr.patch \ " -SRC_URI[md5sum] = "f69cac9ba5035ee60257520a209a0a83" -SRC_URI[sha256sum] = "03dc9758e7bfa2faf7cdeb45b4d40997e2ee16a41e71996aa666bc069e70ba3e" +SRC_URI[md5sum] = "f006a3d1876113e4a049015969d20fe6" +SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddffc7c2c" UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz" inherit systemd waf-samba cpan-base perlnative update-rc.d + +# CVE-2011-2411 is valnerble only on HP NonStop Servers. +CVE_CHECK_WHITELIST += "CVE-2011-2411" + # remove default added RDEPENDS on perl RDEPENDS_${PN}_remove = "perl" diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch new file mode 100644 index 0000000000..9c268599ff --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch 
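Review bot: The comment justifying the new `CVE_CHECK_WHITELIST` entry misspells its key word (`valnerble`) and gives no reference; since whitelisting permanently hides CVE-2011-2411 from cve-check output, the rationale should be spelled out and checkable. Suggest `# CVE-2011-2411 only affects Samba on HP NonStop servers, not this target.` followed by the advisory or NVD URL on the same comment block.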
@@ -0,0 +1,36 @@ + * check-requirements now gives iptables output on failure. Patch thanks to + S. Nizio. + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 9a6d8beb4cb1d1646c7d2a19e4aea9898f4571bb + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +--- check-requirements.orig 2012-12-03 16:37:20.214274095 +0100 ++++ ufw-0.33/tests/check-requirements 2012-12-03 16:40:16.298728133 +0100 +@@ -29,14 +29,19 @@ + runtime="yes" + shift 1 + fi +- if $@ >/dev/null 2>&1 ; then ++ local output ret=0 ++ # make sure to always return success below because of set -e ++ output=$( "$@" 2>&1 ) || ret=$? ++ if [ $ret -eq 0 ]; then + echo pass + else + if [ "$runtime" = "yes" ]; then + echo "FAIL (no runtime support)" ++ echo "error was: $output" + error_runtime="yes" + else + echo FAIL ++ echo "error was: $output" + error="yes" + fi + fi diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch new file mode 100644 index 0000000000..7a97773de0 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch 
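Review bot: Replacing `if $@ >/dev/null 2>&1` with `output=$( "$@" 2>&1 ) || ret=$?` changes word splitting: any caller that passes its command as a single string (`check "iptables -L"` style) used to be split into words by the unquoted `$@` and would now be executed as one literal program name and fail. The function's definition and its callers are outside this hunk, so this is inferred rather than shown; it is worth confirming that every call site passes the command as separate arguments. Otherwise the quoting is the better form, and capturing stderr into `$output` for the FAIL branches is a useful diagnostic.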
@@ -0,0 +1,14903 @@ +use conntrack instead of state module. Patch based on work by S. Nizio. + +https://bugs.launchpad.net/ufw/+bug/1065297 + +The patch was imported from git://git.launchpad.net/ufw +commit id 2a24ab2c46a1370d230d380a7b794ac3f8296799 + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/README b/README +index 0cc2b2f..fead7c0 100644 +--- a/README ++++ b/README +@@ -24,13 +24,14 @@ Linux kernel configured with the following modules (not exhaustive): + limit + multiport + recent +- state +- +-* python2.5 is no longer supported +-** Systems with iptables below 1.4 will not have IPv6 application rule support. +- ufw will give a warning when users try to use this functionality, but ufw +- will otherwise work fine. ufw is known to work with iptables 1.3.8 in this +- degraded mode. ++ conntrack*** ++ ++* python2.5 is no longer supported ++** Systems with iptables below 1.4 will not have IPv6 application rule ++ support. ufw will give a warning when users try to use this functionality, ++ but ufw will otherwise work fine. ufw is known to work with iptables 1.3.8 ++ in this degraded mode. ++*** As of 0.34, the 'conntrack' modules is used instead of 'state' + + ufw has been widely tested on Linux 2.6.24 and higher kernels. 
You may also + use the check-requirements script in the tests/ directory to see if your +diff --git a/conf/before.rules b/conf/before.rules +index bc11f36..9917b87 100644 +--- a/conf/before.rules ++++ b/conf/before.rules +@@ -22,12 +22,12 @@ + -A ufw-before-output -o lo -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw-before-input -m state --state INVALID -j ufw-logging-deny +--A ufw-before-input -m state --state INVALID -j DROP ++-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny ++-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +diff --git a/conf/before6.rules b/conf/before6.rules +index fb1a8f1..8b7e4ff 100644 +--- a/conf/before6.rules ++++ b/conf/before6.rules +@@ -34,16 +34,16 @@ + -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # for multicast ping replies from link-local addresses (these don't have an + # associated connection and would otherwise be marked INVALID) + -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw6-before-input 
-m state --state INVALID -j ufw6-logging-deny +--A ufw6-before-input -m state --state INVALID -j DROP ++-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny ++-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index d9e3d5a..76403d6 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + .TP + Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: +@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT + +- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ +- \-\-state NEW \-j ACCEPT ++ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \\ ++ \-m conntrack \-\-ctstate NEW \-j ACCEPT + +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + + \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT +diff --git a/locales/po/ufw.pot b/locales/po/ufw.pot +index fc56838..dc4b8e9 100644 +--- a/locales/po/ufw.pot 
++++ b/locales/po/ufw.pot +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2012-08-12 10:55-0500\n" ++"POT-Creation-Date: 2012-12-03 14:33-0600\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" + "Language-Team: LANGUAGE <LL@li.org>\n" +@@ -21,7 +21,7 @@ msgstr "" + msgid ": Need at least python 2.6)\n" + msgstr "" + +-#: src/ufw:109 src/frontend.py:575 src/frontend.py:877 ++#: src/ufw:109 src/frontend.py:577 src/frontend.py:879 + msgid "Aborted" + msgstr "" + +@@ -103,7 +103,7 @@ msgstr "" + msgid "New profiles:" + msgstr "" + +-#: src/backend_iptables.py:88 src/backend.py:322 ++#: src/backend_iptables.py:88 src/backend.py:339 + #, python-format + msgid "Unsupported policy '%s'" + msgstr "" +@@ -130,44 +130,44 @@ msgstr "" + msgid "Checking raw ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:250 ++#: src/backend_iptables.py:253 + msgid "Checking iptables\n" + msgstr "" + +-#: src/backend_iptables.py:252 ++#: src/backend_iptables.py:255 + msgid "Checking ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:255 src/backend_iptables.py:495 ++#: src/backend_iptables.py:258 src/backend_iptables.py:501 + msgid "problem running" + msgstr "" + +-#: src/backend_iptables.py:261 ++#: src/backend_iptables.py:264 + msgid "Status: inactive" + msgstr "" + +-#: src/backend_iptables.py:397 ++#: src/backend_iptables.py:400 + msgid "To" + msgstr "" + +-#: src/backend_iptables.py:398 ++#: src/backend_iptables.py:401 + msgid "From" + msgstr "" + +-#: src/backend_iptables.py:399 ++#: src/backend_iptables.py:402 + msgid "Action" + msgstr "" + +-#: src/backend_iptables.py:415 ++#: src/backend_iptables.py:418 + msgid "\n" + msgstr "" + +-#: src/backend_iptables.py:423 ++#: src/backend_iptables.py:426 + #, python-format + msgid "Default: %(in)s (incoming), %(out)s (outgoing)" + msgstr "" + +-#: src/backend_iptables.py:427 ++#: 
src/backend_iptables.py:430 + #, python-format + msgid "" + "Status: active\n" +@@ -176,174 +176,174 @@ msgid "" + "%(app)s%(status)s" + msgstr "" + +-#: src/backend_iptables.py:431 ++#: src/backend_iptables.py:434 + #, python-format + msgid "Status: active%s" + msgstr "" + +-#: src/backend_iptables.py:436 src/backend_iptables.py:446 ++#: src/backend_iptables.py:439 src/backend_iptables.py:449 + msgid "running ufw-init" + msgstr "" + +-#: src/backend_iptables.py:440 src/backend_iptables.py:450 ++#: src/backend_iptables.py:443 src/backend_iptables.py:453 + #, python-format + msgid "" + "problem running ufw-init\n" + "%s" + msgstr "" + +-#: src/backend_iptables.py:459 ++#: src/backend_iptables.py:462 + msgid "Could not set LOGLEVEL" + msgstr "" + +-#: src/backend_iptables.py:465 ++#: src/backend_iptables.py:468 + msgid "Could not load logging rules" + msgstr "" + +-#: src/backend_iptables.py:617 src/backend.py:229 ++#: src/backend_iptables.py:623 src/backend.py:246 + #, python-format + msgid "Couldn't open '%s' for reading" + msgstr "" + +-#: src/backend_iptables.py:626 ++#: src/backend_iptables.py:632 + #, python-format + msgid "Skipping malformed tuple (bad length): %s" + msgstr "" + +-#: src/backend_iptables.py:657 ++#: src/backend_iptables.py:663 + #, python-format + msgid "Skipping malformed tuple: %s" + msgstr "" + +-#: src/backend_iptables.py:679 src/backend.py:260 ++#: src/backend_iptables.py:685 src/backend.py:277 + #, python-format + msgid "'%s' is not writable" + msgstr "" + +-#: src/backend_iptables.py:837 ++#: src/backend_iptables.py:850 + msgid "Adding IPv6 rule failed: IPv6 not enabled" + msgstr "" + +-#: src/backend_iptables.py:841 ++#: src/backend_iptables.py:854 + #, python-format + msgid "Skipping unsupported IPv6 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:845 ++#: src/backend_iptables.py:858 + #, python-format + msgid "Skipping unsupported IPv4 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:848 ++#: src/backend_iptables.py:861 + 
msgid "Must specify 'tcp' or 'udp' with multiple ports" + msgstr "" + +-#: src/backend_iptables.py:860 ++#: src/backend_iptables.py:873 + msgid "Skipping IPv6 application rule. Need at least iptables 1.4" + msgstr "" + +-#: src/backend_iptables.py:865 ++#: src/backend_iptables.py:878 + #, python-format + msgid "Invalid position '%d'" + msgstr "" + +-#: src/backend_iptables.py:869 ++#: src/backend_iptables.py:882 + msgid "Cannot specify insert and delete" + msgstr "" + +-#: src/backend_iptables.py:872 ++#: src/backend_iptables.py:885 + #, python-format + msgid "Cannot insert rule at position '%d'" + msgstr "" + +-#: src/backend_iptables.py:930 ++#: src/backend_iptables.py:943 + msgid "Skipping inserting existing rule" + msgstr "" + +-#: src/backend_iptables.py:941 src/frontend.py:386 ++#: src/backend_iptables.py:954 src/frontend.py:388 + msgid "Could not delete non-existent rule" + msgstr "" + +-#: src/backend_iptables.py:946 ++#: src/backend_iptables.py:959 + msgid "Skipping adding existing rule" + msgstr "" + +-#: src/backend_iptables.py:962 ++#: src/backend_iptables.py:975 + msgid "Couldn't update rules file" + msgstr "" + +-#: src/backend_iptables.py:967 ++#: src/backend_iptables.py:980 + msgid "Rules updated" + msgstr "" + +-#: src/backend_iptables.py:969 ++#: src/backend_iptables.py:982 + msgid "Rules updated (v6)" + msgstr "" + +-#: src/backend_iptables.py:977 ++#: src/backend_iptables.py:990 + msgid "Rule inserted" + msgstr "" + +-#: src/backend_iptables.py:979 ++#: src/backend_iptables.py:992 + msgid "Rule updated" + msgstr "" + +-#: src/backend_iptables.py:989 ++#: src/backend_iptables.py:1002 + msgid " (skipped reloading firewall)" + msgstr "" + +-#: src/backend_iptables.py:992 ++#: src/backend_iptables.py:1005 + msgid "Rule deleted" + msgstr "" + +-#: src/backend_iptables.py:995 ++#: src/backend_iptables.py:1008 + msgid "Rule added" + msgstr "" + +-#: src/backend_iptables.py:1010 src/backend_iptables.py:1098 ++#: src/backend_iptables.py:1023 
src/backend_iptables.py:1114 + msgid "Could not update running firewall" + msgstr "" + +-#: src/backend_iptables.py:1065 ++#: src/backend_iptables.py:1078 + #, python-format + msgid "Could not perform '%s'" + msgstr "" + +-#: src/backend_iptables.py:1089 ++#: src/backend_iptables.py:1105 + msgid "Couldn't update rules file for logging" + msgstr "" + +-#: src/backend_iptables.py:1147 src/backend.py:578 ++#: src/backend_iptables.py:1163 src/backend.py:595 + #, python-format + msgid "Invalid log level '%s'" + msgstr "" + +-#: src/backend_iptables.py:1244 ++#: src/backend_iptables.py:1260 + #, python-format + msgid "Could not find '%s'. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1256 ++#: src/backend_iptables.py:1272 + #, python-format + msgid "'%s' already exists. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1262 ++#: src/backend_iptables.py:1278 + #, python-format + msgid "Backing up '%(old)s' to '%(new)s'\n" + msgstr "" + +-#: src/backend_iptables.py:1278 src/backend.py:185 ++#: src/backend_iptables.py:1294 src/backend.py:202 + #, python-format + msgid "Couldn't stat '%s'" + msgstr "" + +-#: src/backend_iptables.py:1283 ++#: src/backend_iptables.py:1299 + #, python-format + msgid "WARN: '%s' is world writable" + msgstr "" + +-#: src/backend_iptables.py:1285 ++#: src/backend_iptables.py:1301 + #, python-format + msgid "WARN: '%s' is world readable" + msgstr "" +@@ -352,102 +352,102 @@ msgstr "" + msgid "Couldn't determine iptables version" + msgstr "" + +-#: src/backend.py:138 ++#: src/backend.py:155 + msgid "Checks disabled" + msgstr "" + +-#: src/backend.py:144 ++#: src/backend.py:161 + msgid "ERROR: this script should not be SUID" + msgstr "" + +-#: src/backend.py:147 ++#: src/backend.py:164 + msgid "ERROR: this script should not be SGID" + msgstr "" + +-#: src/backend.py:152 ++#: src/backend.py:169 + msgid "You need to be root to run this script" + msgstr "" + +-#: src/backend.py:162 ++#: src/backend.py:179 + #, python-format + msgid "'%s' does 
not exist" + msgstr "" + +-#: src/backend.py:191 ++#: src/backend.py:208 + #, python-format + msgid "uid is %(uid)s but '%(path)s' is owned by %(st_uid)s" + msgstr "" + +-#: src/backend.py:198 ++#: src/backend.py:215 + #, python-format + msgid "%s is world writable!" + msgstr "" + +-#: src/backend.py:202 ++#: src/backend.py:219 + #, python-format + msgid "%s is group writable!" + msgstr "" + +-#: src/backend.py:218 ++#: src/backend.py:235 + #, python-format + msgid "'%(f)s' file '%(name)s' does not exist" + msgstr "" + +-#: src/backend.py:243 ++#: src/backend.py:260 + #, python-format + msgid "Missing policy for '%s'" + msgstr "" + +-#: src/backend.py:247 ++#: src/backend.py:264 + #, python-format + msgid "Invalid policy '%(policy)s' for '%(chain)s'" + msgstr "" + +-#: src/backend.py:254 ++#: src/backend.py:271 + msgid "Invalid option" + msgstr "" + +-#: src/backend.py:325 ++#: src/backend.py:342 + #, python-format + msgid "Default application policy changed to '%s'" + msgstr "" + +-#: src/backend.py:407 ++#: src/backend.py:424 + msgid "No rules found for application profile" + msgstr "" + +-#: src/backend.py:466 ++#: src/backend.py:483 + #, python-format + msgid "Rules updated for profile '%s'" + msgstr "" + +-#: src/backend.py:472 ++#: src/backend.py:489 + msgid "Couldn't update application rules" + msgstr "" + +-#: src/backend.py:494 ++#: src/backend.py:511 + #, python-format + msgid "Found multiple matches for '%s'. 
Please use exact profile name" + msgstr "" + +-#: src/backend.py:496 ++#: src/backend.py:513 + #, python-format + msgid "Could not find a profile matching '%s'" + msgstr "" + +-#: src/backend.py:562 ++#: src/backend.py:579 + msgid "Logging: " + msgstr "" + +-#: src/backend.py:566 ++#: src/backend.py:583 + msgid "unknown" + msgstr "" + +-#: src/backend.py:596 ++#: src/backend.py:613 + msgid "Logging disabled" + msgstr "" + +-#: src/backend.py:598 ++#: src/backend.py:615 + msgid "Logging enabled" + msgstr "" + +@@ -526,6 +526,7 @@ msgid "" + " %(limit)-31s add limit %(rule)s\n" + " %(delete)-31s delete %(urule)s\n" + " %(insert)-31s insert %(urule)s at %(number)s\n" ++" %(reload)-31s reload firewall\n" + " %(reset)-31s reset firewall\n" + " %(status)-31s show firewall status\n" + " %(statusnum)-31s show firewall status as numbered list of %(rules)s\n" +@@ -540,87 +541,87 @@ msgid "" + " %(appdefault)-31s set default application policy\n" + msgstr "" + +-#: src/frontend.py:160 ++#: src/frontend.py:162 + msgid "n" + msgstr "" + +-#: src/frontend.py:161 ++#: src/frontend.py:163 + msgid "y" + msgstr "" + +-#: src/frontend.py:162 ++#: src/frontend.py:164 + msgid "yes" + msgstr "" + +-#: src/frontend.py:207 ++#: src/frontend.py:209 + msgid "Firewall is active and enabled on system startup" + msgstr "" + +-#: src/frontend.py:214 ++#: src/frontend.py:216 + msgid "Firewall stopped and disabled on system startup" + msgstr "" + +-#: src/frontend.py:265 ++#: src/frontend.py:267 + msgid "Could not get listening status" + msgstr "" + +-#: src/frontend.py:326 ++#: src/frontend.py:328 + msgid "Added user rules (see 'ufw status' for running firewall):" + msgstr "" + +-#: src/frontend.py:329 ++#: src/frontend.py:331 + msgid "" + "\n" + "(None)" + msgstr "" + +-#: src/frontend.py:381 src/frontend.py:479 src/frontend.py:489 ++#: src/frontend.py:383 src/frontend.py:481 src/frontend.py:491 + #, python-format + msgid "Invalid IP version '%s'" + msgstr "" + +-#: src/frontend.py:412 ++#: 
src/frontend.py:414 + msgid "Invalid position '" + msgstr "" + +-#: src/frontend.py:486 ++#: src/frontend.py:488 + msgid "IPv6 support not enabled" + msgstr "" + +-#: src/frontend.py:497 ++#: src/frontend.py:499 + msgid "Rule changed after normalization" + msgstr "" + +-#: src/frontend.py:521 ++#: src/frontend.py:523 + #, python-format + msgid "Could not back out rule '%s'" + msgstr "" + +-#: src/frontend.py:525 ++#: src/frontend.py:527 + msgid "" + "\n" + "Error applying application rules." + msgstr "" + +-#: src/frontend.py:527 ++#: src/frontend.py:529 + msgid " Some rules could not be unapplied." + msgstr "" + +-#: src/frontend.py:529 ++#: src/frontend.py:531 + msgid " Attempted rules successfully unapplied." + msgstr "" + +-#: src/frontend.py:540 ++#: src/frontend.py:542 + #, python-format + msgid "Could not find rule '%s'" + msgstr "" + +-#: src/frontend.py:545 src/frontend.py:550 ++#: src/frontend.py:547 src/frontend.py:552 + #, python-format + msgid "Could not find rule '%d'" + msgstr "" + +-#: src/frontend.py:562 ++#: src/frontend.py:564 + #, python-format + msgid "" + "Deleting:\n" +@@ -628,93 +629,93 @@ msgid "" + "Proceed with operation (%(yes)s|%(no)s)? 
" + msgstr "" + +-#: src/frontend.py:593 ++#: src/frontend.py:595 + msgid "Unsupported default policy" + msgstr "" + +-#: src/frontend.py:622 src/frontend.py:767 ++#: src/frontend.py:624 src/frontend.py:769 + msgid "Firewall reloaded" + msgstr "" + +-#: src/frontend.py:624 ++#: src/frontend.py:626 + msgid "Firewall not enabled (skipping reload)" + msgstr "" + +-#: src/frontend.py:641 src/frontend.py:655 src/frontend.py:692 ++#: src/frontend.py:643 src/frontend.py:657 src/frontend.py:694 + msgid "Invalid profile name" + msgstr "" + +-#: src/frontend.py:660 src/frontend.py:842 ++#: src/frontend.py:662 src/frontend.py:844 + #, python-format + msgid "Unsupported action '%s'" + msgstr "" + +-#: src/frontend.py:679 ++#: src/frontend.py:681 + msgid "Available applications:" + msgstr "" + +-#: src/frontend.py:700 ++#: src/frontend.py:702 + #, python-format + msgid "Could not find profile '%s'" + msgstr "" + +-#: src/frontend.py:705 ++#: src/frontend.py:707 + msgid "Invalid profile" + msgstr "" + +-#: src/frontend.py:708 ++#: src/frontend.py:710 + #, python-format + msgid "Profile: %s\n" + msgstr "" + +-#: src/frontend.py:709 ++#: src/frontend.py:711 + #, python-format + msgid "Title: %s\n" + msgstr "" + +-#: src/frontend.py:712 ++#: src/frontend.py:714 + #, python-format + msgid "" + "Description: %s\n" + "\n" + msgstr "" + +-#: src/frontend.py:718 ++#: src/frontend.py:720 + msgid "Ports:" + msgstr "" + +-#: src/frontend.py:720 ++#: src/frontend.py:722 + msgid "Port:" + msgstr "" + +-#: src/frontend.py:769 ++#: src/frontend.py:771 + msgid "Skipped reloading firewall" + msgstr "" + +-#: src/frontend.py:779 ++#: src/frontend.py:781 + msgid "Cannot specify 'all' with '--add-new'" + msgstr "" + +-#: src/frontend.py:794 ++#: src/frontend.py:796 + #, python-format + msgid "Unknown policy '%s'" + msgstr "" + +-#: src/frontend.py:851 ++#: src/frontend.py:853 + #, python-format + msgid "" + "Command may disrupt existing ssh connections. Proceed with operation " + "(%(yes)s|%(no)s)? 
" + msgstr "" + +-#: src/frontend.py:864 ++#: src/frontend.py:866 + #, python-format + msgid "" + "Resetting all rules to installed defaults. Proceed with operation (%(yes)s|" + "%(no)s)? " + msgstr "" + +-#: src/frontend.py:868 ++#: src/frontend.py:870 + #, python-format + msgid "" + "Resetting all rules to installed defaults. This may disrupt existing ssh " +diff --git a/setup.py b/setup.py +index 6fb3751..1685401 100644 +--- a/setup.py ++++ b/setup.py +@@ -35,7 +35,7 @@ import sys + import shutil + import subprocess + +-ufw_version = '0.33' ++ufw_version = '0.34' + + def cmd(command): + '''Try to execute the given command.''' +diff --git a/src/backend_iptables.py b/src/backend_iptables.py +index 76d8515..478e35c 100644 +--- a/src/backend_iptables.py ++++ b/src/backend_iptables.py +@@ -564,7 +564,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ + policy) + if not pat_logall.search(s): +- lstr = '-m state --state NEW ' + lstr ++ lstr = '-m conntrack --ctstate NEW ' + lstr + snippets[i] = pat_log.sub(r'\1-j \2\4', s) + snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ + '-user-logging-' + suffix, s)) +@@ -580,9 +580,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + pat_limit = re.compile(r' -j LIMIT') + for i, s in enumerate(snippets): + if pat_limit.search(s): +- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ ++ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ + s) +- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ ++ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ + ' --update --seconds 30 --hitcount 6' + \ + ' -j ' + prefix + '-user-limit', s) + tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) +@@ -1212,12 +1212,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + prefix = "[UFW BLOCK] " + if self.loglevels[level] < self.loglevels["medium"]: + # only log INVALID in medium and higher +- 
rules_t.append([c, ['-I', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'RETURN'] + largs, '']) + else: +- rules_t.append([c, ['-A', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'LOG', \ + '--log-prefix', \ + "[UFW AUDIT INVALID] "] + \ +@@ -1236,7 +1236,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + + # loglevel medium logs all new packets with limit + if self.loglevels[level] < self.loglevels["high"]: +- largs = ['-m', 'state', '--state', 'NEW'] + limit_args ++ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args + + prefix = "[UFW AUDIT] " + for c in self.chains['before']: +diff --git a/src/ufw-init-functions b/src/ufw-init-functions +index f4783e7..c5e0319 100755 +--- a/src/ufw-init-functions ++++ b/src/ufw-init-functions +@@ -251,15 +251,15 @@ ufw_start() { + # add tracking policy + if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + + if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + +diff --git a/src/util.py b/src/util.py +index fe9cd5c..bf0a6f6 100644 +--- a/src/util.py ++++ b/src/util.py +@@ -737,12 +737,12 @@ def 
get_netfilter_capabilities(exe="/sbin/iptables"): + # the stuff we know isn't supported everywhere but we want to support. + + # recent-set +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--set']): + caps.append('recent-set') + + # recent-update +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--update', \ + '--seconds', '30', \ + '--hitcount', '6']): +diff --git a/tests/bugs/rules/result b/tests/bugs/rules/result +index af2879a..396ff4c 100644 +--- a/tests/bugs/rules/result ++++ b/tests/bugs/rules/result +@@ -28,7 +28,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -73,7 +73,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG 
--log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/check-requirements b/tests/check-requirements +index 613a3c8..ffbe9fc 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -172,24 +172,24 @@ for i in "" 6; do + done + + echo -n "hashlimit: " +- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT ++ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT + + echo -n "limit: " + runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + for j in NEW RELATED ESTABLISHED INVALID; do + echo -n "state ($j): " +- runcmd $exe -A $c -m state --state $j ++ runcmd $exe -A $c -m conntrack --ctstate $j + done + + echo -n "state (new, recent set): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --set ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set + + echo -n "state (new, recent update): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT + + echo -n "state (new, limit): " +- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + echo -n "interface (input): " + runcmd $exe -A $c -i eth0 -j ACCEPT +diff --git a/tests/good/apps/result b/tests/good/apps/result +index c6988b0..8b477c2 100644 +--- a/tests/good/apps/result ++++ b/tests/good/apps/result +@@ -717,7 +717,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -760,7 +760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -803,7 +803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -847,7 +847,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -890,7 +890,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -931,7 +931,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -974,7 +974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1017,7 +1017,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1060,7 +1060,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1103,7 +1103,7 @@ WARN: 
Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1146,7 +1146,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1189,7 +1189,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 
3/min --limit-burst 10 + ### END LOGGING ### +@@ -1232,7 +1232,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1276,7 +1276,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1319,7 +1319,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1403,7 +1403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1446,7 +1446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1489,7 +1489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1532,7 +1532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1568,8 +1568,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m 
conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -1577,7 +1577,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1613,8 +1613,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -1622,7 +1622,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j 
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1658,8 +1658,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -1667,7 +1667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + 
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1703,11 +1703,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -1715,7 +1715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1751,8 +1751,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1760,7 +1760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1791,13 +1791,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 
0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1805,7 +1805,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate 
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1841,8 +1841,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -1850,7 +1850,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1886,8 +1886,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m 
recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -1895,7 +1895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1931,8 +1931,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 
'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -1940,7 +1940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1976,8 +1976,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080:8089 0.0.0.0/0 any 0.0.0.0/0 Custom%20Web%20App2 - in +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' + -A ufw-user-input -p tcp -m multiport --dports 8080:8089 -j ufw-user-limit-accept -m comment --comment 
'dapp_Custom%20Web%20App2' + + ### END RULES ### +@@ -1985,7 +1985,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2029,7 +2029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2072,7 +2072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2159,7 +2159,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2202,7 +2202,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j 
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2243,7 +2243,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2286,7 +2286,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2329,7 +2329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2372,7 +2372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2415,7 +2415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2458,7 +2458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2501,7 +2501,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2545,7 +2545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2588,7 +2588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m 
state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2629,7 +2629,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2672,7 +2672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2715,7 +2715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2758,7 +2758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2801,7 +2801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2844,7 +2844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2887,7 +2887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2931,7 +2931,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2974,7 +2974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3015,7 +3015,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3058,7 +3058,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3101,7 +3101,7 @@ WARN: Checks 
disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3144,7 +3144,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3187,7 +3187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min 
--limit-burst 10 + ### END LOGGING ### +@@ -3230,7 +3230,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3273,7 +3273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3317,7 +3317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3360,7 +3360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3401,7 +3401,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3444,7 +3444,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3487,7 +3487,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3530,7 +3530,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3573,7 +3573,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3616,7 +3616,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3659,7 +3659,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3700,7 +3700,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3743,7 +3743,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3784,7 +3784,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3827,7 +3827,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID 
-j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3913,7 +3913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3956,7 +3956,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 
3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3997,7 +3997,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4040,7 +4040,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4081,7 +4081,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4167,7 +4167,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4208,7 +4208,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4251,7 +4251,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4294,7 +4294,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4337,7 +4337,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4378,7 +4378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4421,7 +4421,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4462,7 
+4462,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4505,7 +4505,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4548,7 +4548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 
3/min --limit-burst 10 + ### END LOGGING ### +@@ -4591,7 +4591,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4634,7 +4634,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4675,7 +4675,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4718,7 +4718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4759,7 +4759,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4802,7 +4802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4845,7 +4845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4886,7 +4886,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,7 +4929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4972,7 +4972,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5015,7 +5015,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5059,7 +5059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5102,7 +5102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5143,7 +5143,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5186,7 +5186,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID 
-j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5229,7 +5229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5272,7 +5272,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5315,7 +5315,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 
3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5358,7 +5358,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5401,7 +5401,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5488,7 +5488,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5529,7 +5529,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5572,7 +5572,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5615,7 +5615,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5658,7 +5658,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5701,7 +5701,7 @@ WARN: Checks 
disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5744,7 +5744,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5787,7 +5787,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min 
--limit-burst 10 + ### END LOGGING ### +@@ -5831,7 +5831,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5874,7 +5874,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5915,7 +5915,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j 
LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5958,7 +5958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6001,7 +6001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6044,7 +6044,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW 
BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6087,7 +6087,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6130,7 +6130,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6173,7 +6173,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6217,7 +6217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6260,7 +6260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6301,7 +6301,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6344,7 +6344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6387,7 +6387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6430,7 +6430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j 
RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6473,7 +6473,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6516,7 +6516,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6559,7 +6559,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 
3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6600,7 +6600,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6643,7 +6643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6684,7 +6684,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6727,7 +6727,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6770,7 +6770,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6813,7 +6813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m 
limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6856,7 +6856,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6897,7 +6897,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6940,7 +6940,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6981,7 +6981,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7024,7 +7024,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7067,7
+7067,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7108,7 +7108,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7151,7 +7151,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit
3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7194,7 +7194,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7237,7 +7237,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7278,7 +7278,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7321,7 +7321,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7362,7 +7362,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7405,7 +7405,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7448,7 +7448,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7491,7 +7491,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7534,7 +7534,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit 
--limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7575,7 +7575,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7618,7 +7618,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7659,7 +7659,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7702,7 +7702,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7745,7 +7745,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7786,7 +7786,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit
--limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7822,8 +7822,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit tcp 80 192.168.0.0/16 any 0.0.0.0/0 Apache - in
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache'
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache'
+ -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache'
+ 
+ ### END RULES ###
+@@ -7831,7 +7831,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7867,8 +7867,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ###
tuple ### limit tcp 443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Secure - in
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure'
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure'
+ -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure'
+ 
+ ### END RULES ###
+@@ -7876,7 +7876,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7912,8 +7912,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit tcp 80,443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Full - in
+--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full'
+--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30
--hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full'
++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full'
++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full'
+ -A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full'
+ 
+ ### END RULES ###
+@@ -7921,7 +7921,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7957,11 +7957,11 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit any 53 192.168.0.0/16 any 0.0.0.0/0 Bind9 - in
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9'
+--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9'
++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j
ufw-user-limit -m comment --comment 'dapp_Bind9'
+ -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9'
+--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9'
+--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9'
++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9'
++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9'
+ -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9'
+ 
+ ### END RULES ###
+@@ -7969,7 +7969,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8005,8 +8005,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -8014,7 +8014,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8045,13 +8045,13 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate
NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 192.168.0.0/16 any 0.0.0.0/0 Samba - in
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -8059,7 +8059,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8095,8 +8095,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit udp 123 192.168.0.0/16 any 0.0.0.0/0 OpenNTPD - in
+--A ufw-user-input -p udp -d
192.168.0.0/16 --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD'
+--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD'
++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD'
++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD'
+ -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD'
+ 
+ ### END RULES ###
+@@ -8104,7 +8104,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8140,8 +8140,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit tcp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20TCP - in
+--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP'
+--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP'
++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d
192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP'
++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP'
+ -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP'
+ 
+ ### END RULES ###
+@@ -8149,7 +8149,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8185,8 +8185,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit udp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20UDP - in
+--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP'
+--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP'
++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP'
++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment
--comment 'dapp_Multi%20UDP'
+ -A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP'
+ 
+ ### END RULES ###
+@@ -8194,7 +8194,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8230,8 +8230,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in
+--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache'
+--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache'
++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache'
++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache'
+ -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache'
+ 
+ ### END RULES ###
+@@ -8239,7 +8239,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j
RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8275,8 +8275,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -8284,7 +8284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8320,8 +8320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 
80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -8329,7 +8329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8365,11 +8365,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent 
--set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -8377,7 +8377,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8413,8 +8413,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8422,7 +8422,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8453,13 +8453,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m 
multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8467,7 +8467,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8503,8 +8503,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A 
ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -8512,7 +8512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8548,8 +8548,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 
'dapp_Multi%20TCP' + + ### END RULES ### +@@ -8557,7 +8557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8593,8 +8593,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -8602,7 +8602,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m 
limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8638,8 +8638,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.0/16 - Apache in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -8647,7 +8647,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8683,8 +8683,8 @@ WARN: Checks disabled + ### RULES ### + 
+ ### tuple ### limit tcp any 0.0.0.0/0 443 192.168.0.0/16 - Apache%20Secure in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -8692,7 +8692,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8728,8 +8728,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80,443 192.168.0.0/16 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 
--hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -8737,7 +8737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8773,11 +8773,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 192.168.0.0/16 - Bind9 in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j 
ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -8785,7 +8785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8821,8 +8821,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8830,7 +8830,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8861,13 +8861,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate 
NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 192.168.0.0/16 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8875,7 +8875,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8911,8 +8911,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 192.168.0.0/16 - OpenNTPD in +--A ufw-user-input -p udp -s 
192.168.0.0/16 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -8920,7 +8920,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8956,8 +8956,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 
192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20TCP' + + ### END RULES ### +@@ -8965,7 +8965,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9001,8 +9001,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment 
--comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9010,7 +9010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9046,8 +9046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9055,7 +9055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j 
RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9091,8 +9091,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 443 0.0.0.0/0 - Apache%20Secure in +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -9100,7 +9100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9136,8 +9136,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 
any 0.0.0.0/0 80,443 0.0.0.0/0 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -9145,7 +9145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9181,11 +9181,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 0.0.0.0/0 - Bind9 in +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent 
--set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -9193,7 +9193,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9229,8 +9229,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9238,7 +9238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9269,13 +9269,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m 
multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9283,7 +9283,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9319,8 +9319,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A 
ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9364,8 +9364,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 
'sapp_Multi%20TCP' + + ### END RULES ### +@@ -9373,7 +9373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9409,8 +9409,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9418,7 +9418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m 
limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9454,8 +9454,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 192.168.0.2 80 192.168.0.1 - Apache in +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9463,7 +9463,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " 
-m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9499,8 +9499,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 192.168.0.2 123 192.168.0.1 - OpenNTPD in +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9508,7 +9508,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9544,8 +9544,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport 
--sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9553,7 +9553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9584,13 +9584,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment 
--comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 192.168.0.2 139,445 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j 
ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9598,7 +9598,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9634,8 +9634,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9643,7 +9643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9674,13 +9674,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 192.168.0.2 139,445 192.168.0.1 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 
'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9688,7 +9688,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9724,8 +9724,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 192.168.0.2 80 192.168.0.1 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m 
state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -9733,7 +9733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9769,8 +9769,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 8080 192.168.0.2 Apache - in +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A 
ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -9778,7 +9778,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9814,8 +9814,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 192.168.0.1 10123 192.168.0.2 OpenNTPD - in +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -9823,7 +9823,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9859,8 +9859,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m 
multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9868,7 +9868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9899,13 +9899,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j 
ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### tuple ### limit tcp 139,445 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9913,7 +9913,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9949,8 +9949,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 
137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -9958,7 +9958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9989,13 +9989,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 
192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### 
END RULES ### +@@ -10003,7 +10003,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10039,8 +10039,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 80,443 192.168.0.2 Apache Apache%20Full in +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + + ### END RULES ### +@@ -10048,7 +10048,7 @@ WARN: 
Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10084,8 +10084,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10093,7 +10093,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10124,13 +10124,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport 
--sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10138,7 +10138,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10174,8 +10174,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --dport 8080 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp 
--dport 8080 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --dport 8080 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -10183,7 +10183,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10219,8 +10219,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment 
--comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --dport 10123 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -10228,7 +10228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10264,8 +10264,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10273,7 +10273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10304,13 +10304,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 0.0.0.0/0 139,445 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state 
NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10318,7 +10318,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10354,8 +10354,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A 
ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10363,7 +10363,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10394,13 +10394,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j 
ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10408,7 +10408,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10444,8 +10444,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 80 0.0.0.0/0 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --set -m comment --comment 
'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -10453,7 +10453,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,8 +10489,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 8080 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 
8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -10498,7 +10498,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10534,8 +10534,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 10123 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -10543,7 +10543,7 @@ 
WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10579,8 +10579,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -10588,7 +10588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10619,13 +10619,13 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9'
+ 
+ ### tuple ### limit tcp 139,445 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9'
+ 
+ ### END RULES ###
+@@ -10633,7 +10633,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10669,8 +10669,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -10678,7 +10678,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10709,13 +10709,13 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 0.0.0.0/0 22 0.0.0.0/0 Samba - in
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -10723,7 +10723,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10759,8 +10759,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit tcp 80 0.0.0.0/0 80,443 0.0.0.0/0 Apache Apache%20Full in
+--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full'
+--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full'
++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full'
++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full'
+ -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full'
+ 
+ ### END RULES ###
+@@ -10768,7 +10768,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10804,8 +10804,8 @@ WARN: Checks disabled
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba'
+ 
+ ### END RULES ###
+@@ -10813,7 +10813,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10844,13 +10844,13 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 0.0.0.0/0 139,445 0.0.0.0/0 Samba Samba in
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba'
+ 
+ ### END RULES ###
+@@ -10858,7 +10858,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10902,7 +10902,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10945,7 +10945,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -10994,7 +10994,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11042,7 +11042,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11083,7 +11083,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11140,7 +11140,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11181,7 +11181,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11252,7 +11252,7 @@ TESTING INSERT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11299,7 +11299,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11389,7 +11389,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11445,7 +11445,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11508,7 +11508,7 @@ TESTING APPLICATION INTEGRATION (interfaces)
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11552,7 +11552,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11614,7 +11614,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11658,7 +11658,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11698,33 +11698,33 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0
+--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0
+--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba in_eth0
+--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba'
+--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
+ -A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba'
+ 
+ ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba in_eth0
+--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba'
+--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
+ -A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba'
+ 
+ ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0
+--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0
+--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -11732,7 +11732,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11776,7 +11776,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11838,7 +11838,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11882,7 +11882,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11942,7 +11942,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -11986,7 +11986,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -12048,7 +12048,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -12092,7 +12092,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -12154,7 +12154,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -12198,7 +12198,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -12238,33 +12238,33 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0
+--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0
+--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba out_eth0
+--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba'
+--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba'
++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
+ -A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba'
+ 
+ ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba out_eth0
+--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba'
+--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba'
++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba'
++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 
'sapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j 
ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -12272,7 +12272,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12316,7 +12316,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12378,7 +12378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12422,7 +12422,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12482,7 +12482,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12526,7 +12526,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate 
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/good/logging/result b/tests/good/logging/result +index 6714e12..4b23f9a 100644 +--- a/tests/good/logging/result ++++ b/tests/good/logging/result +@@ -102,69 +102,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j 
ACCEPT + + ### tuple ### allow_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j ACCEPT + + ### tuple ### allow_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A 
ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j ACCEPT -m comment --comment 'dapp_Apache' + + ### tuple ### allow_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 
25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ACCEPT + + ### tuple ### allow_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### allow_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j 
ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -175,12 +175,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -245,12 +245,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -383,12 +383,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -453,12 +453,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output 
-j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -518,69 +518,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit 
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j DROP + + ### tuple ### deny_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j DROP + + ### tuple ### deny_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j DROP +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p 
udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j DROP -m comment --comment 'dapp_Apache' + + ### tuple ### deny_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j DROP + + ### tuple ### deny_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### deny_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport 
--dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -591,12 +591,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -661,12 +661,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j 
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -799,12 +799,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG 
--log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -869,12 +869,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG 
--log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -934,95 +934,95 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack 
--ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input 
-p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p 
tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### tuple ### limit_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m 
multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -1031,12 +1031,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1101,12 +1101,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m 
limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1169,92 +1169,92 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 
6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all tcp 25 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 69 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p udp --dport 69 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log-all any 443 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state 
--state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport 
--dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in + -A ufw-user-logging-input -p tcp --dport 80 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m 
conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache'
++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache'
+ -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache'
+
+ ### tuple ### limit_log-all tcp 25 10.0.0.1 25 192.168.0.1 in
+ -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN
+ -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input
+--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept
+
+ ### tuple ### limit_log-all udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba'
+
+ ### tuple ### limit_log-all tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba'
+
+ ### END RULES ###
+@@ -1263,12 +1263,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1333,12 +1333,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1398,69 +1398,69 @@ contents of user*.rules:
+ ### RULES ###
+
+ ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp --dport 23 -j RETURN
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset
+--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp --dport 23 -j RETURN
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input
+ -A ufw-user-input -p udp --dport 23 -j REJECT
+
+ ### tuple ### reject_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp --dport 25 -j RETURN
+ -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp --dport 25 -j REJECT --reject-with tcp-reset
+
+ ### tuple ### reject_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp --dport 69 -j RETURN
+ -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input
+ -A ufw-user-input -p udp --dport 69 -j REJECT
+
+ ### tuple ### reject_log any 443 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp --dport 443 -j RETURN
+ -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp --dport 443 -j RETURN
+ -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input
+ -A ufw-user-input -p udp --dport 443 -j REJECT
+
+ ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba'
+
+ ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba'
+
+ ### tuple ### reject_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in
+--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp --dport 80 -j RETURN
+ -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp --dport 80 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Apache'
+
+ ### tuple ### reject_log tcp 25 10.0.0.1 25 192.168.0.1 in
+--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN
+ -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j REJECT --reject-with tcp-reset
+
+ ### tuple ### reject_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j REJECT -m comment --comment 'dapp_Samba,sapp_Samba'
+
+ ### tuple ### reject_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba,sapp_Samba'
+@@ -1471,12 +1471,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1541,12 +1541,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1679,12 +1679,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1749,12 +1749,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1797,13 +1797,13 @@ contents of user*.rules:
+ ### RULES ###
+
+ ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba'
+
+ ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba'
+@@ -1820,12 +1820,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1867,19 +1867,19 @@ contents of user*.rules:
+ ### RULES ###
+
+ ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+
+ ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+
+ ### tuple ### reject_log-all tcp 23 10.0.0.1 any 192.168.0.1 in
+@@ -1894,12 +1894,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -1946,12 +1946,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -2006,13 +2006,13 @@ contents of user*.rules:
+ ### RULES ###
+
+ ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0
+--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-input -i eth0 -j RETURN
+ -A ufw-user-input -i eth0 -j ufw-user-logging-input
+ -A ufw-user-input -i eth0 -j ACCEPT
+
+ ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0
+--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN
+ -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-input
+ -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT
+@@ -2024,13 +2024,13 @@ contents of user*.rules:
+ -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j DROP
+
+ ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0
+--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-output -o eth0 -j RETURN
+ -A ufw-user-output -o eth0 -j ufw-user-logging-output
+ -A ufw-user-output -o eth0 -j ACCEPT
+
+ ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0
+--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN
+ -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-output
+ -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT
+@@ -2047,12 +2047,12 @@ contents of user*.rules:
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -2163,7 +2163,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2211,12 +2211,12 @@ WARN: Checks disabled
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
+--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+
+ ### RATE LIMITING ###
+@@ -2262,7 +2262,7 @@ WARN: Checks disabled
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
+ -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m limit --limit 3/min --limit-burst 10
+@@ -2313,7 +2313,7 @@ WARN: Checks disabled
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
+ -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
+@@ -2364,7 +2364,7 @@ WARN: Checks disabled
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
+--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
+ -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] 
" +diff --git a/tests/good/rules/result b/tests/good/rules/result +index 7c1570a..e4b918c 100644 +--- a/tests/good/rules/result ++++ b/tests/good/rules/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -72,7 +72,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -115,7 +115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 
10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -158,7 +158,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -201,7 +201,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -244,7 +244,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack 
--ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -284,7 +284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -320,8 +320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -329,7 +329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate 
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -373,7 +373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -416,7 +416,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -459,7 +459,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -502,7 +502,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -545,7 +545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -588,7 +588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -631,7 +631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -676,7 +676,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -719,7 +719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -763,7 +763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -806,7 +806,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -889,7 +889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -929,7 +929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -969,7 +969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1012,7 +1012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1052,7 +1052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -1095,7 +1095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1135,7 +1135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1178,7 +1178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1218,7 +1218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1261,7 +1261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1301,7 +1301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1345,7 +1345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1385,7 +1385,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1428,7 +1428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1468,7 +1468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1511,7 +1511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1551,7 +1551,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1595,7 +1595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1635,7 +1635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1678,7 +1678,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1718,7 +1718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1761,7 +1761,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1801,7 +1801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1885,7 +1885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1929,7 +1929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1969,7 +1969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2013,7 +2013,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2053,7 +2053,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2137,7 +2137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -2181,7 +2181,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2221,7 +2221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2264,7 +2264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2304,7 +2304,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2347,7 +2347,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2387,7 +2387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2430,7 +2430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2470,7 +2470,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2513,7 +2513,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2553,7 +2553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2596,7 +2596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2636,7 +2636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2679,7 +2679,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2719,7 +2719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2762,7 +2762,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2802,7 +2802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2845,7 +2845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2885,7 +2885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2928,7 +2928,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2968,7 +2968,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3011,7 +3011,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3051,7 +3051,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3094,7 +3094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3177,7 +3177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3217,7 +3217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -3260,7 +3260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3300,7 +3300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3344,7 +3344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3384,7 +3384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3428,7 +3428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3468,7 +3468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3512,7 +3512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3552,7 +3552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3596,7 +3596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3636,7 +3636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3680,7 +3680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3720,7 +3720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3803,7 +3803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3846,7 +3846,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3886,7 +3886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3929,7 +3929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3969,7 +3969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4012,7 +4012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4052,7 +4052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4095,7 +4095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4135,7 +4135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4178,7 +4178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4218,7 +4218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4301,7 +4301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -4344,7 +4344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4427,7 +4427,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4467,7 +4467,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4510,7 +4510,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4550,7 +4550,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4586,8 +4586,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4595,7 +4595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4635,7 +4635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4671,8 +4671,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4680,7 +4680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4720,7 +4720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow 
-j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4756,8 +4756,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4765,7 +4765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4805,7 +4805,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4841,11 +4841,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " 
-m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4893,7 +4893,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,11 +4929,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4941,7 +4941,7 @@ WARN: Checks disabled + 
### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4981,7 +4981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5017,11 +5017,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 
10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5029,7 +5029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5069,7 +5069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW 
ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5105,11 +5105,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5117,7 +5117,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5157,7 +5157,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5193,11 +5193,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p 
udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5205,7 +5205,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5245,7 +5245,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5281,8 +5281,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A 
ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5290,7 +5290,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5330,7 +5330,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5366,8 +5366,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5375,7 +5375,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5415,7 +5415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5451,8 +5451,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A 
ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5460,7 +5460,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5500,7 +5500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5536,8 +5536,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 
any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5545,7 +5545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5585,7 +5585,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 
10 + ### END LOGGING ### +@@ -5621,8 +5621,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5630,7 +5630,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5670,7 +5670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5706,8 +5706,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5715,7 +5715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5755,7 +5755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack 
--ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5791,8 +5791,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5800,7 +5800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5840,7 +5840,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5876,8 +5876,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5885,7 +5885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW 
BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5961,8 +5961,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5970,7 +5970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6010,7 +6010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j 
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6046,8 +6046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -6055,7 +6055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG 
--log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6095,7 +6095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6139,7 +6139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6179,7 +6179,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6222,7 +6222,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6262,7 +6262,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6305,7 +6305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6345,7 +6345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6388,7 +6388,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6428,7 +6428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6471,7 +6471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6511,7 +6511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6554,7 +6554,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6594,7 +6594,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6637,7 +6637,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6677,7 +6677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6720,7 +6720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6760,7 +6760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6803,7 +6803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6843,7 +6843,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6886,7 +6886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6926,7 +6926,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6970,7 +6970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7010,7 +7010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -7054,7 +7054,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7138,7 +7138,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7178,7 +7178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7221,7 +7221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7261,7 +7261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7304,7 +7304,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7344,7 +7344,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7387,7 +7387,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7427,7 +7427,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7470,7 +7470,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7510,7 +7510,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7553,7 +7553,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7593,7 +7593,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7636,7 +7636,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7676,7 +7676,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7719,7 +7719,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7759,7 +7759,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7802,7 +7802,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7842,7 +7842,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7885,7 +7885,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7925,7 +7925,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -7968,7 +7968,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8008,7 +8008,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8051,7 +8051,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8091,7 +8091,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING 
### 
+@@ -8134,7 +8134,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8174,7 +8174,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8217,7 +8217,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8257,7 +8257,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8300,7 +8300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8340,7 +8340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8383,7 +8383,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8423,7 +8423,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8466,7 +8466,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8506,7 +8506,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8550,7 +8550,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8594,7 +8594,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8637,7 +8637,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8680,7 +8680,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8724,7 +8724,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8767,7 +8767,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8810,7 +8810,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8854,7 +8854,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8898,7 +8898,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8941,7 +8941,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -8984,7 +8984,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -9027,7 +9027,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -9070,7 +9070,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -9113,7 +9113,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -9156,7 +9156,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -9199,7 +9199,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING 
### +@@ -9242,7 +9242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9285,7 +9285,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix 
"[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9371,7 +9371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9414,7 +9414,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9457,7 +9457,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9500,7 +9500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9543,7 +9543,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9586,7 +9586,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9629,7 +9629,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9672,7 +9672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9715,7 +9715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9758,7 +9758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9801,7 +9801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9844,7 +9844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9887,7 +9887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9930,7 +9930,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9973,7 +9973,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " 
-m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10016,7 +10016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10059,7 +10059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10102,7 +10102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10145,7 +10145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10188,7 +10188,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10231,7 +10231,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10274,7 +10274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10317,7 +10317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END 
LOGGING ### +@@ -10360,7 +10360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10403,7 +10403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10446,7 +10446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG 
--log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,7 +10489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10532,7 +10532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10575,7 +10575,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW 
BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10618,7 +10618,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10661,7 +10661,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10704,7 +10704,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10747,7 +10747,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10790,7 +10790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10833,7 +10833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10876,7 +10876,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10919,7 +10919,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10962,7 +10962,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11005,7 +11005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11048,7 +11048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11091,7 +11091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11134,7 +11134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11177,7 +11177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11220,7 +11220,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j 
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11263,7 +11263,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11306,7 +11306,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11349,7 
+11349,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11392,7 +11392,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11435,7 +11435,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] 
" -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11478,7 +11478,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11521,7 +11521,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11564,7 +11564,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 
3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11607,7 +11607,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11650,7 +11650,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11693,7 +11693,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 
10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11736,7 +11736,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11779,7 +11779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11815,8 +11815,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport 
--dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11824,7 +11824,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11860,8 +11860,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11869,7 +11869,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11905,8 +11905,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11914,7 +11914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11950,8 +11950,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 
15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11959,7 +11959,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11995,8 +11995,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12004,7 +12004,7 @@ WARN: Checks disabled 
+ ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12040,8 +12040,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12049,7 +12049,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min 
--limit-burst 10 + ### END LOGGING ### +@@ -12085,8 +12085,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12094,7 +12094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12130,8 +12130,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12139,7 +12139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12175,8 +12175,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12184,7 +12184,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12220,8 +12220,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12229,7 +12229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12273,7 +12273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j 
RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12317,7 +12317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12357,7 +12357,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12400,7 +12400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12440,7 +12440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12484,7 +12484,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12527,7 +12527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 
10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12570,7 +12570,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12613,7 +12613,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12656,7 +12656,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12706,11 +12706,11 @@ Insert + ### RULES ### + + ### tuple ### allow_log any 9998 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 9998 -j RETURN + -A ufw-user-input -p tcp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 9998 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 9998 -j RETURN + -A ufw-user-input -p udp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 9998 -j ACCEPT +@@ -12735,7 +12735,7 @@ Insert + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit 
--limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12785,7 +12785,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12908,7 +12908,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12982,7 +12982,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13100,7 +13100,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13174,7 +13174,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13244,83 +13244,83 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0
+--A ufw-user-input -i eth0 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 in_eth0
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### END RULES ###
+@@ -13328,7 +13328,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13402,7 +13402,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13520,7 +13520,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13594,7 +13594,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13638,7 +13638,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13676,7 +13676,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13794,7 +13794,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13868,7 +13868,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -13986,7 +13986,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14060,7 +14060,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14130,83 +14130,83 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0
+--A ufw-user-output -o eth0 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 out_eth0
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set
+--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept
+ 
+ ### END RULES ###
+@@ -14214,7 +14214,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14288,7 +14288,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14406,7 +14406,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14480,7 +14480,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14524,7 +14524,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14562,7 +14562,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14603,7 +14603,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14646,7 +14646,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -14690,7 +14690,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j
LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14733,7 +14733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14776,7 +14776,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14819,7 
+14819,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result b/tests/ipv6/logging/result +index dd9c077..afd72dd 100644 +--- a/tests/ipv6/logging/result ++++ b/tests/ipv6/logging/result +@@ -26,23 +26,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m 
multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -52,7 +52,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -81,23 +81,23 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in 
+--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A 
ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -107,7 +107,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -143,7 +143,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -176,7 +176,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -209,7 +209,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -238,7 +238,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -248,7 +248,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -281,7 +281,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -314,7 +314,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -372,7 +372,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -427,7 +427,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -463,7 +463,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -496,7 +496,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input 
-j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -529,7 +529,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -601,7 +601,7 @@ 
contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -634,7 +634,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -666,23 +666,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m 
limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -692,7 +692,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny 
-m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -721,23 +721,23 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp 
-m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -747,7 +747,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -783,7 +783,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow 
-j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -816,7 +816,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -878,7 +878,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 
2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -888,7 +888,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -921,7 +921,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -954,7 +954,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1012,7 +1012,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1067,7 +1067,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1103,7 +1103,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1136,7 +1136,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1169,7 +1169,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1208,7 +1208,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1241,7 +1241,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1274,7 +1274,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1306,33 +1306,33 @@ contents of user*.rules:
+ ### RULES ###
+ 
+ ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp --dport 23 -j RETURN
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input
+--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept
+--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp --dport 23 -j RETURN
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input
+--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -1340,7 +1340,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1373,7 +1373,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1409,7 +1409,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1442,7 +1442,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1475,7 +1475,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1508,7 +1508,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1541,7 +1541,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1574,7 +1574,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1609,30 +1609,30 @@ contents of user*.rules:
+ -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp --dport 23 -j RETURN
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input
+--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept
+ -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp --dport 23 -j RETURN
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input
+--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept
+ 
+ ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba'
+--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba'
++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba'
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba'
+ 
+ ### END RULES ###
+@@ -1640,7 +1640,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1673,7 +1673,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1709,7 +1709,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1742,7 +1742,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1775,7 +1775,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1808,7 +1808,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1841,7 +1841,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1874,7 +1874,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1906,23 +1906,23 @@ contents of user*.rules:
+ ### RULES ###
+ 
+ ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp --dport 23 -j RETURN
+ -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset
+--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp --dport 23 -j RETURN
+ -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input
+ -A ufw-user-input -p udp --dport 23 -j REJECT
+ 
+ ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input
+ -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in
+--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input
+ -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba'
+@@ -1932,7 +1932,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -1961,23 +1961,23 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### reject_log any 23 ::/0 any ::/0 in
+--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN
+ -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input
+ -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset
+--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw6-user-logging-input -p udp --dport 23 -j RETURN
+ -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input
+ -A ufw6-user-input -p udp --dport 23 -j REJECT
+ 
+ ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in
+--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN
+ -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input
+ -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba'
+ 
+ ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in
+--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN
+ -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input
+ -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba'
+@@ -1987,7 +1987,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2023,7 +2023,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2056,7 +2056,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2089,7 +2089,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2118,7 +2118,7 @@ COMMIT
+ ### RULES ###
+ 
+ ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in
+--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
+ -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN
+ -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input
+ -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset
+@@ -2128,7 +2128,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2161,7 +2161,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2194,7 +2194,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2252,7 +2252,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2307,7 +2307,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2343,7 +2343,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2376,7 +2376,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2409,7 +2409,7 @@ contents of user*.rules:
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -2448,7 +2448,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2481,7 +2481,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2547,13 +2547,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG 
--log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2563,7 +2563,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2592,13 +2592,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state 
--state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2614,7 +2614,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2646,13 +2646,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in 
+--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2662,7 +2662,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2691,13 +2691,13 @@ COMMIT + ### RULES ### + + ### tuple 
### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2713,7 +2713,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2749,7 +2749,7 @@ 
contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2782,7 +2782,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2827,13 +2827,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 
-m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -2843,7 +2843,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2872,13 +2872,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit 
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2890,13 +2890,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2912,7 +2912,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result.1.3 b/tests/ipv6/logging/result.1.3 +index 5b0c26d..036b49e 100644 +--- a/tests/ipv6/logging/result.1.3 ++++ b/tests/ipv6/logging/result.1.3 +@@ -15,23 +15,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 
-m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -48,11 +48,11 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + 
-A ufw6-user-input -p udp --dport 23 -j ACCEPT +@@ -111,7 +111,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -303,23 +303,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport 
--dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -336,11 +336,11 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP +@@ -399,7 +399,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -591,33 +591,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j 
ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -730,30 +730,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j 
ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A 
ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -863,23 +863,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A 
ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -896,11 +896,11 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT +@@ -959,7 +959,7 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1152,13 +1152,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + 
-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1198,13 +1198,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -1285,13 +1285,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -1308,13 +1308,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 
2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -1326,13 +1326,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 
-p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +diff --git a/tests/ipv6/rules6/result b/tests/ipv6/rules6/result +index 4e6a197..4fd299c 100644 +--- a/tests/ipv6/rules6/result ++++ b/tests/ipv6/rules6/result +@@ -26,7 +26,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -62,7 +62,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -94,7 +94,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -129,7 +129,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -161,7 +161,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -196,7 +196,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -228,7 +228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -264,7 +264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -296,7 +296,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -332,7 +332,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -364,7 +364,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -432,7 +432,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -468,7 +468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### 
END LOGGING ### +@@ -500,7 +500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -536,7 +536,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -603,7 +603,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -635,7 +635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -670,7 +670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -702,7 +702,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -737,7 +737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -769,7 +769,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -804,7 +804,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -836,7 +836,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state 
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -903,7 +903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -938,7 +938,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -970,7 +970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] 
" -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1005,7 +1005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1037,7 +1037,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1072,7 +1072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 
3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1104,7 +1104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### 
LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1206,7 +1206,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1238,7 +1238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min 
--limit-burst 10 + ### END LOGGING ### +@@ -1273,7 +1273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1305,7 +1305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1340,7 +1340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1372,7 +1372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1408,7 +1408,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1440,7 +1440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1475,7 +1475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1507,7 +1507,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1542,7 +1542,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 
10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1574,7 +1574,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1609,7 +1609,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1641,7 +1641,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1677,7 +1677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1709,7 +1709,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1745,7 +1745,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1777,7 +1777,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1813,7 +1813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1881,7 +1881,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1913,7 +1913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + 
### END LOGGING ### +@@ -1949,7 +1949,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1981,7 +1981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2016,7 +2016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2048,7 +2048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2083,7 +2083,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2150,7 +2150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2182,7 +2182,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2217,7 +2217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2249,7 +2249,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2284,7 +2284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2316,7 +2316,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2351,7 +2351,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2383,7 +2383,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2418,7 +2418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2450,7 +2450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2485,7 +2485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2517,7 +2517,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2552,7 +2552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2584,7 +2584,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + 
### END LOGGING ### +@@ -2619,7 +2619,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2651,7 +2651,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2686,7 +2686,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2718,7 +2718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2753,7 +2753,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2785,7 +2785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2821,7 +2821,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2853,7 +2853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3099,7 +3099,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3169,7 +3169,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3204,7 +3204,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3239,7 +3239,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3274,7 +3274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3309,7 +3309,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3345,7 +3345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3380,7 +3380,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3415,7 +3415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3450,7 +3450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3485,7 +3485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + 
### END LOGGING ### +@@ -3520,7 +3520,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3555,7 +3555,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3590,7 +3590,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3625,7 +3625,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3660,7 +3660,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3695,7 +3695,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3730,7 +3730,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3765,7 +3765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3800,7 +3800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3835,7 +3835,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3905,7 +3905,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3975,7 +3975,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4010,7 +4010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4045,7 +4045,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4080,7 +4080,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4115,7 +4115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4150,7 +4150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4187,7 +4187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### 
END LOGGING ### +@@ -4223,7 +4223,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4297,7 +4297,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW 
ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4335,7 +4335,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4371,7 +4371,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4409,7 +4409,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4445,7 +4445,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4483,7 +4483,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4519,7 +4519,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4557,7 +4557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4593,7 +4593,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4631,7 +4631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m 
limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4667,7 +4667,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4705,7 +4705,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4741,7 +4741,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4779,7 +4779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4815,7 +4815,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4889,7 +4889,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4927,7 +4927,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4963,7 +4963,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5001,7 +5001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5037,7 +5037,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5075,7 +5075,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5111,7 +5111,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5149,7 +5149,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5185,7 +5185,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] 
" -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5223,7 +5223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5259,7 +5259,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5297,7 +5297,7 @@ WARN: Checks disabled + ### LOGGING 
### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5333,7 +5333,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5371,7 +5371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -5407,7 +5407,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5481,7 +5481,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m 
limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5519,7 +5519,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5555,7 +5555,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5593,7 +5593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5629,7 +5629,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5667,7 +5667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5703,7 +5703,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5741,7 +5741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5777,7 +5777,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5815,7 +5815,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5851,7 +5851,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5889,7 +5889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5999,7 +5999,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6034,7 +6034,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6069,7 +6069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state 
--state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6104,7 +6104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/rules64/result b/tests/ipv6/rules64/result +index 8703253..cc2d397 100644 +--- a/tests/ipv6/rules64/result ++++ b/tests/ipv6/rules64/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -66,7 +66,7 @@ COMMIT + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -104,7 +104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -140,7 +140,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ 
-178,7 +178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -214,7 +214,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -252,7 +252,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit 
--limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -288,7 +288,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -326,7 +326,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -404,7 +404,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -440,7 +440,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -475,7 +475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -508,7 +508,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -539,8 +539,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -548,7 +548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -593,7 +593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -630,7 +630,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -668,7 +668,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -704,7 +704,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -742,7 +742,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -785,7 +785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID 
-j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -828,7 +828,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -914,7 +914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -958,7 +958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -994,7 +994,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1029,7 +1029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny 
-m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1062,7 +1062,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1100,7 +1100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1136,7 +1136,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1204,7 +1204,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1242,7 +1242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1278,7 +1278,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1313,7 +1313,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1346,7 +1346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] 
" -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1384,7 +1384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1420,7 +1420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1455,7 +1455,7 @@ WARN: Checks disabled + ### LOGGING 
### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1488,7 +1488,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING 
### +@@ -1564,7 +1564,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1599,7 +1599,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1632,7 +1632,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m 
limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1670,7 +1670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1706,7 +1706,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1741,7 +1741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1774,7 +1774,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1812,7 +1812,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1848,7 +1848,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix 
"[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1883,7 +1883,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1916,7 +1916,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1955,7 +1955,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1991,7 +1991,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2026,7 +2026,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2059,7 +2059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2133,7 +2133,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2168,7 +2168,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN 
-m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2201,7 +2201,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2240,7 +2240,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2277,7 +2277,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2312,7 +2312,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2345,7 +2345,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2384,7 +2384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2428,7 +2428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2471,7 +2471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m 
limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2558,7 +2558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2601,7 +2601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2644,7 +2644,7 @@ WARN: Checks disabled + ### LOGGING 
### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2685,7 +2685,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2720,7 +2720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 
10 + ### END LOGGING ### +@@ -2755,7 +2755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2790,7 +2790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2825,7 +2825,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2860,7 +2860,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2895,7 +2895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3472,7 +3472,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3515,7 +3515,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3558,7 +3558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3601,7 +3601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack 
--ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3644,7 +3644,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3687,7 +3687,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3728,7 +3728,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN 
-m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3798,7 +3798,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3833,7 +3833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3868,7 +3868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3903,7 +3903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3976,7 +3976,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4014,7 +4014,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4050,7 +4050,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4088,7 +4088,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4162,7 +4162,7 @@ WARN: 
Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4198,7 +4198,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4236,7 +4236,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min 
--limit-burst 10 + ### END LOGGING ### +@@ -4272,7 +4272,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4310,7 +4310,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4346,7 +4346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j 
LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4420,7 +4420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4458,7 +4458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m 
limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4494,7 +4494,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4532,7 +4532,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4568,7 +4568,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A
ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4606,7 +4606,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4642,7 +4642,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4680,7 +4680,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4716,7 +4716,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4754,7 +4754,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4790,7 +4790,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min
--limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4828,7 +4828,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4864,7 +4864,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4902,7 +4902,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I
ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4938,7 +4938,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -4976,7 +4976,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5012,7 +5012,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW
BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5050,7 +5050,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5086,7 +5086,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5117,8 +5117,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p tcp -m
multiport --dports 34,35 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5126,7 +5126,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5163,8 +5163,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5172,7 +5172,7 @@ WARN: Checks disabled
+
### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5209,8 +5209,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5218,7 +5218,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min
--limit-burst 10
+ ### END LOGGING ###
+@@ -5255,8 +5255,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set
+--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5264,7 +5264,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5301,8 +5301,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack
--ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5310,7 +5310,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5347,8 +5347,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5356,7 +5356,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5393,8 +5393,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5402,7 +5402,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5439,8 +5439,8 @@ WARN: Checks disabled
+ ### RULES ###
+
+ ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update
--seconds 30 --hitcount 6 -j ufw-user-limit
++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set
++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
+ -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept
+
+ ### END RULES ###
+@@ -5448,7 +5448,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5493,7 +5493,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5529,7 +5529,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5568,7 +5568,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5604,7 +5604,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5639,7 +5639,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit
--limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5672,7 +5672,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5710,7 +5710,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5750,7 +5750,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A
ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5794,7 +5794,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5831,7 +5831,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@
-5869,7 +5869,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5905,7 +5905,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5943,7 +5943,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m
limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -5979,7 +5979,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6017,7 +6017,7 @@ WARN: Checks disabled
+ ### LOGGING ###
+ -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+ ### END LOGGING ###
+@@ -6053,7 +6053,7 @@ COMMIT
+ ### LOGGING ###
+ -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+ -A
ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6091,7 +6091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6127,7 +6127,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6164,7 +6164,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6199,7 +6199,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6234,7 +6234,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6295,7 +6295,7 @@ ipv4 rule in ipv4 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate 
INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6336,7 +6336,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6380,7 +6380,7 @@ ipv6 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6425,7 +6425,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min 
--limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6487,7 +6487,7 @@ ipv4 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6532,7 +6532,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6572,11 +6572,11 @@ COMMIT + -A ufw-user-input -p udp -d 127.0.0.1 --dport 23 -j ACCEPT + + ### tuple ### allow_log any 8888 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG 
--log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 8888 -j RETURN + -A ufw-user-input -p tcp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw-user-input -p udp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 8888 -j ACCEPT +@@ -6586,7 +6586,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6619,11 +6619,11 @@ COMMIT + -A ufw6-user-input -p udp -d ::1 --dport 24 -j ACCEPT + + ### tuple ### allow_log any 8888 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 8888 -j RETURN + -A 
ufw6-user-input -p tcp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw6-user-input -p udp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 8888 -j ACCEPT +@@ -6637,7 +6637,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6681,7 +6681,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6714,7 +6714,7 @@ COMMIT + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6768,7 +6768,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6810,7 +6810,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6854,7 
+6854,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6887,7 +6887,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6940,7 +6940,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + 
### END LOGGING ### +@@ -6982,7 +6982,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7026,7 +7026,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7059,7 +7059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m 
limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7137,7 +7137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7180,7 +7180,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7223,7 +7223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7264,7 +7264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7299,7 +7299,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 
+ -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7334,7 +7334,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7369,7 +7369,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7406,7 +7406,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I 
ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7442,7 +7442,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7480,7 +7480,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7516,7 +7516,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j 
RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index e7ee4da..34bee1a 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -34,7 +34,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/live/result b/tests/root/live/result +index 78148f4..7b183c5 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -145,8 +145,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any 
::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -368,8 +368,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -1057,8 +1057,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1072,8 +1072,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state 
NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1082,11 +1082,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1109,7 +1109,7 @@ Status: active + -A ufw6-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG 
--log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - in_eth0 +@@ -1312,8 +1312,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1327,8 +1327,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport 
--dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1337,11 +1337,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +@@ -1364,7 +1364,7 @@ Status: active + -A ufw6-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - out_eth0 +@@ -1556,8 +1556,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i 
eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1571,8 +1571,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1581,11 +1581,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1777,8 +1777,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1792,8 +1792,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o 
eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1802,11 +1802,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index c0aa6e2..cb97ffb 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -1235,7 +1235,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW 
BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1318,7 +1318,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1444,7 +1444,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1543,7 +1543,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1647,7 +1647,7 @@ Rule inserted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1696,7 +1696,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1755,7 +1755,7 @@ Rule deleted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW 
BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1788,7 +1788,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1889,7 +1889,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1932,7 +1932,7 @@ COMMIT + ### LOGGING ### + -A 
ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2005,7 +2005,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2038,7 +2038,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ 
-2173,23 +2173,23 @@ Samba on eth0 LIMIT 10.0.0.1 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A 
ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 225: delete limit in on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +@@ -2447,23 +2447,23 @@ Samba LIMIT OUT 10.0.0.1 on eth0 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m 
multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output 
-o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 259: delete limit out on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +diff --git a/tests/root/logging/result b/tests/root/logging/result +index bbcc434..583ec46 100644 +--- a/tests/root/logging/result ++++ b/tests/root/logging/result +@@ -35,23 +35,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 
23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 
139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -61,7 +61,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -90,29 +90,29 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A 
ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ 
-122,7 +122,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -167,7 +167,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -200,7 +200,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 
3/min --limit-burst 10 + ### END LOGGING ### +@@ -261,7 +261,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -322,7 +322,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A 
ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -435,23 +435,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit 
--limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -461,7 +461,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -490,29 +490,29 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state 
--state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A 
ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -522,7 +522,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -567,7 +567,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -600,7 +600,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -661,7 +661,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -722,7 +722,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 
3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -767,7 +767,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -800,7 +800,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -835,33 +835,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A 
ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix 
"[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -869,7 +869,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -902,7 +902,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -947,7 +947,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m 
conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -980,7 +980,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1018,30 +1018,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p 
udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state 
--state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1049,7 +1049,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1082,7 +1082,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] 
" -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1127,7 +1127,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1160,7 +1160,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1195,23 +1195,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p 
tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1221,7 +1221,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit 
--limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1250,29 +1250,29 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW 
BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1282,7 +1282,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I 
ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1327,7 +1327,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1421,7 +1421,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG 
--log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1482,7 +1482,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1560,7 +1560,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min 
--limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1590,7 +1590,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1623,7 +1623,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 
3a493da..320a728 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -234,8 +234,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -255,8 +255,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -276,8 +276,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -297,8 
+297,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -322,8 +322,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -350,8 +350,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A 
ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -381,8 +381,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -415,8 +415,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -452,8 +452,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### 
allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -1173,8 +1173,8 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1189,8 +1189,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1205,8 +1205,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1221,11 +1221,11 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 
--sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 151: delete limit from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1237,11 +1237,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A 
ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 153: delete limit to 10.0.0.1 port 25 + WARN: Checks disabled + Rules updated +@@ -1253,11 +1253,11 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 155: delete limit to 10.0.0.1 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1269,11 +1269,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A 
ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 157: delete limit to 10.0.0.1 port 25 from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1285,11 +1285,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent 
--set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 159: delete limit to 10.0.0.1 port 25 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1301,8 +1301,8 @@ Rules updated + + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 161: delete limit from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1314,8 +1314,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 163: delete limit to 10.0.0.1 port 25 proto udp + WARN: Checks disabled + Rules updated +@@ -1327,8 +1327,8 @@ Rules updated + + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m 
conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 165: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1340,8 +1340,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 167: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1353,8 +1353,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 169: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1366,8 +1366,8 @@ Rules updated + + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input 
-p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 171: delete limit from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1379,8 +1379,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 173: delete limit to 10.0.0.1 port 25 proto tcp + WARN: Checks disabled + Rules updated +@@ -1392,8 +1392,8 @@ Rules updated + + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 175: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1405,8 +1405,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m 
recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 177: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1418,8 +1418,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 179: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +diff --git a/tests/root/valid6/result b/tests/root/valid6/result +index dc76378..74fcd86 100644 +--- a/tests/root/valid6/result ++++ b/tests/root/valid6/result +@@ -1670,8 +1670,8 @@ Rules updated + + + ### tuple ### limit ah any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 249: delete limit to 10.0.0.1 
proto ah + WARN: Checks disabled + Rules updated +diff --git a/tests/root_kern/limit6/result b/tests/root_kern/limit6/result +index 008d993..7a3a1ad 100644 +--- a/tests/root_kern/limit6/result ++++ b/tests/root_kern/limit6/result +@@ -40,27 +40,27 @@ Anywhere (v6) LIMIT 24/udp + + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit udp any 0.0.0.0/0 24 0.0.0.0/0 in +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit any 23 0.0.0.0/0 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### limit tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p tcp --dport 22 
-m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit udp any ::/0 24 ::/0 in +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit any 23 ::/0 any ::/0 in_eth1 +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + TESTING ARGS (delete allow/deny to/from) + 6: delete limit 22/tcp + WARN: Checks disabled diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch new file mode 100644 index 0000000000..4184e33f41 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch 
@@ -0,0 +1,93 @@ +support ./setup.py build (LP: #819600) + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 10dc74cdc0948e4038d2921e7428cbf2896df98c + +Removed ChangeLog patch due to backport status of this patch. +Modified for statement to match the one in 0.33 setup.py + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/setup.py b/setup.py +index 730c568..4e1ec9a 100644 +--- a/setup.py ++++ b/setup.py +@@ -64,37 +64,44 @@ class Install(_install, object): + real_sharedir = os.path.join(real_prefix, 'share', 'ufw') + + # Update the modules' paths +- for file in [ 'common.py', 'util.py' ]: +- print("Updating " + file) +- subprocess.call(["sed", +- "-i", +- "s%#CONFIG_PREFIX#%" + real_confdir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#STATE_PREFIX#%" + real_statedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#PREFIX#%" + real_prefix + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#IPTABLES_DIR#%" + iptables_dir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#SHARE_DIR#%" + real_sharedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i.jjm", +- "s%/sbin/iptables%" + iptables_exe + "%g", +- os.path.join('staging', file)]) ++ for fn in [ 'common.py', 'util.py' ]: ++ # 'staging' is used with just 'install' but build_lib is used when ++ # using 'build'. 
We could probably override 'def build()' but this ++ # at least works ++ for d in [os.path.join(self.build_lib, "ufw"), 'staging']: ++ f = os.path.join(d, fn) ++ if not os.path.exists(f): ++ continue ++ print("Updating " + f) ++ subprocess.call(["sed", ++ "-i", ++ "s%#CONFIG_PREFIX#%" + real_confdir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#STATE_PREFIX#%" + real_statedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#PREFIX#%" + real_prefix + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#IPTABLES_DIR#%" + iptables_dir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#SHARE_DIR#%" + real_sharedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i.jjm", ++ "s%/sbin/iptables%" + iptables_exe + "%g", ++ f]) + + # Now byte-compile everything + super(Install, self).run() diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch new file mode 100644 index 0000000000..5f9e68df82 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch 
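Review bot: Every `subprocess.call(["sed", ...])` in the new inner loop discards sed's exit status, so a failed substitution leaves the `#CONFIG_PREFIX#`/`#IPTABLES_DIR#`-style placeholders in the installed `common.py`/`util.py` without failing the build; using `subprocess.check_call` in place of `subprocess.call` would surface that, and because the prefixes are spliced into the sed expression by string concatenation, a `%` in any of them would also break the expression silently. The last call keeps `-i.jjm`, which now also runs inside `os.path.join(self.build_lib, "ufw")` and leaves a `common.py.jjm`/`util.py.jjm` backup there that presumably gets copied by the install step — worth confirming. The enclosing `Install.run` begins outside the hunk. As the file is a backport of launchpad commit 10dc74cdc0948e4038d2921e7428cbf2896df98c, the fix belongs upstream, but the patch header could at least note the limitation.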
@@ -0,0 +1,2895 @@ +adjust runtime tests to use daytime/port 13 instead of ssh/port 22 everywhere + +and adjust to use daytime/port 13 instead of http/port 80 and https/port 443 in +good/logging and ipv6/bad_args6 (Closes: 849628) + +Patch from git://git.launchpad.net/ufw +Commit f1ecc2475f8612f1ea87bd43a088d39009145dd8 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Removed code not present (tests/live_route). +Omitted result output that did not seem to change. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index 34bee1a..d1fab59 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -94,7 +94,7 @@ Could not delete non-existent rule + + + iptables -L -n: +-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ ++ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ + + Chain ufw-user-limit (0 references) + 10: delete allow Apache +@@ -254,7 +254,7 @@ WARN: Checks disabled + Status: active + + +-37: delete allow 22 ++37: delete allow 13 + WARN: Checks disabled + Could not delete non-existent rule + Could not delete non-existent rule (v6) +@@ -266,7 +266,7 @@ Could not delete non-existent rule + Could not delete non-existent rule (v6) + + +-39: delete allow to 127.0.0.1 port 22 ++39: delete allow to 127.0.0.1 port 13 + WARN: Checks disabled + Could not delete non-existent rule + +@@ -276,7 +276,7 @@ WARN: Checks disabled + Could not delete non-existent rule + + +-41: delete allow to ::1 port 22 ++41: delete allow to ::1 port 13 + WARN: Checks disabled + Could not delete non-existent rule (v6) + +diff --git a/tests/root/bugs/runtest.sh b/tests/root/bugs/runtest.sh +index 0c4db9b..4bd68d7 100755 +--- a/tests/root/bugs/runtest.sh ++++ b/tests/root/bugs/runtest.sh +@@ -93,11 +93,11 @@ sed -i "s/IPV6=.*/IPV6=yes/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable + do_cmd "0" status +-do_cmd "0" 
delete allow 22 ++do_cmd "0" delete allow 13 + do_cmd "0" delete allow Apache +-do_cmd "0" delete allow to 127.0.0.1 port 22 ++do_cmd "0" delete allow to 127.0.0.1 port 13 + do_cmd "0" delete allow to 127.0.0.1 app Apache +-do_cmd "0" delete allow to ::1 port 22 ++do_cmd "0" delete allow to ::1 port 13 + do_cmd "0" delete allow to ::1 app Apache + do_cmd "0" status + +diff --git a/tests/root/live/result b/tests/root/live/result +index 7b183c5..e862327 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -71,7 +71,7 @@ WARN: Checks disabled + Rule added + + +-14: limit 22/tcp ++14: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -103,7 +103,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + 53 ALLOW Anywhere (v6) + 23/tcp ALLOW Anywhere (v6) + 25/tcp ALLOW Anywhere (v6) +@@ -144,9 +144,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any ::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -221,7 +221,7 @@ WARN: Checks disabled + Rule deleted + + +-28: delete limit 22/tcp ++28: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + 
Skipping unsupported IPv6 'limit' rule +@@ -311,7 +311,7 @@ WARN: Checks disabled + Rule added + + +-46: limit 22/tcp ++46: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -332,7 +332,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + + + +@@ -367,9 +367,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -421,7 +421,7 @@ WARN: Checks disabled + Rule deleted + + +-58: delete limit 22/tcp ++58: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -667,7 +667,7 @@ WARN: Checks disabled + Rule added + + +-99: limit 22/tcp ++99: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -699,7 +699,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + [12] 53 ALLOW IN Anywhere (v6) + [13] 23/tcp ALLOW IN Anywhere (v6) + [14] 25/tcp ALLOW IN Anywhere (v6) +@@ -763,7 +763,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete limit 22/tcp ++113: delete limit 13/tcp + WARN: Checks disabled + Rule 
deleted + Skipping unsupported IPv6 'limit' rule +@@ -841,7 +841,7 @@ WARN: Checks disabled + Rule added + + +-129: limit 22/tcp ++129: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -862,7 +862,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + + + +@@ -916,7 +916,7 @@ WARN: Checks disabled + Rule deleted + + +-141: delete limit 22/tcp ++141: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -943,7 +943,7 @@ Rule added (v6) + 146: deny in on eth1:1 + + +-147: reject in on eth1 to 192.168.0.1 port 22 ++147: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -958,7 +958,7 @@ WARN: Checks disabled + Rule added + + +-150: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++150: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -968,7 +968,7 @@ WARN: Checks disabled + Rule added + + +-152: limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++152: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1002,12 +1002,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1031,12 +1031,12 @@ Status: active + To Action 
From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1052,9 +1052,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1063,17 +1063,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 
--dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1124,7 +1124,7 @@ Rule deleted + Rule deleted (v6) + + +-161: delete reject in on eth1 to 192.168.0.1 port 22 ++161: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + Rule deleted + + +-164: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++164: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1149,7 +1149,7 @@ WARN: Checks disabled + Rule deleted + + +-166: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++166: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1198,7 +1198,7 @@ Rule added (v6) + 175: deny out on eth1:1 + + +-176: reject out 
on eth1 to 192.168.0.1 port 22 ++176: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1213,7 +1213,7 @@ WARN: Checks disabled + Rule added + + +-179: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++179: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1223,7 +1223,7 @@ WARN: Checks disabled + Rule added + + +-181: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++181: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1257,12 +1257,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1286,12 +1286,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 
(out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1307,9 +1307,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1318,17 +1318,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack 
--ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1379,7 +1379,7 @@ Rule deleted + Rule deleted (v6) + + +-190: delete reject out on eth1 to 192.168.0.1 port 22 ++190: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1394,7 +1394,7 @@ WARN: Checks disabled + Rule deleted + + +-193: delete deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++193: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1404,7 +1404,7 @@ WARN: Checks disabled + Rule deleted + + +-195: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++195: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1452,7 +1452,7 @@ Rule added + 204: deny in on eth1:1 + + +-205: reject in on eth1 to 192.168.0.1 port 22 ++205: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1467,7 +1467,7 @@ WARN: Checks disabled + Rule added + + +-208: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++208: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1477,7 +1477,7 @@ WARN: Checks disabled + Rule added + + +-210: limit in on eth1 to 192.168.0.1 port 
22 from 10.0.0.1 port 80 ++210: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1509,12 +1509,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1534,12 +1534,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1551,9 +1551,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i 
eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1562,17 +1562,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A 
ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1603,7 +1603,7 @@ WARN: Checks disabled + Rule deleted + + +-219: delete reject in on eth1 to 192.168.0.1 port 22 ++219: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1618,7 +1618,7 @@ WARN: Checks disabled + Rule deleted + + +-222: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++222: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1628,7 +1628,7 @@ WARN: Checks disabled + Rule deleted + + +-224: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++224: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1673,7 +1673,7 @@ Rule added + 233: deny out on eth1:1 + + +-234: reject out on eth1 to 192.168.0.1 port 22 ++234: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1688,7 +1688,7 @@ WARN: Checks disabled + Rule added + + +-237: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++237: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1698,7 +1698,7 @@ WARN: Checks disabled + Rule added + + +-239: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++239: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1730,12 +1730,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 
192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1755,12 +1755,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1772,9 +1772,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1783,17 +1783,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 
192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1824,7 +1824,7 @@ WARN: Checks disabled + Rule deleted + + +-248: delete reject out on eth1 to 192.168.0.1 port 22 ++248: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1839,7 +1839,7 @@ WARN: Checks disabled + Rule deleted + + +-251: delete deny out on eth1 to 
192.168.0.1 port 22 from 10.0.0.1 ++251: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1849,7 +1849,7 @@ WARN: Checks disabled + Rule deleted + + +-253: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++253: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -2591,7 +2591,7 @@ Verify secondary chains + 494: disable + + +-495: allow 22/tcp ++495: allow 13/tcp + + + 496: enable +@@ -2675,7 +2675,7 @@ Verify secondary chains + 522: enable + + +-523: delete allow 22/tcp ++523: delete allow 13/tcp + + + Reset test +@@ -3033,7 +3033,7 @@ Setting IPV6 to yes + 588: enable + + +-589: limit 22/tcp ++589: limit 13/tcp + + + 590: allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3045,12 +3045,12 @@ Setting IPV6 to yes + 592: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + ufw allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + + +-593: delete limit 22/tcp ++593: delete limit 13/tcp + + + 594: delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3072,7 +3072,7 @@ Setting IPV6 to no + 598: enable + + +-599: limit 22/tcp ++599: limit 13/tcp + + + 600: deny Samba +@@ -3081,11 +3081,11 @@ Setting IPV6 to no + 601: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + + +-602: delete limit 22/tcp ++602: delete limit 13/tcp + + + 603: delete deny Samba +diff --git a/tests/root/live/runtest.sh b/tests/root/live/runtest.sh +index 3dd4e35..228e3e6 100755 +--- a/tests/root/live/runtest.sh ++++ b/tests/root/live/runtest.sh +@@ -43,7 +43,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 
to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -63,7 +63,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -132,7 +132,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -149,7 +149,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -168,12 +168,12 @@ do + + do_cmd "0" allow $i on eth1 + do_cmd "1" null deny $i on eth1:1 +- do_cmd "0" reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" deny $i on eth1 to 192.168.0.1 port 13 from 
10.0.0.1 + do_cmd "0" reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" allow $i on eth0 log + do_cmd "0" allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -189,12 +189,12 @@ do + + # delete what we added + do_cmd "0" delete allow $i on eth1 +- do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" delete limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" delete allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + do_cmd "0" delete reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" delete allow $i on eth0 log + do_cmd "0" delete allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -312,7 +312,7 @@ do_cmd "0" nostats disable + echo "'Resource temporarily unavailable' test" >> $TESTTMP/result + do_cmd "0" nostats disable + $TESTSTATE/ufw-init flush-all >/dev/null +-do_cmd "0" nostats allow 22/tcp ++do_cmd "0" nostats allow 13/tcp + do_cmd "0" nostats enable + $TESTSTATE/ufw-init stop >/dev/null + for i in `seq 1 25`; do +@@ -327,7 +327,7 @@ for i in `seq 1 25`; do + let count=count+1 + done + do_cmd "0" nostats enable +-do_cmd "0" nostats delete allow 22/tcp ++do_cmd "0" nostats delete allow 13/tcp + + echo "Reset test" >> $TESTTMP/result + do_cmd "0" nostats enable +@@ -445,13 +445,13 @@ do + sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- do_cmd "0" nostats limit 22/tcp ++ do_cmd "0" 
nostats limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi + do_cmd "0" nostats deny Samba + do_cmd "0" show added +- do_cmd "0" nostats delete limit 22/tcp ++ do_cmd "0" nostats delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index cb97ffb..1d9338e 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -31,7 +31,7 @@ Rule added + Rule added (v6) + + +-6: allow to any app Samba from any port 22 ++6: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -58,7 +58,7 @@ WARN: Checks disabled + Rule added (v6) + + +-11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -78,18 +78,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -110,8 +110,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 
80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -120,8 +120,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -129,8 +129,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -159,7 +159,7 @@ Rule deleted + Rule deleted (v6) + + +-19: delete allow to any app Samba from any port 22 ++19: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -186,7 +186,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -228,7 +228,7 @@ WARN: Checks disabled + Rule added + + +-33: allow to any app Samba from any port 22 ++33: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -253,7 +253,7 @@ 
WARN: Checks disabled + Rule added + + +-38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -273,12 +273,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -299,8 +299,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -308,8 +308,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -334,7 +334,7 @@ WARN: Checks disabled + Rule deleted + + +-46: delete allow to any app Samba from any port 22 ++46: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -359,7 +359,7 @@ WARN: Checks 
disabled + Rule deleted + + +-51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -406,7 +406,7 @@ Rule added + Rule added (v6) + + +-60: allow to any app Samba from any port 22 ++60: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -433,7 +433,7 @@ WARN: Checks disabled + Rule added (v6) + + +-65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -453,18 +453,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -485,8 +485,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -495,8 +495,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) 
+-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -504,8 +504,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -532,18 +532,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -564,8 +564,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 8888/tcp (Apache (v6)) ALLOW IN 
Anywhere (v6) + 138,9999/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -574,8 +574,8 @@ Anywhere (v6) ALLOW IN 138,9999/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 138,9999/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-138,9999/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++138,9999/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 8888/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -583,8 +583,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 138,9999/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 8888/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -613,7 +613,7 @@ Rule deleted + Rule deleted (v6) + + +-77: delete allow to any app Samba from any port 22 ++77: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -640,7 +640,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -682,7 +682,7 @@ WARN: Checks disabled + Rule added + + +-91: allow to any app Samba from any port 22 ++91: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -707,7 +707,7 @@ WARN: Checks disabled + Rule added + + +-96: allow 
to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++96: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -727,12 +727,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -753,8 +753,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -762,8 +762,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -790,12 +790,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 
+-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -816,8 +816,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -825,8 +825,8 @@ Anywhere ALLOW IN 192.168.2.0/24 138,9999/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 8888/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -851,7 +851,7 @@ WARN: Checks disabled + Rule deleted + + +-108: delete allow to any app Samba from any port 22 ++108: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -876,7 +876,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1356,7 +1356,7 @@ WARN: Checks disabled + Rule added + + +-164: allow 22 ++164: allow 13 + WARN: Checks disabled + Rule added + +@@ -1435,9 +1435,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp 
-m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1488,7 +1488,7 @@ WARN: Checks disabled + Rule deleted + + +-173: delete allow 22 ++173: delete allow 13 + WARN: Checks disabled + Rule deleted + +@@ -1799,7 +1799,7 @@ Rule added + Rule added (v6) + + +-192: allow 22 ++192: allow 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -1880,9 +1880,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1923,9 +1923,9 @@ COMMIT + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1949,7 +1949,7 @@ Rule deleted + Rule deleted (v6) + + +-201: delete allow 22 ++201: delete allow 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -2606,7 +2606,7 @@ Setting IPV6 to 
yes + 278: allow Samba + + +-279: allow 22/tcp ++279: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2621,8 +2621,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + ### tuple ### allow udp any ::/0 137,138 ::/0 - Samba in + -A ufw6-user-input -p udp -m multiport --sports 137,138 -j ACCEPT -m comment --comment 'sapp_Samba' +@@ -2636,8 +2636,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT + + 280: --force delete 6 + +@@ -2706,7 +2706,7 @@ Setting IPV6 to no + 289: allow Samba + + +-290: allow 22/tcp ++290: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2721,8 +2721,8 @@ Setting IPV6 to no + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + 291: --force delete 3 + +diff --git a/tests/root/live_apps/runtest.sh b/tests/root/live_apps/runtest.sh +index 04bbde3..5feb86c 100755 +--- a/tests/root/live_apps/runtest.sh ++++ b/tests/root/live_apps/runtest.sh +@@ -51,7 +51,7 @@ do + do_cmd 
"0" allow to $loc app Samba + do_cmd "0" allow from $loc app Samba + do_cmd "0" allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" allow to $loc app Samba from $loc port 22 ++ do_cmd "0" allow to $loc app Samba from $loc port 13 + do_cmd "0" allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -78,7 +78,7 @@ do + do_cmd "0" delete allow to $loc app Samba + do_cmd "0" delete allow from $loc app Samba + do_cmd "0" delete allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" delete allow to $loc app Samba from $loc port 22 ++ do_cmd "0" delete allow to $loc app Samba from $loc port 13 + do_cmd "0" delete allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -188,7 +188,7 @@ for ipv6 in no yes ; do + cat $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow Samba +- do_cmd "0" allow 22 ++ do_cmd "0" allow 13 + do_cmd "0" insert 2 allow from any to any app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to any app Samba +@@ -209,7 +209,7 @@ for ipv6 in no yes ; do + } + + do_cmd "0" delete allow Samba +- do_cmd "0" delete allow 22 ++ do_cmd "0" delete allow 13 + do_cmd "0" delete allow from any to any app Samba + do_cmd "0" delete allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" delete allow from 192.168.0.1 to any app Samba +@@ -258,7 +258,7 @@ do + + do_cmd "0" nostats allow from any app Samba + do_cmd "0" nostats allow Samba +- do_cmd "0" nostats allow 22/tcp ++ do_cmd "0" nostats allow 13/tcp + + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + if [ "$ipv6" = "yes" ]; then +@@ -267,16 +267,16 @@ do + + if [ "$ipv6" = "yes" ]; then + do_cmd "0" null --force delete 6 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user6.rules || { +- echo "Failed: Found port '22' in user6.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user6.rules || { ++ echo "Failed: Found port '13' in 
user6.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + fi + + do_cmd "0" null --force delete 3 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user.rules || { +- echo "Failed: Found port '22' in user.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user.rules || { ++ echo "Failed: Found port '13' in user.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 320a728..752b6f2 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -215,7 +215,7 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-26: limit 22/tcp ++26: limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -233,9 +233,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -254,9 +254,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp 
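Review bot: The post-delete check rewritten in the `@@ -267,16` hunk of live_apps/runtest.sh still cannot fail: `grep -v -q PATTERN FILE` exits 0 whenever at least one line does not match, which holds for any non-empty rules file, so the `|| { echo "Failed: ..."; exit 1; }` arm is unreachable. The pattern is also the wrong one for the rule being removed — `nostats allow 13/tcp` (hunk `@@ -258`) is recorded as `### tuple ### allow tcp 13 ...` in the expected output, never as `allow any 13`, so even a corrected grep would search for a line that is never written. Since the commit rewrites both grep lines anyway, turn them into a positive match that fails on presence: `grep -q "^### tuple ### allow tcp 13 " $TESTSTATE/user6.rules && {` and `grep -q "^### tuple ### allow tcp 13 " $TESTSTATE/user.rules && {`, keeping the existing echo/exit block as the failure arm. The enclosing `do` loop begins outside the hunk.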
--dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -275,9 +275,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -296,9 +296,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT 
+@@ -321,9 +321,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -349,9 +349,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -380,9 +380,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent 
--update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -414,9 +414,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -451,9 +451,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A 
ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -483,7 +483,7 @@ WARN: Checks disabled + Rules updated + + +-37: delete limit 22/tcp ++37: delete limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -659,41 +659,41 @@ WARN: Checks disabled + Rules updated + + +-66: allow ssh ++66: allow daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT +-67: delete allow ssh ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT ++67: delete allow daytime + WARN: Checks disabled + Rules updated + + +-68: allow ssh/tcp ++68: allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + +-69: delete allow ssh/tcp ++69: delete allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-70: allow ssh/udp ++70: allow daytime/udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + +-71: delete allow ssh/udp ++71: delete allow daytime/udp + WARN: Checks disabled + Rules updated + +@@ -1679,28 +1679,28 @@ WARN: Checks disabled + Rules updated + + +-219: allow to any port smtp from any port ssh ++219: allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-220: delete allow 
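Review bot: The `66:`–`71:` block in valid/result now expects `allow daytime` to produce one tcp and one udp ACCEPT rule on port 13, which makes the test depend on the target's `/etc/services` mapping `daytime` for both protocols; the visible hunks do not record why `ssh` became unusable, and I presume the image's services file resolves `ssh` for tcp only, which would leave the old `allow ssh` expectation unreachable — that should be confirmed rather than assumed. The rationale for choosing daytime/13 over ssh/22 belongs in the patch header so that a later change to the services file, or a reviewer wondering why an SSH firewall test is no longer exercised, does not simply revert it. A one-line note in the patch description along the lines of `Use daytime/13 in place of ssh/22: the service name must resolve to both tcp and udp in the target's /etc/services for the any-proto expectations to hold` would be enough.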
to any port smtp from any port ssh
++220: delete allow to any port smtp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+
+
+-221: allow to any port ssh from any port smtp
++221: allow to any port daytime from any port smtp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT
++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT
+
+-222: delete allow to any port ssh from any port smtp
++222: delete allow to any port daytime from any port smtp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -1744,28 +1744,28 @@ WARN: Checks disabled
+ Rules updated
+
+
+-229: allow to any port tftp from any port ssh
++229: allow to any port tftp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT
++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT
+
+-230: delete allow to any port tftp from any port ssh
++230: delete allow to any port tftp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+
+
+-231: allow to any port ssh from any port tftp
++231: allow to any port daytime from any port tftp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT
++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT
+
+-232: delete allow to any port ssh from any port tftp
++232: delete allow to any port daytime from any port tftp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -1796,41 +1796,41 @@ WARN: Checks disabled
+ Rules updated
+
+
+-237: allow to any port ssh from any port 23
++237: allow to any port daytime from any port 23
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow any 22 0.0.0.0/0 23 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT
+--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT
+-238: delete allow to any port ssh from any port 23
++### tuple ### allow any 13 0.0.0.0/0 23 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT
++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT
++238: delete allow to any port daytime from any port 23
+ WARN: Checks disabled
+ Rules updated
+
+
+-239: allow to any port 23 from any port ssh
++239: allow to any port 23 from any port daytime
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow any 23 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT
+--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT
+-240: delete allow to any port 23 from any port ssh
++### tuple ### allow any 23 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT
++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT
++240: delete allow to any port 23 from any port daytime
+ WARN: Checks disabled
+ Rules updated
+
+
+-241: allow to any port ssh from any port domain
++241: allow to any port daytime from any port domain
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow any 22 0.0.0.0/0 53 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT
+--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT
+-242: delete allow to any port ssh from any port domain
++### tuple ### allow any 13 0.0.0.0/0 53 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT
++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT
++242: delete allow to any port daytime from any port domain
+ WARN: Checks disabled
+ Rules updated
+
+@@ -1848,28 +1848,28 @@ WARN: Checks disabled
+ Rules updated
+
+
+-245: allow to any port smtp from any port ssh proto tcp
++245: allow to any port smtp from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT
++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT
+
+-246: delete allow to any port smtp from any port ssh proto tcp
++246: delete allow to any port smtp from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-247: allow to any port ssh from any port smtp proto tcp
++247: allow to any port daytime from any port smtp proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT
++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT
+
+-248: delete allow to any port ssh from any port smtp proto tcp
++248: delete allow to any port daytime from any port smtp proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -1913,28 +1913,28 @@ WARN: Checks disabled
+ Rules updated
+
+
+-255: allow to any port tftp from any port ssh proto udp
++255: allow to any port tftp from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT
++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT
+
+-256: delete allow to any port tftp from any port ssh proto udp
++256: delete allow to any port tftp from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-257: allow to any port ssh from any port tftp proto udp
++257: allow to any port daytime from any port tftp proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT
++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT
+
+-258: delete allow to any port ssh from any port tftp proto udp
++258: delete allow to any port daytime from any port tftp proto udp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -1965,80 +1965,80 @@ WARN: Checks disabled
+ Rules updated
+
+
+-263: allow to any port ssh from any port 23 proto tcp
++263: allow to any port daytime from any port 23 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22 0.0.0.0/0 23 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT
++### tuple ### allow tcp 13 0.0.0.0/0 23 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT
+
+-264: delete allow to any port ssh from any port 23 proto tcp
++264: delete allow to any port daytime from any port 23 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-265: allow to any port 23 from any port ssh proto tcp
++265: allow to any port 23 from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 23 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT
++### tuple ### allow tcp 23 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT
+
+-266: delete allow to any port 23 from any port ssh proto tcp
++266: delete allow to any port 23 from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-267: allow to any port ssh from any port domain proto tcp
++267: allow to any port daytime from any port domain proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22 0.0.0.0/0 53 0.0.0.0/0 in
+--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT
++### tuple ### allow tcp 13 0.0.0.0/0 53 0.0.0.0/0 in
++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT
+
+-268: delete allow to any port ssh from any port domain proto tcp
++268: delete allow to any port daytime from any port domain proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-269: allow to any port ssh from any port 23 proto udp
++269: allow to any port daytime from any port 23 proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 22 0.0.0.0/0 23 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT
++### tuple ### allow udp 13 0.0.0.0/0 23 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT
+
+-270: delete allow to any port ssh from any port 23 proto udp
++270: delete allow to any port daytime from any port 23 proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-271: allow to any port 23 from any port ssh proto udp
++271: allow to any port 23 from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 23 0.0.0.0/0 22 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT
++### tuple ### allow udp 23 0.0.0.0/0 13 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT
+
+-272: delete allow to any port 23 from any port ssh proto udp
++272: delete allow to any port 23 from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-273: allow to any port ssh from any port domain proto udp
++273: allow to any port daytime from any port domain proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 22 0.0.0.0/0 53 0.0.0.0/0 in
+--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT
++### tuple ### allow udp 13 0.0.0.0/0 53 0.0.0.0/0 in
++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT
+
+-274: delete allow to any port ssh from any port domain proto udp
++274: delete allow to any port daytime from any port domain proto udp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -2196,41 +2196,41 @@ WARN: Checks disabled
+ Rules updated
+
+
+-297: allow to 192.168.0.1 port 80:83,22 proto tcp
++297: allow to 192.168.0.1 port 80:83,13 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22,80:83 192.168.0.1 any 0.0.0.0/0 in
+--A ufw-user-input -p tcp -m multiport --dports 22,80:83 -d 192.168.0.1 -j ACCEPT
++### tuple ### allow tcp 13,80:83 192.168.0.1 any 0.0.0.0/0 in
++-A ufw-user-input -p tcp -m multiport --dports 13,80:83 -d 192.168.0.1 -j ACCEPT
+
+-298: delete allow to 192.168.0.1 port 80:83,22 proto tcp
++298: delete allow to 192.168.0.1 port 80:83,13 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp
++299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow tcp 22 192.168.0.2 35:39 192.168.0.1 in
+--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT
++### tuple ### allow tcp 13 192.168.0.2 35:39 192.168.0.1 in
++-A ufw-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT
+
+-300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp
++300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp
+ WARN: Checks disabled
+ Rules updated
+
+
+-301: allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++301: allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT
++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in
++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT
+
+-302: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++302: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ WARN: Checks disabled
+ Rules updated
+
+@@ -2274,15 +2274,15 @@ WARN: Checks disabled
+ Rules updated
+
+
+-309: deny 23,21,15:19,22/udp
++309: deny 23,21,15:19,13/udp
+ WARN: Checks disabled
+ Rules updated
+
+
+-### tuple ### deny udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j DROP
++### tuple ### deny udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in
++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j DROP
+
+-310: delete deny 23,21,15:19,22/udp
++310: delete deny 23,21,15:19,13/udp
+ WARN: Checks disabled
+ Rules updated
+
+diff --git a/tests/root/valid/runtest.sh b/tests/root/valid/runtest.sh
+index aa03d99..feeacba 100755
+--- a/tests/root/valid/runtest.sh
++++ b/tests/root/valid/runtest.sh
+@@ -76,7 +76,7 @@ do_cmd "0" deny to any port 80 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" limit 22/tcp
++do_cmd "0" limit 13/tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" deny 53
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -97,7 +97,7 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+ do_cmd "0" delete allow 25/tcp
+ do_cmd "0" delete deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp
+-do_cmd "0" delete limit 22/tcp
++do_cmd "0" delete limit 13/tcp
+ do_cmd "0" delete deny 53
+ do_cmd "0" delete allow 80/tcp
+ do_cmd "0" delete allow from 10.0.0.0/8
+@@ -160,19 +160,19 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow tftp/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+-do_cmd "0" allow ssh
++do_cmd "0" allow daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow ssh
++do_cmd "0" delete allow daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+-do_cmd "0" allow ssh/tcp
++do_cmd "0" allow daytime/tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow ssh/tcp
++do_cmd "0" delete allow daytime/tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+-do_cmd "0" allow ssh/udp
++do_cmd "0" allow daytime/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow ssh/udp
++do_cmd "0" delete allow daytime/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+
+@@ -250,13 +250,13 @@ do_cmd "0" allow to any port smtp from any port smtp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port smtp from any port smtp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port smtp from any port ssh
++do_cmd "0" allow to any port smtp from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port smtp from any port ssh
++do_cmd "0" delete allow to any port smtp from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port smtp
++do_cmd "0" allow to any port daytime from any port smtp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port smtp
++do_cmd "0" delete allow to any port daytime from any port smtp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" allow to any port smtp from any port 23
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -270,13 +270,13 @@ do_cmd "0" allow to any port tftp from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port tftp from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port tftp from any port ssh
++do_cmd "0" allow to any port tftp from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port tftp from any port ssh
++do_cmd "0" delete allow to any port tftp from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port tftp
++do_cmd "0" allow to any port daytime from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port tftp
++do_cmd "0" delete allow to any port daytime from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" allow to any port tftp from any port 23
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -286,30 +286,30 @@ do_cmd "0" allow to any port 23 from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port 23 from any port tftp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port 23
++do_cmd "0" allow to any port daytime from any port 23
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port 23
++do_cmd "0" delete allow to any port daytime from any port 23
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port 23 from any port ssh
++do_cmd "0" allow to any port 23 from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port 23 from any port ssh
++do_cmd "0" delete allow to any port 23 from any port daytime
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port domain
++do_cmd "0" allow to any port daytime from any port domain
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port domain
++do_cmd "0" delete allow to any port daytime from any port domain
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+ do_cmd "0" allow to any port smtp from any port smtp proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port smtp from any port smtp proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port smtp from any port ssh proto tcp
++do_cmd "0" allow to any port smtp from any port daytime proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp
++do_cmd "0" delete allow to any port smtp from any port daytime proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port smtp proto tcp
++do_cmd "0" allow to any port daytime from any port smtp proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp
++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" allow to any port smtp from any port 23 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -323,13 +323,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port tftp from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port tftp from any port ssh proto udp
++do_cmd "0" allow to any port tftp from any port daytime proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port tftp from any port ssh proto udp
++do_cmd "0" delete allow to any port tftp from any port daytime proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port tftp proto udp
++do_cmd "0" allow to any port daytime from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port tftp proto udp
++do_cmd "0" delete allow to any port daytime from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" allow to any port tftp from any port 23 proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -339,29 +339,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to any port 23 from any port tftp proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port 23 proto tcp
++do_cmd "0" allow to any port daytime from any port 23 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp
++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port 23 from any port ssh proto tcp
++do_cmd "0" allow to any port 23 from any port daytime proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp
++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port domain proto tcp
++do_cmd "0" allow to any port daytime from any port domain proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port domain proto tcp
++do_cmd "0" delete allow to any port daytime from any port domain proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port 23 proto udp
++do_cmd "0" allow to any port daytime from any port 23 proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port 23 proto udp
++do_cmd "0" delete allow to any port daytime from any port 23 proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port 23 from any port ssh proto udp
++do_cmd "0" allow to any port 23 from any port daytime proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port 23 from any port ssh proto udp
++do_cmd "0" delete allow to any port 23 from any port daytime proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port ssh from any port domain proto udp
++do_cmd "0" allow to any port daytime from any port domain proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port ssh from any port domain proto udp
++do_cmd "0" delete allow to any port daytime from any port domain proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+ echo "TESTING NETMASK" >> $TESTTMP/result
+@@ -413,17 +413,17 @@ do_cmd "0" allow to 192.168.0.1 port 80:83 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete allow to 192.168.0.1 port 80:83 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to 192.168.0.1 port 80:83,22 proto tcp
++do_cmd "0" allow to 192.168.0.1 port 80:83,13 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to 192.168.0.1 port 80:83,22 proto tcp
++do_cmd "0" delete allow to 192.168.0.1 port 80:83,13 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp
++do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp
++do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" allow 34,35/tcp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+@@ -437,9 +437,9 @@ do_cmd "0" deny 35:39/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+ do_cmd "0" delete deny 35:39/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" deny 23,21,15:19,22/udp
++do_cmd "0" deny 23,21,15:19,13/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+-do_cmd "0" delete deny 23,21,15:19,22/udp
++do_cmd "0" delete deny 23,21,15:19,13/udp
+ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
+
+ cleanup
+diff --git a/tests/root/valid6/result b/tests/root/valid6/result
+index 74fcd86..f568a2f 100644
+--- a/tests/root/valid6/result
++++ b/tests/root/valid6/result
+@@ -1049,31 +1049,31 @@ Rules updated
+ Rules updated (v6)
+
+
+-164: allow to any port smtp from any port ssh
++164: allow to any port smtp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 25 ::/0 22 ::/0 in
+--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT
++### tuple ### allow tcp 25 ::/0 13 ::/0 in
++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT
+
+-165: delete allow to any port smtp from any port ssh
++165: delete allow to any port smtp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-166: allow to any port ssh from any port smtp
++166: allow to any port daytime from any port smtp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22 ::/0 25 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT
++### tuple ### allow tcp 13 ::/0 25 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT
+
+-167: delete allow to any port ssh from any port smtp
++167: delete allow to any port daytime from any port smtp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1124,31 +1124,31 @@ Rules updated
+ Rules updated (v6)
+
+
+-174: allow to any port tftp from any port ssh
++174: allow to any port tftp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 69 ::/0 22 ::/0 in
+--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT
++### tuple ### allow udp 69 ::/0 13 ::/0 in
++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT
+
+-175: delete allow to any port tftp from any port ssh
++175: delete allow to any port tftp from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-176: allow to any port ssh from any port tftp
++176: allow to any port daytime from any port tftp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 22 ::/0 69 ::/0 in
+--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT
++### tuple ### allow udp 13 ::/0 69 ::/0 in
++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT
+
+-177: delete allow to any port ssh from any port tftp
++177: delete allow to any port daytime from any port tftp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1184,46 +1184,46 @@ Rules updated
+ Rules updated (v6)
+
+
+-182: allow to any port ssh from any port 23
++182: allow to any port daytime from any port 23
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow any 22 ::/0 23 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT
+--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT
+-183: delete allow to any port ssh from any port 23
++### tuple ### allow any 13 ::/0 23 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT
++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT
++183: delete allow to any port daytime from any port 23
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-184: allow to any port 23 from any port ssh
++184: allow to any port 23 from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow any 23 ::/0 22 ::/0 in
+--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT
+--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT
+-185: delete allow to any port 23 from any port ssh
++### tuple ### allow any 23 ::/0 13 ::/0 in
++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT
++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT
++185: delete allow to any port 23 from any port daytime
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-186: allow to any port ssh from any port domain
++186: allow to any port daytime from any port domain
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow any 22 ::/0 53 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT
+--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT
+-187: delete allow to any port ssh from any port domain
++### tuple ### allow any 13 ::/0 53 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT
++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT
++187: delete allow to any port daytime from any port domain
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1244,31 +1244,31 @@ Rules updated
+ Rules updated (v6)
+
+
+-190: allow to any port smtp from any port ssh proto tcp
++190: allow to any port smtp from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 25 ::/0 22 ::/0 in
+--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT
++### tuple ### allow tcp 25 ::/0 13 ::/0 in
++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT
+
+-191: delete allow to any port smtp from any port ssh proto tcp
++191: delete allow to any port smtp from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-192: allow to any port ssh from any port smtp proto tcp
++192: allow to any port daytime from any port smtp proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22 ::/0 25 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT
++### tuple ### allow tcp 13 ::/0 25 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT
+
+-193: delete allow to any port ssh from any port smtp proto tcp
++193: delete allow to any port daytime from any port smtp proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1319,31 +1319,31 @@ Rules updated
+ Rules updated (v6)
+
+
+-200: allow to any port tftp from any port ssh proto udp
++200: allow to any port tftp from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 69 ::/0 22 ::/0 in
+--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT
++### tuple ### allow udp 69 ::/0 13 ::/0 in
++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT
+
+-201: delete allow to any port tftp from any port ssh proto udp
++201: delete allow to any port tftp from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-202: allow to any port ssh from any port tftp proto udp
++202: allow to any port daytime from any port tftp proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 22 ::/0 69 ::/0 in
+--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT
++### tuple ### allow udp 13 ::/0 69 ::/0 in
++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT
+
+-203: delete allow to any port ssh from any port tftp proto udp
++203: delete allow to any port daytime from any port tftp proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1379,91 +1379,91 @@ Rules updated
+ Rules updated (v6)
+
+
+-208: allow to any port ssh from any port 23 proto tcp
++208: allow to any port daytime from any port 23 proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22 ::/0 23 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT
++### tuple ### allow tcp 13 ::/0 23 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT
+
+-209: delete allow to any port ssh from any port 23 proto tcp
++209: delete allow to any port daytime from any port 23 proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-210: allow to any port 23 from any port ssh proto tcp
++210: allow to any port 23 from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 23 ::/0 22 ::/0 in
+--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT
++### tuple ### allow tcp 23 ::/0 13 ::/0 in
++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT
+
+-211: delete allow to any port 23 from any port ssh proto tcp
++211: delete allow to any port 23 from any port daytime proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-212: allow to any port ssh from any port domain proto tcp
++212: allow to any port daytime from any port domain proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22 ::/0 53 ::/0 in
+--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT
++### tuple ### allow tcp 13 ::/0 53 ::/0 in
++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT
+
+-213: delete allow to any port ssh from any port domain proto tcp
++213: delete allow to any port daytime from any port domain proto tcp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-214: allow to any port ssh from any port 23 proto udp
++214: allow to any port daytime from any port 23 proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 22 ::/0 23 ::/0 in
+--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT
++### tuple ### allow udp 13 ::/0 23 ::/0 in
++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT
+
+-215: delete allow to any port ssh from any port 23 proto udp
++215: delete allow to any port daytime from any port 23 proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-216: allow to any port 23 from any port ssh proto udp
++216: allow to any port 23 from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 23 ::/0 22 ::/0 in
+--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT
++### tuple ### allow udp 23 ::/0 13 ::/0 in
++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT
+
+-217: delete allow to any port 23 from any port ssh proto udp
++217: delete allow to any port 23 from any port daytime proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-218: allow to any port ssh from any port domain proto udp
++218: allow to any port daytime from any port domain proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 22 ::/0 53 ::/0 in
+--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT
++### tuple ### allow udp 13 ::/0 53 ::/0 in
++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT
+
+-219: delete allow to any port ssh from any port domain proto udp
++219: delete allow to any port daytime from any port domain proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+@@ -1575,63 +1575,63 @@ WARN: Checks disabled
+ Rules updated (v6)
+
+
+-236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp
++236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp
+ WARN: Checks disabled
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in
+--A ufw6-user-input -p tcp -m multiport --dports 22,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT
++### tuple ### allow tcp 13,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in
++-A ufw6-user-input -p tcp -m multiport --dports 13,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT
+
+-237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp
++237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp
+ WARN: Checks disabled
+ Rules updated (v6)
+
+
+-238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp
++238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp
+ WARN: Checks disabled
+ Rules updated (v6)
+
+
+-### tuple ### allow tcp 22 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in
+--A ufw6-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT
++### tuple ### allow tcp 13 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in
++-A ufw6-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT
+
+-239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp
++239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp
+ WARN: Checks disabled
+ Rules updated (v6)
+
+
+-240: allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++240: allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT
++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in
++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT
+
+-### tuple ### allow udp 15:19,21,22,23 ::/0 24:26 ::/0 in
+--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT
++### tuple ### allow udp 13,15:19,21,23 ::/0 24:26 ::/0 in
++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT
+
+-241: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp
++241: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-242: allow 23,21,15:19,22/udp
++242: allow 23,21,15:19,13/udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+
+
+-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in
+--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT
++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in
++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT
+
+-### tuple ### allow udp 15:19,21,22,23 ::/0 any ::/0 in
+--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT
++### tuple ### allow udp 13,15:19,21,23 ::/0 any ::/0 in
++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT
+
+-243: delete allow 23,21,15:19,22/udp
++243: delete allow 23,21,15:19,13/udp
+ WARN: Checks disabled
+ Rules updated
+ Rules updated (v6)
+diff --git a/tests/root/valid6/runtest.sh b/tests/root/valid6/runtest.sh
+index 1695dd1..d08e6f3 100755
+--- a/tests/root/valid6/runtest.sh
++++ b/tests/root/valid6/runtest.sh
+@@ -154,13 +154,13 @@ do_cmd "0" allow to any port smtp from any port smtp
+ grep -A2 "tuple" $TESTSTATE/user6.rules
>> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh ++do_cmd "0" allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh ++do_cmd "0" delete allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp ++do_cmd "0" allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp ++do_cmd "0" delete allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -174,13 +174,13 @@ do_cmd "0" allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh ++do_cmd "0" allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh ++do_cmd "0" delete allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp ++do_cmd "0" allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp ++do_cmd "0" delete allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from 
any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -190,30 +190,30 @@ do_cmd "0" allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 ++do_cmd "0" allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 ++do_cmd "0" delete allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh ++do_cmd "0" allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh ++do_cmd "0" delete allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain ++do_cmd "0" allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain ++do_cmd "0" delete allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh proto tcp ++do_cmd "0" allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp ++do_cmd "0" delete allow to any port smtp from any port daytime proto 
tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp proto tcp ++do_cmd "0" allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp ++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -227,13 +227,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh proto udp ++do_cmd "0" allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh proto udp ++do_cmd "0" delete allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp proto udp ++do_cmd "0" allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp proto udp ++do_cmd "0" delete allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -243,29 +243,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp 
proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto tcp ++do_cmd "0" allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp ++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto tcp ++do_cmd "0" allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp ++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto tcp ++do_cmd "0" allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto tcp ++do_cmd "0" delete allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto udp ++do_cmd "0" allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto udp ++do_cmd "0" delete allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto udp ++do_cmd "0" allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto udp ++do_cmd "0" delete allow to any port 23 from any port daytime proto udp + grep -A2 
"tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto udp ++do_cmd "0" allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto udp ++do_cmd "0" delete allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + echo "TESTING NETMASK" >> $TESTTMP/result +@@ -303,24 +303,24 @@ do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23,21,15:19,22 from any port 
24:26 proto udp ++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow 23,21,15:19,22/udp ++do_cmd "0" allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow 23,21,15:19,22/udp ++do_cmd "0" delete allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch new file mode 100644 index 0000000000..f9c387a451 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch 
@@ -0,0 +1,106 @@
+empty our IPT_MODULES and update documentation
+
+empty out IPT_MODULES and update documentation regarding modern use of
+connection tracking modules.
+
+Patch from git://git.launchpad.net/ufw
+Commit aefb842b73726c245157096fb8992c3e82833147
+
+Written by Jamie Strandboge <jamie@ubuntu.com>
+
+Merged patch so they applied to 0.33 with missing code. Unit tests are not
+in this version.
+
+Upstream-Status: Backport
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+
+
+diff --git a/conf/ufw.defaults b/conf/ufw.defaults
+index 330ad88..b3eba8f 100644
+--- a/conf/ufw.defaults
++++ b/conf/ufw.defaults
+@@ -34,12 +34,13 @@ MANAGE_BUILTINS=no
+ # only enable if using iptables backend
+ IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf
+ 
+-# Extra connection tracking modules to load. Complete list can be found in
+-# net/netfilter/Kconfig of your kernel source. Some common modules:
++# Extra connection tracking modules to load. IPT_MODULES should typically be
++# empty for new installations and modules added only as needed. See
++# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
++# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
+ # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
+ # nf_conntrack_netbios_ns: NetBIOS (samba) client support
+ # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
+ # nf_conntrack_ftp, nf_nat_ftp: active FTP support
+ # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
+-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
+-
++IPT_MODULES=""
+
+diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8
+index eef28e1..97dc8c5 100644
+--- a/doc/ufw-framework.8
++++ b/doc/ufw-framework.8
+@@ -115,5 +115,10 @@ IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are:
+ nf_conntrack_tftp
+ nf_nat_tftp
++.PP
++Unconditional loading of connection tracking modules (nf_conntrack_*) in this
++manner is deprecated. \fBufw\fR continues to support the functionality but new
++configuration should only contain the specific modules required for the site.
++For more information, see CONNECTION HELPERS.
+ 
+ .SH "KERNEL PARAMETERS"
+ .PP
+@@ 240,5 +245,50 @@ Add the necessary \fBufw\fR rules:
+ # ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp
+ 
++.SH "CONNECTION HELPERS"
++.PP
++Various protocols require the use of netfilter connection tracking helpers to
++group related packets into RELATED flows to make rulesets clearer and more
++precise. For example, with a couple of kernel modules and a couple of rules, a
++ruleset could simply allow a connection to FTP port 21, then the kernel would
++examine the traffic and mark the other FTP data packets as RELATED to the
++initial connection.
++.PP
++When the helpers were first introduced, one could only configure the modules as
++part of module load (eg, if your FTP server listened on a different port than
++21, you'd have to load the nf_conntrack_ftp module specifying the correct
++port). Over time it was understood that unconditionally using connection
++helpers could lead to abuse, in part because some protocols allow user
++specified data that would allow traversing the firewall in undesired ways. As
++of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for
++a given port and all IP addresses) is disabled (the old behavior can be
++restored by setting net/netfilter/nf_conntrack_helper=1 in
++#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT
++target to associate traffic with a particular helper and then set RELATED rules
++to use the helper. This allows sites to tailor the use of helpers and help
++avoid abuse.
++.PP
++In general, to use helpers securely, the following needs to happen:
++.IP 1.
++net/netfilter/nf_conntrack_helper should be set to 0 (default)
++.IP 2.
++create a rule for the start of a connection (eg for FTP, port 21)
++.IP 3.
++create a helper rule to associate the helper with this connection
++.IP 4.
++create a helper rule to associate a RELATED flow with this connection
++.IP 5.
++if needed, add the corresponding nf_conntrack_* module to IPT_MODULES
++.IP 6.
++optionally add the corresponding nf_nat_* module to IPT_MODULES
++.PP
++In general it is desirable to make connection helper rules as specific as
++possible and ensure anti\-spoofing is correctly setup for your site to avoid
++security issues in your ruleset. For more information, see ANTI\-SPOOFING,
++above, and <https://home.regit.org/netfilter-en/secure-use-of-helpers/>.
++.PP
++Currently helper rules must be managed in via the RULES FILES. A future version
++of \fBufw\fR will introduce syntax for working with helper rules.
++
+ .SH SEE ALSO
+ .PP
+ \fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5)
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch
new file mode 100644
index 0000000000..ea48c83b84
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch
@@ -0,0 +1,33 @@
+tests/check-requirements: simplify and support python 3.8
+
+Written by: Jamie Strandboge <jamie@ubuntu.com>
+
+The patch was imported from git://git.launchpad.net/ufw
+commit id e30f8bc2aeb317d152e74a270a8e1336de06cee6
+
+Upstream-Status: Backport
+
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+
+diff --git a/tests/check-requirements b/tests/check-requirements
+index e873703..82fab08 100755
+--- a/tests/check-requirements
++++ b/tests/check-requirements
+@@ -45,7 +45,7 @@ runcmd() {
+ # check python
+ found_python="no"
+ echo -n "Has python: "
+-for exe in python2.7 python2.6 python2.5 python3.2 python; do
++for exe in python3 python2 python; do
+ if ! which $exe >/dev/null 2>&1; then
+ continue
+ fi
+@@ -54,7 +54,7 @@ for exe in python2.7 python2.6 python2.5 python3.2 python; do
+ echo "pass (binary: $exe, version: $v, py2)"
+ found_python="yes"
+ break
+- elif echo "$v" | grep -q "^3.[2]"; then
++ elif echo "$v" | grep -q "^3.[2-8]"; then
+ echo "pass (binary: $exe, version: $v, py3)"
+ found_python="yes"
+ break
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch
new file mode 100644
index 0000000000..e1fcf0ca56
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch
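Review bot: The widened version match `grep -q "^3.[2-8]"` still rejects Python 3.9 and every 3.1x release, so check-requirements reports no usable interpreter on a current OE build even though the recipe RDEPENDS on python3; a single bracketed digit cannot express a two-digit minor. Use an extended regex with the dot escaped, e.g. `elif echo "$v" | grep -qE "^3\.([2-9]|[1-9][0-9])"; then`, which also stops "3x2" from matching. Since this file is a verbatim upstream backport, carry the adjustment as a further patch in the series rather than editing this one.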
@@ -0,0 +1,33 @@
+Add code to detect openembedded python interpreter
+
+OE does not use /usr/bin/env as part of the interpreter, Instead, it's a
+full path in sys.executable.
+
+Upstream-Status: Inappropriate (Embedded)
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+---
+ setup.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/setup.py b/setup.py
+index 75c1105..3f9a5e0 100644
+--- a/setup.py
++++ b/setup.py
+@@ -128,6 +128,14 @@ class Install(_install, object):
+ "-i.jjm",
+ "1s%^#.*python.*%#! " + sys.executable + "%g",
+ 'staging/ufw'])
++ elif '/python' in sys.executable and \
++ os.path.basename(sys.executable) in ['python', 'python3']:
++ print("Detected full path " + sys.executable + ". substituting " + os.path.basename(sys.executable))
++ subprocess.call(["sed",
++ "-i.jjm",
++ "1s%python$%"
++ + os.path.basename(sys.executable) + "%g",
++ 'staging/ufw'])
+ 
+ self.copy_file('staging/ufw', script)
+ self.copy_file('doc/ufw.8', manpage)
+--
+2.7.4
+
diff --git a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
index 42fc262589..856270cd5c 100644
--- a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
+++ b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
@@ -16,6 +16,13 @@ SRC_URI = " \
 file://0003-fix-typeerror-on-error.patch \
 file://0004-lp1039729.patch \
 file://0005-lp1191197.patch \
+ file://0006-check-requirements-get-error.patch \
+ file://0007-use-conntrack-instead-of-state-module.patch \
+ file://0008-support-.-setup.py-build-LP-819600.patch \
+ file://0009-adjust-runtime-tests-to-use-daytime-port.patch \
+ file://0010-empty-out-IPT_MODULES-and-update-documentation.patch \
+ file://0011-tests-check-requirements--simplify-and-support-python-3.8.patch \
+ file://Add-code-to-detect-openembedded-python-interpreter.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://launchpad.net/ufw"
@@ -25,6 +32,17 @@ SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170b
 
 inherit setuptools3 features_check
 
+do_install_append() {
+ install -d ${D}${datadir}/${PN}/test
+ cp -R --no-dereference --preserve=mode,links -v ${S}/* ${D}${datadir}/${PN}/test
+}
+PACKAGES =+ "${PN}-test"
+RDEPENDS_${PN}-test += "bash"
+FILES_${PN}-test += "${datadir}/${PN}/test"
+
+# To test, install ufw-test package. You can enter /usr/share/ufw/test and run as root:
+# PYTHONPATH=tests/testarea/lib/python ./run_tests.sh -s -i python3 root
+
 RDEPENDS_${PN} = " \
 iptables \
 python3 \
@@ -33,14 +51,35 @@ RDEPENDS_${PN} = " \
 RRECOMMENDS_${PN} = " \
 kernel-module-ipv6 \
- kernel-module-nf-conntrack-ipv6 \
+ kernel-module-ipt-reject \
+ kernel-module-iptable-mangle \
+ kernel-module-iptable-raw \
+ kernel-module-ip6table-raw \
+ kernel-module-ip6t-reject \
+ kernel-module-ip6t-rt \
+ kernel-module-ip6table-mangle \
+ kernel-module-nf-conntrack \
 kernel-module-nf-log-common \
+ kernel-module-nf-conntrack-broadcast \
+ kernel-module-nf-conntrack-ftp \
+ kernel-module-nf-conntrack-netbios-ns \
+ kernel-module-nf-log-ipv4 \
+ kernel-module-nf-log-ipv6 \
 kernel-module-nf-log-ipv4 \
 kernel-module-nf-log-ipv6 \
- kernel-module-nf-addrtype \
- kernel-module-nf-limit \
- kernel-module-nf-log \
- kernel-module-nf-recent \
+ kernel-module-nf-nat-ftp \
+ kernel-module-xt-addrtype \
+ kernel-module-xt-comment \
+ kernel-module-xt-conntrack \
+ kernel-module-xt-hashlimit \
+ kernel-module-xt-hl \
+ kernel-module-xt-multiport \
+ kernel-module-xt-ratetest \
+ kernel-module-xt-socket \
+ kernel-module-xt-tcpudp \
+ kernel-module-xt-limit \
+ kernel-module-xt-log \
+ kernel-module-xt-recent \
 "
 
 # Certain items are explicitly put under /lib, not base_libdir when installed.
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
index 54e855a099..5d968f1476 100644
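Review bot: `do_install_append` copies the entire unpacked source tree (`cp -R ... ${S}/*`) into ${datadir}/${PN}/test, so the new ${PN}-test package ships the full ufw sources, every fixture under tests/, and whatever build residue is present in ${S} at install time onto the target. Restrict the copy to what run_tests.sh actually needs (the tests/ tree plus the helper scripts it invokes) rather than `${S}/*`, and declare the runtime dependencies the quoted command line implies: `RDEPENDS_${PN}-test += "bash python3 ${PN}"`, since nothing currently pulls ufw or an interpreter in alongside the test package. Which files outside tests/ the runner needs I cannot tell from this hunk — check run_tests.sh before narrowing the copy.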
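Review bot: `kernel-module-nf-log-ipv4` and `kernel-module-nf-log-ipv6` are added on new lines directly above the existing context lines that already list them, so RRECOMMENDS_${PN} now names both modules twice; drop the two added duplicates. `kernel-module-xt-ratetest` does not match any netfilter match module name I recognise — the rate-estimator match is `xt_rateest`, so this is probably a typo that will silently never resolve to a package; confirm against the kernel's module list. Note also that this hunk recommends the FTP and NetBIOS conntrack/NAT helper modules while patch 0010 in the same series empties IPT_MODULES and documents unconditional helper loading as deprecated, so unless something else on the image still loads them they are dead weight.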
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -9,7 +9,7 @@ DEPENDS += "libgcrypt"
 PV .= "r550-2jnpr1"
 SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740"
-SRC_URI = "git://github.com/ndpgroup/vpnc \
+SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \
 file://long-help \
 file://default.conf \
 file://0001-search-for-log-help-in-build-dir.patch \
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
index db7b0d486b..b9c545e155 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 PROVIDES += "cyassl"
 RPROVIDES_${PN} = "cyassl"
-SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master"
 SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e"
 S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch
new file mode 100644
index 0000000000..88794aa7ab
--- /dev/null
+++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch
@@ -0,0 +1,111 @@
+From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001
+From: Martin Dummer <md11@users.sourceforge.net>
+Date: Sun, 12 Sep 2021 22:52:26 +0200
+Subject: [PATCH] fix buffer overflow in atftpd
+
+Andreas B. Mundt <andi@debian.org> reports:
+
+I've found a problem in atftpd that might be relevant for security.
+The daemon can be crashed by any client sending a crafted combination
+of TFTP options to the server. As TFTP is usually only used in the LAN,
+it's probably not too dramatic.
+
+Observations and how to reproduce the issue
+===========================================
+
+Install bullseye packages and prepare tftp-root:
+ sudo apt install atftp atftpd
+ mkdir tmp
+ touch tmp/file.txt
+
+Run server:
+ /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \
+ --logfile=/dev/stdout --verbose=7 --port 2000 tmp
+
+Fetch file from client:
+ /usr/bin/atftp -g --trace --option "blksize 8" \
+ --remote-file file.txt -l /dev/null 127.0.0.1 2000
+
+Crash server by adding another option to the tiny blksize:
+ /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \
+ --remote-file file.txt -l /dev/null 127.0.0.1 2000
+
+Analysis
+========
+
+The reason for the crash is a buffer overflow. The size of the buffer keeping the data
+to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode
+and block number). However, the same buffer is used for the OACK, which for a blksize=8
+overflows as soon as another option is set.
+
+Signed-off-by: Martin Dummer <md11@users.sourceforge.net>
+
+CVE: CVE-2021-41054
+Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ tftpd_file.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tftpd_file.c b/tftpd_file.c
+index ff40e8d..37a0906 100644
+--- a/tftpd_file.c
++++ b/tftpd_file.c
+@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data)
+ logger(LOG_DEBUG, "timeout option -> %d", timeout);
+ }
+ 
+- /* blksize options */
++ /*
++ * blksize option, must be the last option evaluated,
++ * because data->data_buffer_size may be modified here,
++ * and may be smaller than the buffer containing options
++ */
+ if ((result = opt_get_blksize(data->tftp_options)) > -1)
+ {
+- if ((result < 8) || (result > 65464))
++ /*
++ * If we receive more options, we have to make sure our buffer for
++ * the OACK is not too small. Use the string representation of
++ * the options here for simplicity, which puts us on the save side.
++ * FIXME: Use independent buffers for OACK and data.
++ */
++ opt_options_to_string(data->tftp_options, string, MAXLEN);
++ if ((result < strlen(string)-2) || (result > 65464))
+ {
++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
++ string, strlen(string)-2);
+ tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
+ if (data->trace)
+ logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
+@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data)
+ logger(LOG_INFO, "timeout option -> %d", timeout);
+ }
+ 
+- /* blksize options */
++ /*
++ * blksize option, must be the last option evaluated,
++ * because data->data_buffer_size may be modified here,
++ * and may be smaller than the buffer containing options
++ */
+ if ((result = opt_get_blksize(data->tftp_options)) > -1)
+ {
+- if ((result < 8) || (result > 65464))
++ /*
++ * If we receive more options, we have to make sure our buffer for
++ * the OACK is not too small. Use the string representation of
++ * the options here for simplicity, which puts us on the save side.
++ * FIXME: Use independent buffers for OACK and data.
++ */
++ opt_options_to_string(data->tftp_options, string, MAXLEN);
++ if ((result < strlen(string)-2) || (result > 65464))
+ {
++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
++ string, strlen(string)-2);
+ tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
+ if (data->trace)
+ logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch
new file mode 100644
index 0000000000..310728aaca
--- /dev/null
+++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch
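Review bot: The replacement bound `result < strlen(string)-2` drops the RFC 2348 minimum of 8 that the removed `result < 8` enforced, and it compares a signed `result` against a size_t: `result` is already known to be > -1 here, but should `opt_options_to_string` ever produce fewer than two characters the subtraction wraps and every blksize request is rejected. Keep both bounds explicit, e.g. `if ((result < 8) || ((size_t)result < strlen(string)-2) || (result > 65464))`, and pass `(int)(strlen(string)-2)` (or switch to `%zu`) to the `%d` in the new LOG_NOTICE call, which is otherwise a format/argument type mismatch on LP64 targets. The same pair of lines is repeated in tftpd_send_file; both enclosing functions begin and end outside this hunk. Because the file is a verbatim upstream backport, carry the adjustment as a separate patch rather than editing this one.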
@@ -0,0 +1,48 @@
+From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001
+From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de>
+Date: Wed, 10 Jan 2018 17:01:20 +0100
+Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array
+
+This properly fixes what commit:b3e36dd tried to do.
+
+CVE: CVE-2021-46671
+Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ options.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/options.c b/options.c
+index ee419c6..c716994 100644
+--- a/options.c
++++ b/options.c
+@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options)
+ struct tftphdr *tftp_data = (struct tftphdr *)data;
+ size_t size = data_size - sizeof(tftp_data->th_opcode);
+
++ /* sanity check - requests always end in a null byte,
++ * check to prevent argz_next from reading past the end of
++ * data, as it doesn't do bounds checks */
++ if (data_size == 0 || data[data_size-1] != '\0')
++ return ERR;
++
+ /* read filename */
+ entry = argz_next(tftp_data->th_stuff, size, entry);
+ if (!entry)
+@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options)
+ struct tftphdr *tftp_data = (struct tftphdr *)data;
+ size_t size = data_size - sizeof(tftp_data->th_opcode);
+
++ /* sanity check - options always end in a null byte,
++ * check to prevent argz_next from reading past the end of
++ * data, as it doesn't do bounds checks */
++ if (data_size == 0 || data[data_size-1] != '\0')
++ return ERR;
++
+ while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
+ {
+ tmp = entry;
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
index ff9084dbf6..32b776e578 100644
--- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
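Review bot: The added sanity check in `opt_parse_request` and `opt_parse_options` still lets a one-byte request through: `data_size == 1` with `data[0] == '\0'` passes both tests, while `size = data_size - sizeof(tftp_data->th_opcode)` on the line above has already wrapped to a huge `size_t`, so `argz_next` is handed `th_stuff` (which starts beyond the datagram) with an unbounded length. Unless every caller already rejects datagrams shorter than the opcode field, widen the guard in both places to `if (data_size <= (int)sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0') return ERR;`. The remaining bodies of both functions lie outside the inner hunks, so whether such short datagrams can reach here is not visible from this patch.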
+++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb @@ -6,9 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f" -SRC_URI = "git://git.code.sf.net/p/atftp/code \ +SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \ file://atftpd.init \ file://atftpd.service \ + file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \ + file://0001-fix-buffer-overflow-in-atftpd.patch \ " SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \ file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \ diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch 
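Review bot: The new SRC_URI gains `branch=master` but keeps the bare `git://` transport to git.code.sf.net, unlike the other git fetches in this series which also add `protocol=https`. SRCREV pins the exact commit, so this is not an integrity gap, but it leaves the fetch on an unauthenticated, unencrypted protocol that mirrors increasingly refuse, and it is inconsistent with the rest of the change; `SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master;protocol=https \` aligns it, assuming the SourceForge mirror serves this repository over https as it does for others. A comment beside the two new patch lines naming the upstream release that first contains both fixes would let the backports be dropped on the next bump.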
@@ -0,0 +1,83 @@
+From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 15 Jun 2022 10:44:50 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 95f5f707..5d20759b 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
+ char *statement = NULL;
+ char *escap_userid = NULL;
+ char *escap_realm = NULL;
++ char *escap_passwd = NULL;
+ const char *cmd;
+
+ sql_settings_t *settings;
+@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
+ "Unable to begin transaction\n");
+ }
+ for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++ /* Free the buffer, current content is from previous loop. */
++ if (escap_passwd) {
++ sparams->utils->free(escap_passwd);
++ escap_passwd = NULL;
++ }
+
+ if (cur->name[0] == '*') {
+ continue;
+@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
+ }
+ sparams->utils->free(statement);
+
++ if (cur->values[0]) {
++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++ if (!escap_passwd) {
++ ret = SASL_NOMEM;
++ break;
++ }
++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++ }
++
+ /* create a statement that we will use */
+ statement = sql_create_statement(cmd, cur->name, escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
+- cur->values[0] : SQL_NULL_VALUE,
++ escap_passwd ?
++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index d55dc4ab7e..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396" SRCREV = "e41cfb986c1b1935770de554872247453fdbb079" -SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ +SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://avoid-to-call-AC_TRY_RUN.patch \ file://Fix-hardcoded-libdir.patch \ file://debian_patches_0014_avoid_pic_overwrite.diff \ @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" 
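Review bot: The new `if (cur->values[0])` in the third inner hunk dereferences `cur->values` without the NULL test that the replaced expression `cur->values && cur->values[0]` carried, so a property whose `values` array is NULL now faults instead of being stored as `SQL_NULL_VALUE`. If that case is reachable (the removed code evidently expected it), restore the guard as `if (cur->values && cur->values[0]) {`; the statement construction below already handles the absent-value case because `escap_passwd` then stays NULL. `sql_auxprop_store` begins and ends outside these hunks, so the provenance of `to_store` is not visible here.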
@@ -96,3 +97,6 @@ FILES_${PN}-dbg += "${libdir}/sasl2/.debug" FILES_${PN}-staticdev += "${libdir}/sasl2/*.a" INSANE_SKIP_${PN} += "dev-so" + +# CVE-2020-8032 affects only openSUSE +CVE_CHECK_WHITELIST += "CVE-2020-8032" diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch new file mode 100644 index 0000000000..d5e0deb899 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch @@ -0,0 +1,31 @@ +From 31d88f46bfc67de2659991674253a5d5dfb92afc Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Wed, 12 Aug 2020 12:00:29 -0700 +Subject: [PATCH] Makefile: Do not set -Werror + +clang finds more warnings which causes build to fail, disable treating +warning as errors + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + usr/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/Makefile b/usr/Makefile +index 21bb154..0018605 100644 +--- a/usr/Makefile ++++ b/usr/Makefile +@@ -35,7 +35,7 @@ endif + PKG_CONFIG = /usr/bin/pkg-config + + CFLAGS ?= -O2 -g +-WARNFLAGS ?= -Wall -Wextra -Werror -Wstrict-prototypes -fno-common ++WARNFLAGS ?= -Wall -Wextra -Wstrict-prototypes -fno-common + CFLAGS += $(WARNFLAGS) -I../include -I. -D_GNU_SOURCE \ + -I$(TOPDIR)/libopeniscsiusr + CFLAGS += $(shell $(PKG_CONFIG) --cflags libkmod) +-- +2.28.0 + diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.0.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb index 97b5563574..7cf8cfa94c 100644 --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.0.bb +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb 
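Review bot: The whitelist entry is justified only by `# CVE-2020-8032 affects only openSUSE`, which leaves the next auditor to re-derive why a CVE against this package is being silenced for every package this recipe produces. Record what was checked, e.g. `# CVE-2020-8032: reported (per NVD) against the openSUSE packaging of cyrus-sasl, not the upstream source built here; re-verify on version bumps`, ideally with the advisory URL the claim was verified against. The distinction matters because `CVE_CHECK_WHITELIST` is a permanent exclusion rather than a version-scoped one.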
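Review bot: Dropping `-Werror` from `WARNFLAGS ?=` disables warnings-as-errors for every compiler, while the patch description only motivates it for clang. Because the assignment is `?=` and the recipe already passes variables on the make command line through EXTRA_OEMAKE (`OPTFLAGS`, `PKG_CONFIG`), the same effect is available without carrying an `Inappropriate` patch by setting `WARNFLAGS="-Wall -Wextra -Wstrict-prototypes -fno-common"` there, or more narrowly by adding `-Wno-error=<diagnostic>` for the clang warnings that actually fail. If the patch stays, its description should name those diagnostics so the patch can be retired once upstream addresses them.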
@@ -12,9 +12,10 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d) LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRCREV ?= "549f8987be49583bb06b117a364bea3a8fc5250c" +SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771" -SRC_URI = "git://github.com/open-iscsi/open-iscsi \ +SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \ + file://0001-Makefile-Do-not-set-Werror.patch \ file://initd.debian \ file://99_iscsi-initiator-utils \ file://iscsi-initiator \ @@ -23,9 +24,6 @@ SRC_URI = "git://github.com/open-iscsi/open-iscsi \ file://set_initiatorname \ " S = "${WORKDIR}/git" -B = "${WORKDIR}/build" - -PV .= "+git${SRCPV}" inherit update-rc.d systemd autotools pkgconfig @@ -34,7 +32,7 @@ EXTRA_OECONF = " \ --host=${BUILD_SYS} \ " -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', '--without-systemd', d)}" +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', '--without-systemd NO_SYSTEMD=1', d)}" EXTRA_OEMAKE = ' \ OS="${TARGET_SYS}" \ @@ -43,7 +41,6 @@ EXTRA_OEMAKE = ' \ MANDIR="${mandir}" \ OPTFLAGS="-DNO_SYSTEMD ${CFLAGS}" \ PKG_CONFIG="${STAGING_BINDIR_NATIVE}/pkg-config" \ - NO_SYSTEMD=1 \ ' diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb index 6b73506c2a..d5296f6a96 100644 --- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb +++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb 
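Review bot: After this change `OPTFLAGS="-DNO_SYSTEMD ${CFLAGS}"` in EXTRA_OEMAKE is still unconditional, while `--without-systemd NO_SYSTEMD=1` now applies only when systemd is absent from DISTRO_FEATURES, so a systemd build configures with systemd support but compiles with a define whose name suggests it disables it. Make the define follow the same condition: `OPTFLAGS="${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', '-DNO_SYSTEMD', d)} ${CFLAGS}"`. Passing `NO_SYSTEMD=1` via EXTRA_OECONF also relies on configure exporting that variable into the generated makefiles; if the 2.1.3 build system does not, it belongs back in EXTRA_OEMAKE under the same condition.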
@@ -12,9 +12,10 @@ inherit features_check systemd RDEPENDS_${PN} = "python3-pygobject python3-dbus" REQUIRED_DISTRO_FEATURES = "systemd" -SRC_URI = "https://gitlab.com/craftyguy/networkd-dispatcher/-/archive/${PV}/networkd-dispatcher-${PV}.tar.bz2" -SRC_URI[md5sum] = "304d7dcc21331ea295e207f8493cb8d8" -SRC_URI[sha256sum] = "21f84c3646a043329dc64787e4e58dfce592b2559b0e3069af82c469805660c2" +SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c" +SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master" + +S = "${WORKDIR}/git" SYSTEMD_PACKAGES = "${PN}" SYSTEMD_SERVICE_${PN} = "networkd-dispatcher.service" diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch new file mode 100644 index 0000000000..b6ec8c70df --- /dev/null +++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch 
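Review bot: Moving from the release tarball with `SRC_URI[sha256sum]` to a git checkout removes the tarball URL that upstream version checking used implicitly, so add `UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"` next to SRCREV to keep the recipe visible to upgrade tooling. PV stays 2.0.1 but is now asserted by the recipe rather than tied to a checksummed archive; the commit message should state that `333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c` is the commit behind the 2.0.1 tag. `S = "${WORKDIR}/git"` is the right companion change for the new layout.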
@@ -0,0 +1,46 @@
+From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 30 Dec 2021 10:35:57 +0800
+Subject: [PATCH] fix build with glibc 2.34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The closefrom() function which is introduced in glibc 2.34 conflicts
+with the one provided by postfix.
+
+Fixes:
+| In file included from attr_clnt.c:88:
+| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’
+| 363 | extern void closefrom (int __lowfd) __THROW;
+| | ^~~~~~~~~
+| In file included from attr_clnt.c:87:
+| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’
+| 1506 | extern int closefrom(int);
+| | ^~~~~~~~~
+
+Upstream-Status: Backport
+[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/util/sys_defs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
+index 39daa16..5de5855 100644
+--- a/src/util/sys_defs.h
++++ b/src/util/sys_defs.h
+@@ -827,6 +827,9 @@ extern int initgroups(const char *, int);
+ #define HAVE_POSIX_GETPW_R
+ #endif
+ #endif
++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34)
++#define HAS_CLOSEFROM
++#endif
+
+ #endif
+
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb
index db5b41bfbd..2612e12be4 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb
@@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P file://postfix-install.patch \ file://icu-config.patch \ file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \ + file://0001-fix-build-with-glibc-2.34.patch \ " -SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec" -UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz" +SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2" +UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz" diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch new file mode 100644 index 0000000000..712d5db07d --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch 
@@ -0,0 +1,51 @@
+From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001
+From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
+Date: Tue, 3 Aug 2021 21:53:28 +0200
+Subject: [PATCH] CVE-2021-46854
+
+mod_radius: copy _only_ the password
+
+Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43]
+CVE: CVE-2021-46854
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ contrib/mod_radius.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c
+index b56cdfe..f234dd5 100644
+--- a/contrib/mod_radius.c
++++ b/contrib/mod_radius.c
+@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type,
+
+ pwlen = strlen((const char *) passwd);
+
++ /* Clear the buffers. */
++ memset(pwhash, '\0', sizeof(pwhash));
++
+ if (pwlen == 0) {
+ pwlen = RADIUS_PASSWD_LEN;
+
+ } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */
++ memcpy(pwhash, passwd, pwlen);
+
+ /* Round up the length. */
+ pwlen += (RADIUS_PASSWD_LEN - 1);
+
+ /* Truncate the length, as necessary. */
+ pwlen &= ~(RADIUS_PASSWD_LEN - 1);
++ } else {
++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */
++ memcpy(pwhash, passwd, pwlen);
+ }
+
+- /* Clear the buffers. */
+- memset(pwhash, '\0', sizeof(pwhash));
+- memcpy(pwhash, passwd, pwlen);
+
+ /* Find the password attribute. */
+ attrib = radius_get_attrib(packet, RADIUS_PASSWORD);
+--
+2.25.1
+
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch
new file mode 100644
index 0000000000..12f6948075
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch
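Review bot: The empty-password path is still an over-read after this backport: when `pwlen == 0` the first `if` sets `pwlen = RADIUS_PASSWD_LEN`, the second `if` (note `} if (` — two separate statements, not `else if`) then sees a multiple of 16 and the new `else` branch copies `RADIUS_PASSWD_LEN` bytes out of a one-byte string, which is the same class of memory disclosure the patch is meant to close. The simpler shape is to copy exactly the password once, immediately after the `memset` while `pwlen` still holds the `strlen` result — `memcpy(pwhash, passwd, pwlen);` — and drop both branch copies and the `else`, leaving the rounding logic below untouched. The rest of `radius_add_passwd` is outside the hunk, so whether callers can pass an empty password is not visible here.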
@@ -0,0 +1,278 @@ +From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <tj@castaglia.org> +Date: Sun, 6 Aug 2023 13:16:26 -0700 +Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly + formatted input text from client, caused by quote/backslash semantics, by + skipping those semantics. + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] +CVE: CVE-2023-51713 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/str.h | 3 ++- + src/main.c | 35 +++++++++++++++++++++++++++++----- + src/str.c | 22 +++++++++++++--------- + tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 94 insertions(+), 16 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 316a32a..049a1b2 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -121,6 +121,7 @@ const char *pr_gid2str(pool *, gid_t); + #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 + #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 + #define PR_STR_FL_IGNORE_CASE 0x0004 ++#define PR_STR_FL_IGNORE_QUOTES 0x0008 + + char *pr_str_get_token(char **, char *); + char *pr_str_get_token2(char **, char *, size_t *); +diff --git a/src/main.c b/src/main.c +index 1ead27f..01b1ef8 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -787,8 +787,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* By default, pr_str_get_word will handle quotes and backslashes for ++ * escaping characters. This can produce words which are shorter, use ++ * fewer bytes than the corresponding input buffer. 
++ * ++ * In this particular situation, we use the length of this initial word ++ * for determining the length of the remaining buffer bytes, assumed to ++ * contain the FTP command arguments. If this initial word is thus ++ * unexpectedly "shorter", due to nonconformant FTP text, it can lead ++ * the subsequent buffer scan, looking for CRNUL sequencees, to access ++ * unexpected memory addresses (Issue #1683). ++ * ++ * Thus for this particular situation, we tell the function to ignore/skip ++ * such quote/backslash semantics, and treat them as any other character ++ * using the IGNORE_QUOTES flag. ++ */ ++ + ptr = buf; +- wrd = pr_str_get_word(&ptr, str_flags); ++ wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); + if (wrd == NULL) { + /* Nothing there...bail out. */ + pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); +@@ -796,6 +812,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* Note that this first word is the FTP command. This is why we make ++ * use of the ptr buffer, which advances through the input buffer as ++ * we read words from the buffer. ++ */ ++ + subpool = make_sub_pool(p); + pr_pool_tag(subpool, "make_ftp_cmd pool"); + cmd = pcalloc(subpool, sizeof(cmd_rec)); +@@ -822,6 +843,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + arg_len = buflen - strlen(wrd); + arg = pcalloc(cmd->pool, arg_len + 1); + ++ /* Remember that ptr here is advanced past the first word. */ + for (i = 0, j = 0; i < arg_len; i++) { + pr_signals_handle(); + if (i > 1 && +@@ -830,15 +852,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + + /* Strip out the NUL by simply not copying it into the new buffer. 
*/ + have_crnul = TRUE; +- ++ + } else { + arg[j++] = ptr[i]; + } + } + +- cmd->arg = arg; +- +- if (have_crnul) { ++ if (have_crnul == TRUE) { + char *dup_arg; + + /* Now make a copy of the stripped argument; this is what we need to +@@ -848,6 +868,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + ptr = dup_arg; + } + ++ cmd->arg = arg; ++ ++ /* Now we can read the remamining words, as command arguments, from the ++ * input buffer. ++ */ + while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { + pr_signals_handle(); + *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); +diff --git a/src/str.c b/src/str.c +index eeed096..04188ce 100644 +--- a/src/str.c ++++ b/src/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { + + char *pr_str_get_word(char **cp, int flags) { + char *res, *dst; +- char quote_mode = 0; ++ int quote_mode = FALSE; + + if (cp == NULL || + !*cp || +@@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { + } + } + +- if (**cp == '\"') { +- quote_mode++; +- (*cp)++; ++ if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { ++ if (**cp == '\"') { ++ quote_mode = TRUE; ++ (*cp)++; ++ } + } + + while (**cp && (quote_mode ? 
(**cp != '\"') : !PR_ISSPACE(**cp))) { + pr_signals_handle(); + +- if (**cp == '\\' && quote_mode) { +- ++ if (**cp == '\\' && ++ quote_mode == TRUE) { + /* Escaped char */ + if (*((*cp)+1)) { +- *dst = *(++(*cp)); ++ *dst++ = *(++(*cp)); ++ (*cp)++; ++ continue; + } + } + + *dst++ = **cp; +- ++(*cp); ++ (*cp)++; + } + + if (**cp) { +diff --git a/tests/api/str.c b/tests/api/str.c +index 7c6e110..77fda8f 100644 +--- a/tests/api/str.c ++++ b/tests/api/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server testsuite +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -695,19 +695,23 @@ END_TEST + START_TEST (get_word_test) { + char *ok, *res, *str; + ++ mark_point(); + res = pr_str_get_word(NULL, 0); + fail_unless(res == NULL, "Failed to handle null arguments"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = NULL; + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle null str argument"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = pstrdup(p, " "); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle whitespace argument"); + ++ mark_point(); + str = pstrdup(p, " foo"); + res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); + fail_unless(res != NULL, "Failed to handle whitespace argument: %s", +@@ -723,6 +727,7 @@ START_TEST (get_word_test) { + ok = "foo"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + ++ mark_point(); + str = pstrdup(p, " # foo"); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle commented argument"); +@@ -742,6 +747,8 @@ START_TEST (get_word_test) { + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + + /* Test multiple 
embedded quotes. */ ++ ++ mark_point(); + str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); + res = pr_str_get_word(&str, 0); + fail_unless(res != NULL, "Failed to handle quoted argument: %s", +@@ -770,6 +777,47 @@ START_TEST (get_word_test) { + + ok = "quz norf"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ ++ /* Test embedded quotes with backslashes (Issue #1683). */ ++ mark_point(); ++ ++ str = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ ok = "\\SYST"; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ /* Note that pr_str_get_word() is intended to be called multiple times ++ * on an advancing buffer, effectively tokenizing the buffer. This is ++ * why the function does NOT decrement its quote mode. ++ */ ++ ok = ""; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ /* Now do the same tests with the IGNORE_QUOTES flag */ ++ mark_point(); ++ ++ str = ok = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = ok = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + } + END_TEST + +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 1e4697a633..aa1f9e4ef9 100644 
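Review bot: `arg_len = buflen - strlen(wrd)` is kept as is, so the bound is still only correct while the first word starts at `buf[0]` and `pr_str_get_word` consumes exactly `strlen(wrd)` bytes; `PR_STR_FL_IGNORE_QUOTES` restores that for quotes and backslashes, but any other skipped input (leading whitespace when `str_flags` lacks `PR_STR_FL_PRESERVE_WHITESPACE` — `str_flags` is set outside the hunk) reproduces the same overshoot. Deriving the remainder from how far the tokenizer actually advanced removes the assumption: `arg_len = buflen - (ptr - buf);`, which should be checked against the CRNUL scan that follows since it changes the loop bound by the consumed separator. The new flag in `str.h` also deserves a comment, e.g. `/* Treat '"' and '\\' as ordinary characters; the returned word then spans exactly the bytes consumed. */`, as its purpose is currently explained only in main.c.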
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb @@ -12,6 +12,8 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2021-46854.patch \ + file://CVE-2023-51713.patch \ " SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch new file mode 100644 index 0000000000..b11721041e --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch 
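Review bot: Two more CVE backports are being stacked onto proftpd 1.3.6 while the recipe still carries `SRC_URI[md5sum]` next to `SRC_URI[sha256sum]`; the md5 line adds nothing once sha256 is present and can be dropped in the same hunk. More importantly, 1.3.6 had maintenance releases (1.3.6a–1.3.6c) that bundle the intervening security fixes, so if the branch policy permits, bumping to the last 1.3.6x release would cover those without carrying individual patches — the commit message should say whether that was considered and which other 1.3.6x fixes this recipe already has.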
@@ -0,0 +1,608 @@ +Partial backport of: + +From 6ea12e8fb590ac6959e9356a81aa3370576568c3 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Tue, 26 Jul 2022 15:05:54 +0000 +Subject: [PATCH] Remove support for Gopher protocol (#1092) + +Gopher code quality remains too low for production use in most +environments. The code is a persistent source of vulnerabilities and +fixing it requires significant effort. We should not be spending scarce +Project resources on improving that code, especially given the lack of +strong demand for Gopher support. + +With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +Gopher URI scheme result in ERR_UNSUP_REQ. + +Default Squid configuration still considers TCP port 70 "safe". The +corresponding Safe_ports ACL rule has not been removed for consistency +sake: We consider WAIS port safe even though Squid refuses to forward +WAIS requests: + + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46728.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3] +CVE: CVE-2023-46728 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/Programming-Guide/Groups.dox | 5 - + doc/debug-sections.txt | 1 - + doc/manuals/de.po | 2 +- + doc/manuals/en.po | 2 +- + doc/manuals/en_AU.po | 2 +- + doc/manuals/es.po | 2 +- + doc/manuals/fr.po | 2 +- + doc/manuals/it.po | 2 +- + errors/af.po | 6 +- + errors/az.po | 6 +- + errors/bg.po | 6 +- + errors/ca.po | 6 +- + errors/cs.po | 6 +- + errors/da.po | 6 +- + errors/de.po | 6 +- + errors/el.po | 4 +- + errors/en.po | 6 +- + errors/errorpage.css | 2 +- + errors/es-mx.po | 3 +- + errors/es.po | 4 +- + errors/et.po | 6 +- + 
errors/fi.po | 7 +- + errors/fr.po | 6 +- + errors/he.po | 6 +- + errors/hu.po | 6 +- + errors/hy.po | 6 +- + errors/it.po | 4 +- + errors/ja.po | 6 +- + errors/ko.po | 6 +- + errors/lt.po | 6 +- + errors/lv.po | 6 +- + errors/nl.po | 6 +- + errors/pl.po | 6 +- + errors/pt-br.po | 6 +- + errors/pt.po | 6 +- + errors/ro.po | 4 +- + errors/ru.po | 6 +- + errors/sk.po | 6 +- + errors/sl.po | 6 +- + errors/sr-latn.po | 4 +- + errors/sv.po | 6 +- + errors/templates/ERR_UNSUP_REQ | 2 +- + errors/tr.po | 6 +- + errors/uk.po | 6 +- + errors/vi.po | 4 +- + errors/zh-hans.po | 6 +- + errors/zh-hant.po | 7 +- + src/FwdState.cc | 5 - + src/HttpRequest.cc | 6 - + src/IoStats.h | 2 +- + src/Makefile.am | 8 - + src/adaptation/ecap/Host.cc | 1 - + src/adaptation/ecap/MessageRep.cc | 2 - + src/anyp/ProtocolType.h | 1 - + src/anyp/Uri.cc | 1 - + src/anyp/UriScheme.cc | 3 - + src/cf.data.pre | 5 +- + src/client_side_request.cc | 4 - + src/error/forward.h | 2 +- + src/gopher.cc | 993 ----------------------- + src/gopher.h | 29 - + src/http/Message.h | 1 - + src/mgr/IoAction.cc | 3 - + src/mgr/IoAction.h | 2 - + src/squid.8.in | 2 +- + src/stat.cc | 19 - + src/tests/Stub.am | 1 - + src/tests/stub_gopher.cc | 17 - + test-suite/squidconf/regressions-3.4.0.1 | 1 - + 69 files changed, 88 insertions(+), 1251 deletions(-) + delete mode 100644 src/gopher.cc + delete mode 100644 src/gopher.h + delete mode 100644 src/tests/stub_gopher.cc + +--- a/src/FwdState.cc ++++ b/src/FwdState.cc +@@ -28,7 +28,6 @@ + #include "fde.h" + #include "FwdState.h" + #include "globals.h" +-#include "gopher.h" + #include "hier_code.h" + #include "http.h" + #include "http/Stream.h" +@@ -1004,10 +1003,6 @@ FwdState::dispatch() + httpStart(this); + break; + +- case AnyP::PROTO_GOPHER: +- gopherStart(this); +- break; +- + case AnyP::PROTO_FTP: + if (request->flags.ftpNative) + Ftp::StartRelay(this); +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -18,7 +18,6 @@ + #include "Downloader.h" + #include 
"err_detail_type.h" + #include "globals.h" +-#include "gopher.h" + #include "http.h" + #include "http/one/RequestParser.h" + #include "http/Stream.h" +@@ -556,11 +555,6 @@ HttpRequest::maybeCacheable() + return false; + break; + +- case AnyP::PROTO_GOPHER: +- if (!gopherCachable(this)) +- return false; +- break; +- + case AnyP::PROTO_CACHE_OBJECT: + return false; + +--- a/src/IoStats.h ++++ b/src/IoStats.h +@@ -22,7 +22,7 @@ public: + int writes; + int write_hist[histSize]; + } +- Http, Ftp, Gopher; ++ Http, Ftp; + }; + + #endif /* SQUID_IOSTATS_H_ */ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -306,8 +306,6 @@ squid_SOURCES = \ + FwdState.h \ + Generic.h \ + globals.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + helper.h \ + hier_code.h \ +@@ -1259,8 +1257,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -1678,8 +1674,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -1914,8 +1908,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2145,8 +2137,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2461,8 +2451,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -3307,8 +3295,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +--- a/src/adaptation/ecap/Host.cc ++++ b/src/adaptation/ecap/Host.cc +@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host() + 
libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP); + libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); + libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); +- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER); + libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); + libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); + libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS); +--- a/src/adaptation/ecap/MessageRep.cc ++++ b/src/adaptation/ecap/MessageRep.cc +@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol + return libecap::protocolHttps; + case AnyP::PROTO_FTP: + return libecap::protocolFtp; +- case AnyP::PROTO_GOPHER: +- return libecap::protocolGopher; + case AnyP::PROTO_WAIS: + return libecap::protocolWais; + case AnyP::PROTO_WHOIS: +--- a/src/anyp/ProtocolType.h ++++ b/src/anyp/ProtocolType.h +@@ -27,7 +27,6 @@ typedef enum { + PROTO_HTTPS, + PROTO_COAP, + PROTO_COAPS, +- PROTO_GOPHER, + PROTO_WAIS, + PROTO_CACHE_OBJECT, + PROTO_ICP, +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -852,8 +852,6 @@ urlCheckRequest(const HttpRequest * r) + if (r->method == Http::METHOD_PUT) + rc = 1; + +- case AnyP::PROTO_GOPHER: +- + case AnyP::PROTO_WAIS: + + case AnyP::PROTO_WHOIS: +--- a/src/anyp/UriScheme.cc ++++ b/src/anyp/UriScheme.cc +@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const + // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur. 
+ return 5683; + +- case AnyP::PROTO_GOPHER: +- return 70; +- + case AnyP::PROTO_WAIS: + return 210; + +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -33,7 +33,6 @@ + #include "fd.h" + #include "fde.h" + #include "format/Token.h" +-#include "gopher.h" + #include "helper.h" + #include "helper/Reply.h" + #include "http.h" +@@ -965,9 +964,6 @@ clientHierarchical(ClientHttpRequest * h + if (request->url.getScheme() == AnyP::PROTO_HTTP) + return method.respMaybeCacheable(); + +- if (request->url.getScheme() == AnyP::PROTO_GOPHER) +- return gopherCachable(request); +- + if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) + return 0; + +--- a/src/err_type.h ++++ b/src/err_type.h +@@ -65,7 +65,7 @@ typedef enum { + ERR_GATEWAY_FAILURE, + + /* Special Cases */ +- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */ ++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */ + ERR_SQUID_SIGNATURE, /* not really an error */ + ERR_SHUTTING_DOWN, + ERR_PROTOCOL_UNKNOWN, +--- a/src/HttpMsg.h ++++ b/src/HttpMsg.h +@@ -38,7 +38,6 @@ public: + srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server + srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption + srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons +- srcGopher = 1 << (16 + 14), ///< Gopher server + srcWhois = 1 << (16 + 15), ///< Whois server + srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask + srcSafe = 0x0000FFFF ///< Safe sources mask +--- a/src/mgr/IoAction.cc ++++ b/src/mgr/IoAction.cc +@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const Io + ftp_reads += stats.ftp_reads; + for (int i = 0; i < IoStats::histSize; ++i) + ftp_read_hist[i] += stats.ftp_read_hist[i]; +- gopher_reads += stats.gopher_reads; +- for (int i = 0; i < IoStats::histSize; ++i) +- gopher_read_hist[i] += stats.gopher_read_hist[i]; + + return *this; + } +--- a/src/mgr/IoAction.h ++++ b/src/mgr/IoAction.h +@@ -27,10 +27,8 @@ public: + public: + double http_reads; 
+ double ftp_reads; +- double gopher_reads; + double http_read_hist[IoStats::histSize]; + double ftp_read_hist[IoStats::histSize]; +- double gopher_read_hist[IoStats::histSize]; + }; + + /// implement aggregated 'io' action +--- a/src/stat.cc ++++ b/src/stat.cc +@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats) + for (i = 0; i < IoStats::histSize; ++i) { + stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i]; + } +- +- stats.gopher_reads = IOStats.Gopher.reads; +- +- for (i = 0; i < IoStats::histSize; ++i) { +- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i]; +- } + } + + void +@@ -245,19 +239,6 @@ DumpIoStats(Mgr::IoActionData& stats, St + } + + storeAppendPrintf(sentry, "\n"); +- storeAppendPrintf(sentry, "Gopher I/O\n"); +- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads); +- storeAppendPrintf(sentry, "Read Histogram:\n"); +- +- for (i = 0; i < IoStats::histSize; ++i) { +- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n", +- i ? (1 << (i - 1)) + 1 : 1, +- 1 << i, +- stats.gopher_read_hist[i], +- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads)); +- } +- +- storeAppendPrintf(sentry, "\n"); + } + + static const char * +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -263,7 +263,7 @@ am__squid_SOURCES_DIST = AclRegs.cc Auth + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h htcp.cc \ + htcp.h http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -352,7 +352,7 @@ am_squid_OBJECTS = $(am__objects_1) Acce + EventLoop.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) FadingCounter.$(OBJEXT) \ + fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) 
filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrRange.$(OBJEXT) HttpHdrSc.$(OBJEXT) \ + HttpHdrScTarget.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -539,7 +539,7 @@ am__tests_testCacheManager_SOURCES_DIST + tests/stub_ETag.cc event.cc external_acl.cc \ + ExternalACLEntry.cc fatal.h tests/stub_fatal.cc fd.h fd.cc \ + fde.cc FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc hier_code.h \ ++ FwdState.cc FwdState.h hier_code.h \ + helper.cc htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -594,7 +594,7 @@ am_tests_testCacheManager_OBJECTS = Acce + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) HttpHeader.$(OBJEXT) \ + HttpHeaderTools.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ +@@ -838,7 +838,7 @@ am__tests_testEvent_SOURCES_DIST = Acces + EventLoop.h EventLoop.cc external_acl.cc ExternalACLEntry.cc \ + FadingCounter.cc fatal.h tests/stub_fatal.cc fd.h fd.cc fde.cc \ + FileMap.h filemap.cc fqdncache.h fqdncache.cc FwdState.cc \ +- FwdState.h gopher.h gopher.cc helper.cc hier_code.h htcp.cc \ ++ FwdState.h helper.cc hier_code.h htcp.cc \ + htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -891,7 +891,7 @@ am_tests_testEvent_OBJECTS = AccessLogEn + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) 
fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -975,8 +975,8 @@ am__tests_testEventLoop_SOURCES_DIST = A + tests/stub_ETag.cc EventLoop.h EventLoop.cc event.cc \ + external_acl.cc ExternalACLEntry.cc FadingCounter.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -1029,7 +1029,7 @@ am_tests_testEventLoop_OBJECTS = AccessL + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1187,7 +1187,7 @@ am__tests_testHttpRequest_SOURCES_DIST = + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc \ + tests/stub_ETag.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc helper.cc \ ++ FwdState.cc FwdState.h helper.cc \ + hier_code.h htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -1243,7 +1243,7 @@ 
am_tests_testHttpRequest_OBJECTS = Acces + $(am__objects_4) errorpage.$(OBJEXT) tests/stub_ETag.$(OBJEXT) \ + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1670,8 +1670,8 @@ am__tests_testURL_SOURCES_DIST = AccessL + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc ETag.cc \ + event.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1725,7 +1725,7 @@ am_tests_testURL_OBJECTS = AccessLogEntr + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -1925,8 +1925,8 @@ am__tests_test_http_range_SOURCES_DIST = + dns_internal.cc errorpage.cc tests/stub_ETag.cc event.cc \ + FadingCounter.cc fatal.h tests/stub_libauth.cc \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h 
fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1979,7 +1979,7 @@ am_tests_test_http_range_OBJECTS = Acces + FadingCounter.$(OBJEXT) tests/stub_libauth.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ + filemap.$(OBJEXT) fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ +- gopher.$(OBJEXT) helper.$(OBJEXT) $(am__objects_5) \ ++ helper.$(OBJEXT) $(am__objects_5) \ + http.$(OBJEXT) HttpBody.$(OBJEXT) \ + tests/stub_HttpControlMsg.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ + HttpHdrContRange.$(OBJEXT) HttpHdrRange.$(OBJEXT) \ +@@ -2131,7 +2131,7 @@ am__depfiles_remade = ./$(DEPDIR)/Access + ./$(DEPDIR)/external_acl.Po ./$(DEPDIR)/fatal.Po \ + ./$(DEPDIR)/fd.Po ./$(DEPDIR)/fde.Po ./$(DEPDIR)/filemap.Po \ + ./$(DEPDIR)/fqdncache.Po ./$(DEPDIR)/fs_io.Po \ +- ./$(DEPDIR)/globals.Po ./$(DEPDIR)/gopher.Po \ ++ ./$(DEPDIR)/globals.Po \ + ./$(DEPDIR)/helper.Po ./$(DEPDIR)/hier_code.Po \ + ./$(DEPDIR)/htcp.Po ./$(DEPDIR)/http.Po \ + ./$(DEPDIR)/icp_opcode.Po ./$(DEPDIR)/icp_v2.Po \ +@@ -3043,7 +3043,7 @@ squid_SOURCES = $(ACL_REGISTRATION_SOURC + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h \ + $(HTCPSOURCE) http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -3708,8 +3708,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -4134,8 +4132,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc 
\ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4371,8 +4367,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4604,8 +4598,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4924,8 +4916,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -5777,8 +5767,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -6823,7 +6811,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fqdncache.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fs_io.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/globals.Po@am__quote@ # am--include-marker +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gopher.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/helper.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hier_code.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/htcp.Po@am__quote@ # am--include-marker +@@ -7804,7 +7791,6 @@ distclean: distclean-recursive + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po +@@ -8129,7 +8115,6 @@ maintainer-clean: maintainer-clean-recur + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm 
-f ./$(DEPDIR)/helper.Po
+ -rm -f ./$(DEPDIR)/hier_code.Po
+ -rm -f ./$(DEPDIR)/htcp.Po
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch
new file mode 100644
index 0000000000..5b4e370d49
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch
@@ -0,0 +1,1154 @@
+Backport of:
+
+From 417da4006cf5c97d44e74431b816fc58fec9e270 Mon Sep 17 00:00:00 2001
+From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
+Date: Mon, 18 Mar 2019 17:48:21 +0000
+Subject: [PATCH] Fix incremental parsing of chunked quoted extensions (#310)
+
+Before this change, incremental parsing of quoted chunked extensions
+was broken for two reasons:
+
+* Http::One::Parser::skipLineTerminator() unexpectedly threw after
+ partially received quoted chunk extension value.
+
+* When Http::One::Tokenizer was unable to parse a quoted extension,
+ it incorrectly restored the input buffer to the beginning of the
+ extension value (instead of the extension itself), thus making
+ further incremental parsing iterations impossible.
+
+IMO, the reason for this problem was that Http::One::Tokenizer::qdText()
+could not distinguish two cases (returning false in both):
+
+* the end of the quoted string not yet reached
+
+* an input error, e.g., wrong/unexpected character
+
+A possible approach could be to improve Http::One::Tokenizer, making it
+aware about "needs more data" state. However, to be acceptable,
+these improvements should be done in the base Parser::Tokenizer
+class instead. These changes seem to be non-trivial and could be
+done separately and later.
+
+Another approach, used here, is to simplify the complex and error-prone
+chunked extensions parsing algorithm, fixing incremental parsing bugs
+and still parse incrementally in almost all cases. The performance
+regression could be expected only in relatively rare cases of partially
+received or malformed extensions.
+
+Also:
+* fixed parsing of partial use-original-body extension values
+* do not treat an invalid use-original-body as an unknown extension
+* optimization: parse use-original-body extension only in ICAP context
+ (i.e., where it is expected)
+* improvement: added a new API to TeChunkedParser to specify known
+ chunked extensions list
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846-pre1.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
+Upstream commit https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270]
+CVE: CVE-2023-46846 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/adaptation/icap/ModXact.cc | 21 ++++-
+ src/adaptation/icap/ModXact.h | 20 +++++
+ src/http/one/Parser.cc | 35 ++++----
+ src/http/one/Parser.h | 10 ++-
+ src/http/one/RequestParser.cc | 16 ++--
+ src/http/one/RequestParser.h | 8 +-
+ src/http/one/ResponseParser.cc | 17 ++--
+ src/http/one/ResponseParser.h | 2 +-
+ src/http/one/TeChunkedParser.cc | 139 ++++++++++++++++++--------------
+ src/http/one/TeChunkedParser.h | 41 ++++++++--
+ src/http/one/Tokenizer.cc | 104 ++++++++++++------------
+ src/http/one/Tokenizer.h | 89 ++++++++------------
+ src/http/one/forward.h | 3 +
+ src/parser/BinaryTokenizer.h | 3 +-
+ src/parser/Makefile.am | 1 +
+ src/parser/Tokenizer.cc | 40 +++++++++
+ src/parser/Tokenizer.h | 13 +++
+ src/parser/forward.h | 22 +++++
+ 18 files changed, 364 insertions(+), 220 deletions(-)
+ create mode 100644 src/parser/forward.h
+
+--- a/src/adaptation/icap/ModXact.cc
++++ b/src/adaptation/icap/ModXact.cc
+@@ -25,12 +25,13 @@
+ #include "comm.h"
+ #include "comm/Connection.h"
+ #include "err_detail_type.h"
+-#include "http/one/TeChunkedParser.h"
+ #include "HttpHeaderTools.h"
+ #include "HttpMsg.h"
+ #include "HttpReply.h"
+ #include "HttpRequest.h"
+ #include "MasterXaction.h"
++#include "parser/Tokenizer.h"
++#include "sbuf/Stream.h"
+ #include "SquidTime.h"
+
+ // flow and terminology:
+@@ -44,6 +45,8 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation:
+
+ static const size_t TheBackupLimit = BodyPipe::MaxCapacity;
+
++const SBuf Adaptation::Icap::ChunkExtensionValueParser::UseOriginalBodyName("use-original-body");
++
+ Adaptation::Icap::ModXact::State::State()
+ {
+ memset(this, 0, sizeof(*this));
+@@ -1108,6 +1111,7 @@ void Adaptation::Icap::ModXact::decideOn
+ state.parsing = State::psBody;
+ replyHttpBodySize = 0;
+ bodyParser = new Http1::TeChunkedParser;
++ bodyParser->parseExtensionValuesWith(&extensionParser);
+ makeAdaptedBodyPipe("adapted response from the ICAP server");
+ Must(state.sending == State::sendingAdapted);
+ } else {
+@@ -1142,9 +1146,8 @@ void Adaptation::Icap::ModXact::parseBod
+ }
+
+ if (parsed) {
+- if (state.readyForUob && bodyParser->useOriginBody >= 0) {
+- prepPartialBodyEchoing(
+- static_cast<uint64_t>(bodyParser->useOriginBody));
++ if (state.readyForUob && extensionParser.sawUseOriginalBody()) {
++ prepPartialBodyEchoing(extensionParser.useOriginalBody());
+ stopParsing();
+ return;
+ }
+@@ -2014,3 +2017,14 @@ void Adaptation::Icap::ModXactLauncher::
+ }
+ }
+
++void
++Adaptation::Icap::ChunkExtensionValueParser::parse(Tokenizer &tok, const SBuf &extName)
++{
++ if (extName == UseOriginalBodyName) {
++ useOriginalBody_ = tok.udec64("use-original-body");
++ assert(useOriginalBody_ >= 0);
++ } else {
++ Ignore(tok, extName);
++ }
++}
++
+--- a/src/adaptation/icap/ModXact.h
++++ b/src/adaptation/icap/ModXact.h
+@@ -15,6 +15,7 @@
+ #include "adaptation/icap/Xaction.h"
+ #include "BodyPipe.h"
+ #include "http/one/forward.h"
++#include "http/one/TeChunkedParser.h"
+
+ /*
+ * ICAPModXact implements ICAP REQMOD and RESPMOD transaction using
+@@ -105,6 +106,23 @@ private:
+ enum State { stDisabled, stWriting, stIeof, stDone } theState;
+ };
+
++/// handles ICAP-specific chunk extensions supported by Squid
++class ChunkExtensionValueParser: public 
Http1::ChunkExtensionValueParser ++{ ++public: ++ /* Http1::ChunkExtensionValueParser API */ ++ virtual void parse(Tokenizer &tok, const SBuf &extName) override; ++ ++ bool sawUseOriginalBody() const { return useOriginalBody_ >= 0; } ++ uint64_t useOriginalBody() const { assert(sawUseOriginalBody()); return static_cast<uint64_t>(useOriginalBody_); } ++ ++private: ++ static const SBuf UseOriginalBodyName; ++ ++ /// the value of the parsed use-original-body chunk extension (or -1) ++ int64_t useOriginalBody_ = -1; ++}; ++ + class ModXact: public Xaction, public BodyProducer, public BodyConsumer + { + CBDATA_CLASS(ModXact); +@@ -270,6 +288,8 @@ private: + + int adaptHistoryId; ///< adaptation history slot reservation + ++ ChunkExtensionValueParser extensionParser; ++ + class State + { + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -7,10 +7,11 @@ + */ + + #include "squid.h" ++#include "base/CharacterSet.h" + #include "Debug.h" + #include "http/one/Parser.h" +-#include "http/one/Tokenizer.h" + #include "mime_header.h" ++#include "parser/Tokenizer.h" + #include "SquidConfig.h" + + /// RFC 7230 section 2.6 - 7 magic octets +@@ -61,20 +62,19 @@ Http::One::Parser::DelimiterCharacters() + RelaxedDelimiterCharacters() : CharacterSet::SP; + } + +-bool +-Http::One::Parser::skipLineTerminator(Http1::Tokenizer &tok) const ++void ++Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { + if (tok.skip(Http1::CrLf())) +- return true; ++ return; + + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) +- return true; ++ return; + + if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- return false; // need more data ++ throw InsufficientInput(); + + throw TexcHere("garbage instead of CRLF line terminator"); +- return false; // unreachable, but make naive compilers happy + } + + /// all characters except the LF line terminator +@@ -102,7 +102,7 @@ LineCharacters() + void + 
Http::One::Parser::cleanMimePrefix() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + while (tok.skipOne(RelaxedDelimiterCharacters())) { + (void)tok.skipAll(LineCharacters()); // optional line content + // LF terminator is required. +@@ -137,7 +137,7 @@ Http::One::Parser::cleanMimePrefix() + void + Http::One::Parser::unfoldMime() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + const auto szLimit = mimeHeaderBlock_.length(); + mimeHeaderBlock_.clear(); + // prevent the mime sender being able to make append() realloc/grow multiple times. +@@ -228,7 +228,7 @@ Http::One::Parser::getHostHeaderField() + debugs(25, 5, "looking for " << name); + + // while we can find more LF in the SBuf +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + SBuf p; + + while (tok.prefix(p, LineCharacters())) { +@@ -250,7 +250,7 @@ Http::One::Parser::getHostHeaderField() + p.consume(namelen + 1); + + // TODO: optimize SBuf::trim to take CharacterSet directly +- Http1::Tokenizer t(p); ++ Tokenizer t(p); + t.skipAll(CharacterSet::WSP); + p = t.remaining(); + +@@ -278,10 +278,15 @@ Http::One::ErrorLevel() + } + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-bool +-Http::One::ParseBws(Tokenizer &tok) ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) + { +- if (const auto count = tok.skipAll(Parser::WhitespaceCharacters())) { ++ const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); // even if count is positive ++ ++ if (count) { + // Generating BWS is a MUST-level violation so warn about it as needed. 
+ debugs(33, ErrorLevel(), "found " << count << " BWS octets"); + // RFC 7230 says we MUST parse BWS, so we fall through even if +@@ -289,6 +294,6 @@ Http::One::ParseBws(Tokenizer &tok) + } + // else we successfully "parsed" an empty BWS sequence + +- return true; ++ // success: no more BWS characters expected + } + +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -12,6 +12,7 @@ + #include "anyp/ProtocolVersion.h" + #include "http/one/forward.h" + #include "http/StatusCode.h" ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Http { +@@ -40,6 +41,7 @@ class Parser : public RefCountable + { + public: + typedef SBuf::size_type size_type; ++ typedef ::Parser::Tokenizer Tokenizer; + + Parser() : parseStatusCode(Http::scNone), parsingStage_(HTTP_PARSE_NONE), hackExpectsMime_(false) {} + virtual ~Parser() {} +@@ -118,11 +120,11 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * throws if non-terminator is detected. ++ * \throws exception on bad or InsuffientInput. + * \retval true only if line terminator found. + * \retval false incomplete or missing line terminator, need more data. + */ +- bool skipLineTerminator(Http1::Tokenizer &tok) const; ++ void skipLineTerminator(Tokenizer &) const; + + /** + * Scan to find the mime headers block for current message. 
+@@ -159,8 +161,8 @@ private: + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \returns true (always; unlike all the skip*() functions) +-bool ParseBws(Tokenizer &tok); ++/// \throws InsufficientInput when the end of BWS cannot be confirmed ++void ParseBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +--- a/src/http/one/RequestParser.cc ++++ b/src/http/one/RequestParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/RequestParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -64,7 +64,7 @@ Http::One::RequestParser::skipGarbageLin + * RFC 7230 section 2.6, 3.1 and 3.5 + */ + bool +-Http::One::RequestParser::parseMethodField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseMethodField(Tokenizer &tok) + { + // method field is a sequence of TCHAR. + // Limit to 32 characters to prevent overly long sequences of non-HTTP +@@ -145,7 +145,7 @@ Http::One::RequestParser::RequestTargetC + } + + bool +-Http::One::RequestParser::parseUriField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseUriField(Tokenizer &tok) + { + /* Arbitrary 64KB URI upper length limit. + * +@@ -178,7 +178,7 @@ Http::One::RequestParser::parseUriField( + } + + bool +-Http::One::RequestParser::parseHttpVersionField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseHttpVersionField(Tokenizer &tok) + { + static const SBuf http1p0("HTTP/1.0"); + static const SBuf http1p1("HTTP/1.1"); +@@ -253,7 +253,7 @@ Http::One::RequestParser::skipDelimiter( + + /// Parse CRs at the end of request-line, just before the terminating LF. 
+ bool +-Http::One::RequestParser::skipTrailingCrs(Http1::Tokenizer &tok) ++Http::One::RequestParser::skipTrailingCrs(Tokenizer &tok) + { + if (Config.onoff.relaxed_header_parser) { + (void)tok.skipAllTrailing(CharacterSet::CR); // optional; multiple OK +@@ -289,12 +289,12 @@ Http::One::RequestParser::parseRequestFi + // Earlier, skipGarbageLines() took care of any leading LFs (if allowed). + // Now, the request line has to end at the first LF. + static const CharacterSet lineChars = CharacterSet::LF.complement("notLF"); +- ::Parser::Tokenizer lineTok(buf_); ++ Tokenizer lineTok(buf_); + if (!lineTok.prefix(line, lineChars) || !lineTok.skip('\n')) { + if (buf_.length() >= Config.maxRequestHeaderSize) { + /* who should we blame for our failure to parse this line? */ + +- Http1::Tokenizer methodTok(buf_); ++ Tokenizer methodTok(buf_); + if (!parseMethodField(methodTok)) + return -1; // blame a bad method (or its delimiter) + +@@ -308,7 +308,7 @@ Http::One::RequestParser::parseRequestFi + return 0; + } + +- Http1::Tokenizer tok(line); ++ Tokenizer tok(line); + + if (!parseMethodField(tok)) + return -1; +--- a/src/http/one/RequestParser.h ++++ b/src/http/one/RequestParser.h +@@ -54,11 +54,11 @@ private: + bool doParse(const SBuf &aBuf); + + /* all these return false and set parseStatusCode on parsing failures */ +- bool parseMethodField(Http1::Tokenizer &); +- bool parseUriField(Http1::Tokenizer &); +- bool parseHttpVersionField(Http1::Tokenizer &); ++ bool parseMethodField(Tokenizer &); ++ bool parseUriField(Tokenizer &); ++ bool parseHttpVersionField(Tokenizer &); + bool skipDelimiter(const size_t count, const char *where); +- bool skipTrailingCrs(Http1::Tokenizer &tok); ++ bool skipTrailingCrs(Tokenizer &tok); + + bool http0() const {return !msgProtocol_.major;} + static const CharacterSet &RequestTargetCharacters(); +--- a/src/http/one/ResponseParser.cc ++++ b/src/http/one/ResponseParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include 
"http/one/ResponseParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -47,7 +47,7 @@ Http::One::ResponseParser::firstLineSize + // NP: we found the protocol version and consumed it already. + // just need the status code and reason phrase + int +-Http::One::ResponseParser::parseResponseStatusAndReason(Http1::Tokenizer &tok, const CharacterSet &WspDelim) ++Http::One::ResponseParser::parseResponseStatusAndReason(Tokenizer &tok, const CharacterSet &WspDelim) + { + if (!completedStatus_) { + debugs(74, 9, "seek status-code in: " << tok.remaining().substr(0,10) << "..."); +@@ -87,14 +87,13 @@ Http::One::ResponseParser::parseResponse + static const CharacterSet phraseChars = CharacterSet::WSP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + (void)tok.prefix(reasonPhrase_, phraseChars); // optional, no error if missing + try { +- if (skipLineTerminator(tok)) { +- debugs(74, DBG_DATA, "parse remaining buf={length=" << tok.remaining().length() << ", data='" << tok.remaining() << "'}"); +- buf_ = tok.remaining(); // resume checkpoint +- return 1; +- } ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); // resume checkpoint ++ debugs(74, DBG_DATA, Raw("leftovers", buf_.rawContent(), buf_.length())); ++ return 1; ++ } catch (const InsufficientInput &) { + reasonPhrase_.clear(); + return 0; // need more to be sure we have it all +- + } catch (const std::exception &ex) { + debugs(74, 6, "invalid status-line: " << ex.what()); + } +@@ -119,7 +118,7 @@ Http::One::ResponseParser::parseResponse + int + Http::One::ResponseParser::parseResponseFirstLine() + { +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + const CharacterSet &WspDelim = DelimiterCharacters(); + +--- a/src/http/one/ResponseParser.h ++++ b/src/http/one/ResponseParser.h +@@ -43,7 +43,7 @@ public: + + private: + int parseResponseFirstLine(); +- int 
parseResponseStatusAndReason(Http1::Tokenizer&, const CharacterSet &); ++ int parseResponseStatusAndReason(Tokenizer&, const CharacterSet &); + + /// magic prefix for identifying ICY response messages + static const SBuf IcyMagic; +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -13,10 +13,13 @@ + #include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" + #include "MemBuf.h" ++#include "parser/Tokenizer.h" + #include "Parsing.h" ++#include "sbuf/Stream.h" + #include "SquidConfig.h" + +-Http::One::TeChunkedParser::TeChunkedParser() ++Http::One::TeChunkedParser::TeChunkedParser(): ++ customExtensionValueParser(nullptr) + { + // chunked encoding only exists in HTTP/1.1 + Http1::Parser::msgProtocol_ = Http::ProtocolVersion(1,1); +@@ -31,7 +34,11 @@ Http::One::TeChunkedParser::clear() + buf_.clear(); + theChunkSize = theLeftBodySize = 0; + theOut = NULL; +- useOriginBody = -1; ++ // XXX: We do not reset customExtensionValueParser here. Based on the ++ // clear() API description, we must, but it makes little sense and could ++ // break method callers if they appear because some of them may forget to ++ // reset customExtensionValueParser. TODO: Remove Http1::Parser as our ++ // parent class and this unnecessary method with it. 
+ } + + bool +@@ -49,14 +56,14 @@ Http::One::TeChunkedParser::parse(const + if (parsingStage_ == Http1::HTTP_PARSE_NONE) + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + // loop for as many chunks as we can + // use do-while instead of while so that we can incrementally + // restart in the middle of a chunk/frame + do { + +- if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkExtension(tok, theChunkSize)) ++ if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkMetadataSuffix(tok)) + return false; + + if (parsingStage_ == Http1::HTTP_PARSE_CHUNK && !parseChunkBody(tok)) +@@ -80,7 +87,7 @@ Http::One::TeChunkedParser::needsMoreSpa + + /// RFC 7230 section 4.1 chunk-size + bool +-Http::One::TeChunkedParser::parseChunkSize(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok) + { + Must(theChunkSize <= 0); // Should(), really + +@@ -104,66 +111,75 @@ Http::One::TeChunkedParser::parseChunkSi + return false; // should not be reachable + } + +-/** +- * Parses chunk metadata suffix, looking for interesting extensions and/or +- * getting to the line terminator. RFC 7230 section 4.1.1 and its Errata #4667: +- * +- * chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +- * chunk-ext-name = token +- * chunk-ext-val = token / quoted-string +- * +- * ICAP 'use-original-body=N' extension is supported. +- */ +-bool +-Http::One::TeChunkedParser::parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown) +-{ +- SBuf ext; +- SBuf value; +- while ( +- ParseBws(tok) && // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- tok.skip(';') && +- ParseBws(tok) && // Bug 4492: ICAP servers send SP before chunk-ext-name +- tok.prefix(ext, CharacterSet::TCHAR)) { // chunk-ext-name +- +- // whole value part is optional. 
if no '=' expect next chunk-ext +- if (ParseBws(tok) && tok.skip('=') && ParseBws(tok)) { +- +- if (!skipKnown) { +- if (ext.cmp("use-original-body",17) == 0 && tok.int64(useOriginBody, 10)) { +- debugs(94, 3, "Found chunk extension " << ext << "=" << useOriginBody); +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- } +- +- debugs(94, 5, "skipping unknown chunk extension " << ext); +- +- // unknown might have a value token or quoted-string +- if (tok.quotedStringOrToken(value) && !tok.atEnd()) { +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- +- // otherwise need more data OR corrupt syntax +- break; +- } +- +- if (!tok.atEnd()) +- buf_ = tok.remaining(); // parse checkpoint (unless there might be more token name) +- } +- +- if (skipLineTerminator(tok)) { +- buf_ = tok.remaining(); // checkpoint +- // non-0 chunk means data, 0-size means optional Trailer follows ++/// Parses "[chunk-ext] CRLF" from RFC 7230 section 4.1.1: ++/// chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF ++/// last-chunk = 1*"0" [ chunk-ext ] CRLF ++bool ++Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) ++{ ++ // Code becomes much simpler when incremental parsing functions throw on ++ // bad or insufficient input, like in the code below. TODO: Expand up. ++ try { ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; ++ } catch (const InsufficientInput &) { ++ tok.reset(buf_); // backtrack to the last commit point ++ return false; + } ++ // other exceptions bubble up to kill message parsing ++} ++ ++/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++{ ++ do { ++ ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + +- return false; ++ if (!tok.skip(';')) ++ return; // reached the end of extensions (if any) ++ ++ parseOneChunkExtension(tok); ++ buf_ = tok.remaining(); // got one extension ++ } while (true); ++} ++ ++void ++Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName) ++{ ++ const auto ignoredValue = tokenOrQuotedString(tok); ++ debugs(94, 5, extName << " with value " << ignoredValue); ++} ++ ++/// Parses a single chunk-ext list element: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++{ ++ ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name ++ ++ const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ ++ ParseBws(tok); ++ ++ if (!tok.skip('=')) ++ return; // parsed a valueless chunk-ext ++ ++ ParseBws(tok); ++ ++ // optimization: the only currently supported extension needs last-chunk ++ if (!theChunkSize && customExtensionValueParser) ++ customExtensionValueParser->parse(tok, extName); ++ else ++ ChunkExtensionValueParser::Ignore(tok, extName); + } + + bool +-Http::One::TeChunkedParser::parseChunkBody(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkBody(Tokenizer &tok) + { + if (theLeftBodySize > 0) { + buf_ = tok.remaining(); // sync buffers before buf_ use +@@ -188,17 +204,20 @@ Http::One::TeChunkedParser::parseChunkBo + 
} + + bool +-Http::One::TeChunkedParser::parseChunkEnd(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok) + { + Must(theLeftBodySize == 0); // Should(), really + +- if (skipLineTerminator(tok)) { ++ try { ++ skipLineTerminator(tok); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + return true; + } +- +- return false; ++ catch (const InsufficientInput &) { ++ return false; ++ } ++ // other exceptions bubble up to kill message parsing + } + +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -18,6 +18,26 @@ namespace Http + namespace One + { + ++using ::Parser::InsufficientInput; ++ ++// TODO: Move this class into http/one/ChunkExtensionValueParser.* ++/// A customizable parser of a single chunk extension value (chunk-ext-val). ++/// From RFC 7230 section 4.1.1 and its Errata #4667: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++/// chunk-ext-name = token ++/// chunk-ext-val = token / quoted-string ++class ChunkExtensionValueParser ++{ ++public: ++ typedef ::Parser::Tokenizer Tokenizer; ++ ++ /// extracts and ignores the value of a named extension ++ static void Ignore(Tokenizer &tok, const SBuf &extName); ++ ++ /// extracts and then interprets (or ignores) the extension value ++ virtual void parse(Tokenizer &tok, const SBuf &extName) = 0; ++}; ++ + /** + * An incremental parser for chunked transfer coding + * defined in RFC 7230 section 4.1. +@@ -25,7 +45,7 @@ namespace One + * + * The parser shovels content bytes from the raw + * input buffer into the content output buffer, both caller-supplied. +- * Ignores chunk extensions except for ICAP's ieof. ++ * Chunk extensions like use-original-body are handled via parseExtensionValuesWith(). + * Trailers are available via mimeHeader() if wanted. 
+ */ + class TeChunkedParser : public Http1::Parser +@@ -37,6 +57,10 @@ public: + /// set the buffer to be used to store decoded chunk data + void setPayloadBuffer(MemBuf *parsedContent) {theOut = parsedContent;} + ++ /// Instead of ignoring all chunk extension values, give the supplied ++ /// parser a chance to handle them. Only applied to last-chunk (for now). ++ void parseExtensionValuesWith(ChunkExtensionValueParser *parser) { customExtensionValueParser = parser; } ++ + bool needsMoreSpace() const; + + /* Http1::Parser API */ +@@ -45,17 +69,20 @@ public: + virtual Parser::size_type firstLineSize() const {return 0;} // has no meaning with multiple chunks + + private: +- bool parseChunkSize(Http1::Tokenizer &tok); +- bool parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown); +- bool parseChunkBody(Http1::Tokenizer &tok); +- bool parseChunkEnd(Http1::Tokenizer &tok); ++ bool parseChunkSize(Tokenizer &tok); ++ bool parseChunkMetadataSuffix(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); ++ void parseOneChunkExtension(Tokenizer &); ++ bool parseChunkBody(Tokenizer &tok); ++ bool parseChunkEnd(Tokenizer &tok); + + MemBuf *theOut; + uint64_t theChunkSize; + uint64_t theLeftBodySize; + +-public: +- int64_t useOriginBody; ++ /// An optional plugin for parsing and interpreting custom chunk-ext-val. ++ /// This "visitor" object is owned by our creator. ++ ChunkExtensionValueParser *customExtensionValueParser; + }; + + } // namespace One +--- a/src/http/one/Tokenizer.cc ++++ b/src/http/one/Tokenizer.cc +@@ -8,35 +8,18 @@ + + #include "squid.h" + #include "Debug.h" ++#include "http/one/Parser.h" + #include "http/one/Tokenizer.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + +-bool +-Http::One::Tokenizer::quotedString(SBuf &returnedToken, const bool http1p0) ++/// Extracts quoted-string after the caller removes the initial '"'. 
++/// \param http1p0 whether to prohibit \-escaped characters in quoted strings ++/// \throws InsufficientInput when input can be a token _prefix_ ++/// \returns extracted quoted string (without quotes and with chars unescaped) ++static SBuf ++parseQuotedStringSuffix(Parser::Tokenizer &tok, const bool http1p0) + { +- checkpoint(); +- +- if (!skip('"')) +- return false; +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::quotedStringOrToken(SBuf &returnedToken, const bool http1p0) +-{ +- checkpoint(); +- +- if (!skip('"')) +- return prefix(returnedToken, CharacterSet::TCHAR); +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::qdText(SBuf &returnedToken, const bool http1p0) +-{ +- // the initial DQUOTE has been skipped by the caller +- + /* + * RFC 1945 - defines qdtext: + * inclusive of LWS (which includes CR and LF) +@@ -61,12 +44,17 @@ Http::One::Tokenizer::qdText(SBuf &retur + // best we can do is a conditional reference since http1p0 value may change per-client + const CharacterSet &tokenChars = (http1p0 ? 
qdtext1p0 : qdtext1p1); + +- for (;;) { +- SBuf::size_type prefixLen = buf().findFirstNotOf(tokenChars); +- returnedToken.append(consume(prefixLen)); ++ SBuf parsedToken; ++ ++ while (!tok.atEnd()) { ++ SBuf qdText; ++ if (tok.prefix(qdText, tokenChars)) ++ parsedToken.append(qdText); ++ ++ if (!http1p0 && tok.skip('\\')) { // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not ++ if (tok.atEnd()) ++ break; + +- // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not +- if (!http1p0 && skip('\\')) { + /* RFC 7230 section 3.2.6 + * + * The backslash octet ("\") can be used as a single-octet quoting +@@ -78,32 +66,42 @@ Http::One::Tokenizer::qdText(SBuf &retur + */ + static const CharacterSet qPairChars = CharacterSet::HTAB + CharacterSet::SP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + SBuf escaped; +- if (!prefix(escaped, qPairChars, 1)) { +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } +- returnedToken.append(escaped); ++ if (!tok.prefix(escaped, qPairChars, 1)) ++ throw TexcHere("invalid escaped character in quoted-pair"); ++ ++ parsedToken.append(escaped); + continue; ++ } + +- } else if (skip('"')) { +- break; // done ++ if (tok.skip('"')) ++ return parsedToken; // may be empty + +- } else if (atEnd()) { +- // need more data +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } ++ if (tok.atEnd()) ++ break; + +- // else, we have an error +- debugs(24, 8, "invalid bytes for set " << tokenChars.name); +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; ++ throw TexcHere(ToSBuf("invalid bytes for set ", tokenChars.name)); + } + +- // found the whole string +- return true; ++ throw Http::One::InsufficientInput(); ++} ++ ++SBuf ++Http::One::tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0) ++{ ++ if (tok.skip('"')) ++ return parseQuotedStringSuffix(tok, http1p0); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf parsedToken; ++ if (!tok.prefix(parsedToken, CharacterSet::TCHAR)) 
++ throw TexcHere("invalid input while expecting an HTTP token"); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ // got the complete token ++ return parsedToken; + } + +--- a/src/http/one/Tokenizer.h ++++ b/src/http/one/Tokenizer.h +@@ -9,68 +9,47 @@ + #ifndef SQUID_SRC_HTTP_ONE_TOKENIZER_H + #define SQUID_SRC_HTTP_ONE_TOKENIZER_H + +-#include "parser/Tokenizer.h" ++#include "parser/forward.h" ++#include "sbuf/forward.h" + + namespace Http { + namespace One { + + /** +- * Lexical processor extended to tokenize HTTP/1.x syntax. ++ * Extracts either an HTTP/1 token or quoted-string while dealing with ++ * possibly incomplete input typical for incremental text parsers. ++ * Unescapes escaped characters in HTTP/1.1 quoted strings. + * +- * \see ::Parser::Tokenizer for more detail ++ * \param http1p0 whether to prohibit \-escaped characters in quoted strings ++ * \throws InsufficientInput as appropriate, including on unterminated tokens ++ * \returns extracted token or quoted string (without quotes) ++ * ++ * Governed by: ++ * - RFC 1945 section 2.1 ++ * " ++ * A string of text is parsed as a single word if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = ( <"> *(qdtext) <"> ) ++ * ++ * qdtext = <any CHAR except <"> and CTLs, ++ * but including LWS> ++ * ++ * Single-character quoting using the backslash ("\") character is not ++ * permitted in HTTP/1.0. ++ * " ++ * ++ * - RFC 7230 section 3.2.6 ++ * " ++ * A string of text is parsed as a single value if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE ++ * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text ++ * obs-text = %x80-FF ++ * " + */ +-class Tokenizer : public ::Parser::Tokenizer +-{ +-public: +- Tokenizer(SBuf &s) : ::Parser::Tokenizer(s), savedStats_(0) {} +- +- /** +- * Attempt to parse a quoted-string lexical construct. 
+- * +- * Governed by: +- * - RFC 1945 section 2.1 +- * " +- * A string of text is parsed as a single word if it is quoted using +- * double-quote marks. +- * +- * quoted-string = ( <"> *(qdtext) <"> ) +- * +- * qdtext = <any CHAR except <"> and CTLs, +- * but including LWS> +- * +- * Single-character quoting using the backslash ("\") character is not +- * permitted in HTTP/1.0. +- * " +- * +- * - RFC 7230 section 3.2.6 +- * " +- * A string of text is parsed as a single value if it is quoted using +- * double-quote marks. +- * +- * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE +- * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text +- * obs-text = %x80-FF +- * " +- * +- * \param escaped HTTP/1.0 does not permit \-escaped characters +- */ +- bool quotedString(SBuf &value, const bool http1p0 = false); +- +- /** +- * Attempt to parse a (token / quoted-string ) lexical construct. +- */ +- bool quotedStringOrToken(SBuf &value, const bool http1p0 = false); +- +-private: +- /// parse the internal component of a quote-string, and terminal DQUOTE +- bool qdText(SBuf &value, const bool http1p0); +- +- void checkpoint() { savedCheckpoint_ = buf(); savedStats_ = parsedSize(); } +- void restoreLastCheckpoint() { undoParse(savedCheckpoint_, savedStats_); } +- +- SBuf savedCheckpoint_; +- SBuf::size_type savedStats_; +-}; ++SBuf tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0 = false); + + } // namespace One + } // namespace Http +--- a/src/http/one/forward.h ++++ b/src/http/one/forward.h +@@ -10,6 +10,7 @@ + #define SQUID_SRC_HTTP_ONE_FORWARD_H + + #include "base/RefCount.h" ++#include "parser/forward.h" + #include "sbuf/forward.h" + + namespace Http { +@@ -31,6 +32,8 @@ typedef RefCount<Http::One::ResponsePars + /// CRLF textual representation + const SBuf &CrLf(); + ++using ::Parser::InsufficientInput; ++ + } // namespace One + } // namespace Http + +--- a/src/parser/BinaryTokenizer.h ++++ b/src/parser/BinaryTokenizer.h +@@ -9,6 +9,7 @@ + #ifndef 
SQUID_SRC_PARSER_BINARYTOKENIZER_H + #define SQUID_SRC_PARSER_BINARYTOKENIZER_H + ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Parser +@@ -44,7 +45,7 @@ public: + class BinaryTokenizer + { + public: +- class InsufficientInput {}; // thrown when a method runs out of data ++ typedef ::Parser::InsufficientInput InsufficientInput; + typedef uint64_t size_type; // enough for the largest supported offset + + BinaryTokenizer(); +--- a/src/parser/Makefile.am ++++ b/src/parser/Makefile.am +@@ -13,6 +13,7 @@ noinst_LTLIBRARIES = libparser.la + libparser_la_SOURCES = \ + BinaryTokenizer.h \ + BinaryTokenizer.cc \ ++ forward.h \ + Tokenizer.h \ + Tokenizer.cc + +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -10,7 +10,9 @@ + + #include "squid.h" + #include "Debug.h" ++#include "parser/forward.h" + #include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + + #include <cerrno> + #if HAVE_CTYPE_H +@@ -96,6 +98,23 @@ Parser::Tokenizer::prefix(SBuf &returned + return true; + } + ++SBuf ++Parser::Tokenizer::prefix(const char *description, const CharacterSet &tokenChars, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf result; ++ ++ if (!prefix(result, tokenChars, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ return result; ++} ++ + bool + Parser::Tokenizer::suffix(SBuf &returnedToken, const CharacterSet &tokenChars, const SBuf::size_type limit) + { +@@ -283,3 +302,24 @@ Parser::Tokenizer::int64(int64_t & resul + return success(s - range.rawContent()); + } + ++int64_t ++Parser::Tokenizer::udec64(const char *description, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ int64_t result = 0; ++ ++ // Since we only support unsigned decimals, a parsing failure with a ++ // non-empty input always implies invalid/malformed input (or a buggy ++ // limit=0 caller). 
TODO: Support signed and non-decimal integers by ++ // refactoring int64() to detect insufficient input. ++ if (!int64(result, 10, false, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); // more digits may be coming ++ ++ return result; ++} ++ +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -143,6 +143,19 @@ public: + */ + bool int64(int64_t &result, int base = 0, bool allowSign = true, SBuf::size_type limit = SBuf::npos); + ++ /* ++ * The methods below mimic their counterparts documented above, but they ++ * throw on errors, including InsufficientInput. The field description ++ * parameter is used for error reporting and debugging. ++ */ ++ ++ /// prefix() wrapper but throws InsufficientInput if input contains ++ /// nothing but the prefix (i.e. if the prefix is not "terminated") ++ SBuf prefix(const char *description, const CharacterSet &tokenChars, SBuf::size_type limit = SBuf::npos); ++ ++ /// int64() wrapper but limited to unsigned decimal integers (for now) ++ int64_t udec64(const char *description, SBuf::size_type limit = SBuf::npos); ++ + protected: + SBuf consume(const SBuf::size_type n); + SBuf::size_type success(const SBuf::size_type n); +--- /dev/null ++++ b/src/parser/forward.h +@@ -0,0 +1,22 @@ ++/* ++ * Copyright (C) 1996-2019 The Squid Software Foundation and contributors ++ * ++ * Squid software is distributed under GPLv2+ license and includes ++ * contributions from numerous individuals and organizations. ++ * Please see the COPYING and CONTRIBUTORS files for details. ++ */ ++ ++#ifndef SQUID_PARSER_FORWARD_H ++#define SQUID_PARSER_FORWARD_H ++ ++namespace Parser { ++class Tokenizer; ++class BinaryTokenizer; ++ ++// TODO: Move this declaration (to parser/Elements.h) if we need more like it. ++/// thrown by modern "incremental" parsers when they need more data ++class InsufficientInput {}; ++} // namespace Parser ++ ++#endif /* SQUID_PARSER_FORWARD_H */ ++ 
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch new file mode 100644 index 0000000000..a6d0965e7a --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch 
@@ -0,0 +1,169 @@ +From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001 +From: Amos Jeffries <yadij@users.noreply.github.com> +Date: Fri, 13 Oct 2023 08:44:16 +0000 +Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/05f6af2f4c85cc99323cfff6149c3d74af661b6d] +CVE: CVE-2023-46846 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/http/one/Parser.cc | 8 +------- + src/http/one/Parser.h | 4 +--- + src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++----- + src/parser/Tokenizer.cc | 12 ++++++++++++ + src/parser/Tokenizer.h | 7 +++++++ + 5 files changed, 39 insertions(+), 15 deletions(-) + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters() + void + Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { +- if (tok.skip(Http1::CrLf())) +- return; +- + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) + return; + +- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- throw InsufficientInput(); +- +- throw TexcHere("garbage instead of CRLF line terminator"); ++ tok.skipRequired("line-terminating CRLF", Http1::CrLf()); + } + + /// all characters except the LF line terminator +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -120,9 +120,7 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * \throws exception on bad or InsuffientInput. +- * \retval true only if line terminator found. +- * \retval false incomplete or missing line terminator, need more data. 
++ * \throws exception on bad or InsufficientInput + */ + void skipLineTerminator(Tokenizer &) const; + +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSi + { + Must(theChunkSize <= 0); // Should(), really + ++ static const SBuf bannedHexPrefixLower("0x"); ++ static const SBuf bannedHexPrefixUpper("0X"); ++ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper)) ++ throw TextException("chunk starts with 0x", Here()); ++ + int64_t size = -1; + if (tok.int64(size, 16, false) && !tok.atEnd()) { + if (size < 0) +@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMe + // bad or insufficient input, like in the code below. TODO: Expand up. + try { + parseChunkExtensions(tok); // a possibly empty chunk-ext list +- skipLineTerminator(tok); ++ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; +@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMe + // other exceptions bubble up to kill message parsing + } + +-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { + do { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkEx + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension ++ callerTok = tok; + } while (true); + } + +@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ig + /// Parses a single chunk-ext list element: + /// chunk-ext = *( BWS ";" BWS 
chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok) + { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name + + const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ callerTok = tok; // in case we determine that this is a valueless chunk-ext + + ParseBws(tok); + +@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChun + customExtensionValueParser->parse(tok, extName); + else + ChunkExtensionValueParser::Ignore(tok, extName); ++ ++ callerTok = tok; + } + + bool +@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEn + Must(theLeftBodySize == 0); // Should(), really + + try { +- skipLineTerminator(tok); ++ tok.skipRequired("chunk CRLF", Http1::CrLf()); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const Charact + return success(prefixLen); + } + ++void ++Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip) ++{ ++ if (skip(tokenToSkip) || tokenToSkip.isEmpty()) ++ return; ++ ++ if (tokenToSkip.startsWith(buf_)) ++ throw InsufficientInput(); ++ ++ throw TextException(ToSBuf("cannot skip ", description), Here()); ++} ++ + bool + Parser::Tokenizer::skipOne(const CharacterSet &chars) + { +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -115,6 +115,13 @@ public: + */ + SBuf::size_type skipAll(const CharacterSet &discardables); + ++ /** skips a given character sequence (string); ++ * does nothing if the sequence is empty ++ * ++ * \throws exception on mismatching prefix or InsufficientInput ++ */ ++ void skipRequired(const char *description, const SBuf &tokenToSkip); ++ + /** Removes a single trailing 
character from the set. + * + * \return whether a character was removed diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 0000000000..d9f29569d1 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch 
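Review bot: The TeChunkedParser.cc hunks of this patch only apply on top of the refactoring introduced by the preceding patch in this diff: their context lines (`parseChunkMetadataSuffix`, `parseChunkExtensions(Tokenizer &tok)`, `parseOneChunkExtension`) are the functions that earlier patch adds, and `tok.skipRequired(...)` here replaces the `skipLineTerminator(tok)` calls it introduced. The squid_4.9.bb hunk lists `CVE-2023-46846-pre1.patch` ahead of `CVE-2023-46846.patch`, which keeps the application order right, but nothing in either file records that coupling; I would add one line to this patch's header below `Upstream-Status`, such as `Note: must be applied after CVE-2023-46846-pre1.patch, which introduces the TeChunkedParser/Tokenizer code this fix changes`, so a later cleanup cannot drop one without the other. The header of the preceding patch is outside this view, so I cannot tell whether it already states that the CVE fix depends on it.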
@@ -0,0 +1,47 @@ +From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001 +From: squidadm <squidadm@users.noreply.github.com> +Date: Wed, 18 Oct 2023 04:50:56 +1300 +Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization + (#1517) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html +where it was filed as "Stack Buffer Overflow in Digest Authentication". + +--------- + +Co-authored-by: Alex Bason <nonsleepr@gmail.com> +Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com> + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3] +CVE: CVE-2023-46847 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/auth/digest/Config.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index 2d25fee..4c206e1 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -862,11 +862,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) + break; + + case DIGEST_NC: +- if (value.size() != 8) { ++ if (value.size() == 8) { ++ // for historical reasons, the nc value MUST be exactly 8 bytes ++ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); ++ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); ++ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); ++ } else { + debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); ++ digest_request->nc[0] = 0; + } +- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); +- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); + break; + + case DIGEST_CNONCE: +-- +2.40.1 
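Review bot: On the invalid-length branch the fix now leaves `digest_request->nc` as an empty string (`digest_request->nc[0] = 0;`) and falls out of the `switch` normally, so whether a request with a malformed nc is actually rejected depends on the checks that run after the parsing loop, which are outside this hunk; that is the upstream behaviour, but it is worth confirming in the 4.9 tree that an empty nc fails authentication rather than being treated as an absent field, since the nonce count is what Digest relies on for replay detection. The `static_assert(sizeof(digest_request->nc) == 8 + 1, ...)` pins the buffer size, so a future change to the `nc` array cannot silently bring back the overflow, which is the right shape for this kind of fix.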
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch new file mode 100644 index 0000000000..d3cc549f98 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch @@ -0,0 +1,35 @@ +From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Wed, 25 Oct 2023 19:41:45 +0000 +Subject: [PATCH] RFC 1123: Fix date parsing (#1538) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html +where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time +Handling". + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b] +CVE: CVE-2023-49285 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/rfc1123.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/rfc1123.c b/lib/rfc1123.c +index e5bf9a4d705..cb484cc002b 100644 +--- a/lib/rfc1123.c ++++ b/lib/rfc1123.c +@@ -50,7 +50,13 @@ make_month(const char *s) + char month[3]; + + month[0] = xtoupper(*s); ++ if (!month[0]) ++ return -1; // protects *(s + 1) below ++ + month[1] = xtolower(*(s + 1)); ++ if (!month[1]) ++ return -1; // protects *(s + 2) below ++ + month[2] = xtolower(*(s + 2)); + + for (i = 0; i < 12; i++) diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 0000000000..8e0bdf387c --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch 
@@ -0,0 +1,87 @@ +From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Fri, 27 Oct 2023 21:27:20 +0000 +Subject: [PATCH] Exit without asserting when helper process startup fails + (#1543) + +... to dup() after fork() and before execvp(). + +Assertions are for handling program logic errors. Helper initialization +code already handled system call errors correctly (i.e. by exiting the +newly created helper process with an error), except for a couple of +assert()s that could be triggered by dup(2) failures. + +This bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html +where it was filed as 'Assertion in Squid "Helper" Process Creator'. + +Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] +CVE: CVE-2023-49286 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ipc.cc | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -20,6 +20,12 @@ + #include "SquidIpc.h" + #include "tools.h" + ++#include <cstdlib> ++ ++#if HAVE_UNISTD_H ++#include <unistd.h> ++#endif ++ + static const char *hello_string = "hi there\n"; + #ifndef HELLO_BUF_SZ + #define HELLO_BUF_SZ 32 +@@ -365,6 +371,22 @@ + } + + PutEnvironment(); ++ ++ // A dup(2) wrapper that reports and exits the process on errors. The ++ // exiting logic is only suitable for this child process context. 
++ const auto dupOrExit = [prog,name](const int oldFd) { ++ const auto newFd = dup(oldFd); ++ if (newFd < 0) { ++ const auto savedErrno = errno; ++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); ++ debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); ++ debugs(54, DBG_CRITICAL, "helper program name: " << prog); ++ debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); ++ _exit(1); ++ } ++ return newFd; ++ }; ++ + /* + * This double-dup stuff avoids problems when one of + * crfd, cwfd, or debug_log are in the rage 0-2. +@@ -372,17 +394,16 @@ + + do { + /* First make sure 0-2 is occupied by something. Gets cleaned up later */ +- x = dup(crfd); +- assert(x > -1); +- } while (x < 3 && x > -1); ++ x = dupOrExit(crfd); ++ } while (x < 3); + + close(x); + +- t1 = dup(crfd); ++ t1 = dupOrExit(crfd); + +- t2 = dup(cwfd); ++ t2 = dupOrExit(cwfd); + +- t3 = dup(fileno(debug_log)); ++ t3 = dupOrExit(fileno(debug_log)); + + assert(t1 > 2 && t2 > 2 && t3 > 2); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch 
@@ -0,0 +1,62 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] +CVE: CVE-2023-50269 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -78,6 +78,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ 
calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++ return;
++ }
++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses");
++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber);
++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr);
++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++ // fall through to resume clientAccessCheck() processing
+ }
+ }
+
diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb
index 19949acd84..09c0a2cd7c 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.9.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb
@@ -24,6 +24,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
 file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch \
 file://0001-tools.cc-fixed-unused-result-warning.patch \
 file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \
+ file://CVE-2023-46847.patch \
+ file://CVE-2023-46728.patch \
+ file://CVE-2023-46846-pre1.patch \
+ file://CVE-2023-46846.patch \
+ file://CVE-2023-49285.patch \
+ file://CVE-2023-49286.patch \
+ file://CVE-2023-50269.patch \
 "
 SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
index 115353fec7..071002c5e7 100644
--- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
+++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403"
 SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99"
-SRC_URI = "git://github.com/arno-iptables-firewall/aif"
+SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https"
 S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
new file mode 100644
index 0000000000..21d4cfd822
--- /dev/null
+++ b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch
@@ -0,0 +1,19 @@
+ebtables: use optimizations from bitbake
+
+Enables building with O2 or Os to create smaller binaries.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
+
+--- a/Makefile 2021-04-16 12:43:40.475431286 +0000
++++ b/Makefile 2021-04-16 12:45:23.654597711 +0000
+@@ -18,7 +18,7 @@ SYSCONFIGDIR:=/etc/sysconfig
+ DESTDIR:=
+
+ CFLAGS:=-Wall -Wunused -Werror
+-CFLAGS_SH_LIB:=-fPIC -O3
++CFLAGS_SH_LIB:=-fPIC
+ CC:=gcc
+
+ ifeq ($(shell uname -m),sparc64)
diff --git a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
index 276784009f..8b6dcea439 100644
--- a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
+++ b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \
 file://0007-extensions-Use-stdint-types.patch \
 file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \
 file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \
+ file://ebtables_optimizations.patch \
 "
 SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch"
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
index 2f627d458e..994825cb7e 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
 SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324"
 PV .= "+git${SRCPV}"
-SRC_URI = "git://git.netfilter.org/libnetfilter_log"
+SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master"
 S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
index 896cfdfaa4..1bbab6f3cb 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
 SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54"
-SRC_URI = "git://git.netfilter.org/libnetfilter_queue \
+SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \
 file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \
 "
diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
index 4ff00bf873..fee9967ebd 100644
--- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
+++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
 DEPENDS = "libmnl"
 SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195"
-SRC_URI = "git://git.netfilter.org/libnftnl \
+SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \
 file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \
 "
diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
index a3d4b7cc55..d7467ff4a6 100644
--- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb
+++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
@@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 DEPENDS = "openssl zlib icu"
-SRC_URI = "git://github.com/znc/znc.git;name=znc \
- git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \
+SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \
+ git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \
 "
 SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50"
 SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4"
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
deleted file mode 100644
index 73199592c8..0000000000
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ /dev/null
@@ -1,35 +0,0 @@
-require wireguard.inc
-
-SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
-
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat"
-
-inherit module kernel-module-split
-
-DEPENDS = "virtual/kernel libmnl"
-
-# This module requires Linux 3.10 higher and several networking related
-# configuration options. For exact kernel requirements visit:
-# https://www.wireguard.io/install/#kernel-requirements
-
-EXTRA_OEMAKE_append = " \
- KERNELDIR=${STAGING_KERNEL_DIR} \
- "
-
-MAKE_TARGETS = "module"
-
-RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
-MODULE_NAME = "wireguard"
-
-# Kernel module packages MUST begin with 'kernel-module-', otherwise
-# multilib image generation can fail.
-#
-# The following line is only necessary if the recipe name does not begin
-# with kernel-module-.
-PKG_${PN} = "kernel-module-${MODULE_NAME}"
-
-module_do_install() {
- install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
- install -m 0644 ${MODULE_NAME}.ko \
- ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
-}
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
new file mode 100644
index 0000000000..df2db15349
--- /dev/null
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
@@ -0,0 +1,23 @@
+require wireguard.inc
+
+SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004"
+
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master"
+
+inherit module kernel-module-split
+
+DEPENDS = "virtual/kernel libmnl"
+
+# This module requires Linux 3.10 higher and several networking related
+# configuration options. For exact kernel requirements visit:
+# https://www.wireguard.io/install/#kernel-requirements
+
+EXTRA_OEMAKE_append = " \
+ KERNELDIR=${STAGING_KERNEL_DIR} \
+ "
+
+MAKE_TARGETS = "module"
+MODULES_INSTALL_TARGET = "module-install"
+
+RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
+MODULE_NAME = "wireguard"
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb
index f698b9a9af..b63ef88182 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb
@@ -1,7 +1,7 @@
 require wireguard.inc
-SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585"
-SRC_URI = "git://git.zx2c4.com/wireguard-tools"
+SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8"
+SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master"
 inherit bash-completion systemd pkgconfig
@@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl"
 do_install () {
 oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \
- SYSTEMDUNITDIR="${systemd_unitdir}" \
+ SYSTEMDUNITDIR="${systemd_system_unitdir}" \
 WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \
 WITH_BASHCOMPLETION=yes \
 WITH_WGQUICK=yes \
diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
index 6dd15ad9fc..fdcd906516 100644
--- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
+++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
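Review bot: `SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master"` in the wireguard-tools hunk still fetches over the unauthenticated git:// transport, while the replacement wireguard-module recipe in this same commit switches the same host to `protocol=https`; the pinned SRCREV is what protects integrity in both cases, but the two recipes should make the same transport choice. Suggest `SRC_URI = "git://git.zx2c4.com/wireguard-tools;protocol=https;branch=master"`, on the assumption that the host serves this repository over https as the wireguard-linux-compat hunk shows it does for its sibling. The switch to `${systemd_system_unitdir}` in do_install is the right variable for system units and needs no change.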
@@ -12,7 +12,7 @@ SECTION = "net"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754"
-SRC_URI = "git://github.com/jech/babeld.git;protocol=git"
+SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master"
 SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4"
 UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
index 0f8dc92df3..ce31233264 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
@@ -26,6 +26,19 @@ SRC_URI = "https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-${P
 SRC_URI[md5sum] = "4e139a8e1133349006b0436291c9e29b"
 SRC_URI[sha256sum] = "2cef0ee9900504c5277fb81de0a28e6c0835fe482ebecf1067c6864f5c4eda74"
+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+# https://security-tracker.debian.org/tracker/CVE-2007-0613
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
 PARALLEL_MAKE = ""
 S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch
new file mode 100644
index 0000000000..4e537c8859
--- /dev/null
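Review bot: The rationale comment added above `CVE_CHECK_WHITELIST += "CVE-2007-0613"` in mdns_878.270.2.bb has wording defects that will outlive the change: `preset` should read `present`, the sentence `# Hence, CVE-2007-0613 does not affect other Yocto implementations and` / `# is not reported for other distros can be marked whitelisted.` is ungrammatical, and the vulmon link is listed twice. Suggest `# The code affected by CVE-2007-0613 is not present in this mDNSResponder source, and other distros do not report it against this package, so it is whitelisted here.` and dropping the duplicate link. Nothing in the hunk records how the absence was verified against the 878.270.2 tarball; naming the source file or function that was checked would let the whitelist be re-audited on the next version bump rather than carried forward on trust.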
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch 
@@ -0,0 +1,116 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner <fenner@gmail.com> +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind + +Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57] +CVE: CVE-2022-44792 & CVE-2022-44793 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + agent/snmp_agent.c | 32 +++++++++++++++++++ + apps/snmpset.c | 1 + + .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 26653f4..eba5b4e 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. 
++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ +diff --git a/apps/snmpset.c b/apps/snmpset.c +index a2374bc..cd01b9a 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000..0f1b8f3 +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. 
./Sv2cconfig
++STARTAGENT
++
++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
++
++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
++
++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
++
++CHECK "Reason: wrongType"
++
++STOPAGENT
++
++FINISHED
+--
+2.25.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
index 6b4b6ce8ed..79f2c1d89d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
 file://CVE-2020-15861-0004.patch \
 file://CVE-2020-15861-0005.patch \
 file://CVE-2020-15862.patch \
+ file://CVE-2022-44792-CVE-2022-44793.patch \
 "
 SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
 SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"
diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index cccbfa19a6..c425b48e19 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -11,7 +11,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
-SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git"
+SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
 DEPENDS = "virtual/libc"
@@ -35,3 +35,7 @@ do_install_append() {
 # Remove /var/run as it is created on startup
 rm -rf ${D}${localstatedir}/run
 }
+
+# This CVE is not for this product but cve-check assumes it is
+# because two CPE collides when checking the NVD database
+CVE_CHECK_WHITELIST = "CVE-2018-1078"
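Review bot: The header of CVE-2022-44792-CVE-2022-44793.patch names two different upstream commits for the same change: `From 4589352dac3ae111c7621298cf231742209efd9b` at the top and `Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57]` below it, so a reader cannot tell which one was actually backported or whether one is a cherry-pick of the other. Please make the two agree, or state the relationship in the header, so the next person re-basing this recipe can diff against the right upstream commit. `Subject: [PATCH ] snmp_agent: ...` also carries a stray space inside the brackets.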
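Review bot: `CVE_CHECK_WHITELIST = "CVE-2018-1078"` at the end of openflow.inc uses plain assignment, so any whitelist entries set earlier (for example by a distro configuration) are discarded when the recipe that requires this .inc is parsed; the mdns recipe in this same series uses `+=`, and this one should match: `CVE_CHECK_WHITELIST += "CVE-2018-1078"`. The rationale comment also reads better as `# This CVE is not for this product, but cve-check assumes it is` / `# because two CPEs collide when checking the NVD database`. Naming the product whose CPE collides would let a later maintainer re-check the whitelist instead of inheriting it.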
diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
new file mode 100644
index 0000000000..bdb48a3993
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch
@@ -0,0 +1,117 @@ +From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski <mt@suse.com> +Date: Fri Nov 11 09:07:22 UTC 2022 +Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation + +Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890 + +Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch + +CVE: CVE-2021-44038 +Signed-off-by: Marius Tomaschewski <mt@suse.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + redhat/bgpd.service | 2 -- + redhat/isisd.service | 2 -- + redhat/ospf6d.service | 2 -- + redhat/ospfd.service | 2 -- + redhat/ripd.service | 2 -- + redhat/ripngd.service | 2 -- + redhat/zebra.service | 3 --- + 7 files changed, 15 deletions(-) + +diff --git a/redhat/bgpd.service b/redhat/bgpd.service +index a50bfff..6f46a97 100644 +--- a/redhat/bgpd.service ++++ b/redhat/bgpd.service +@@ -10,8 +10,6 @@ Documentation=man:bgpd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf + ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf + Restart=on-abort + +diff --git a/redhat/isisd.service b/redhat/isisd.service +index 93663aa..c1464c0 100644 +--- a/redhat/isisd.service ++++ b/redhat/isisd.service +@@ -10,8 +10,6 @@ Documentation=man:isisd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf + ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf + Restart=on-abort + +diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service +index 3c1c978..d493429 100644 +--- a/redhat/ospf6d.service ++++ b/redhat/ospf6d.service +@@ -10,8 +10,6 @@ Documentation=man:ospf6d + [Service] + Type=forking + 
EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf + ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf + Restart=on-abort + +diff --git a/redhat/ospfd.service b/redhat/ospfd.service +index 0084b6c..6c84580 100644 +--- a/redhat/ospfd.service ++++ b/redhat/ospfd.service +@@ -10,8 +10,6 @@ Documentation=man:ospfd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf + ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf + Restart=on-abort + +diff --git a/redhat/ripd.service b/redhat/ripd.service +index 103b5a9..be0f75c 100644 +--- a/redhat/ripd.service ++++ b/redhat/ripd.service +@@ -10,8 +10,6 @@ Documentation=man:ripd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf + ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf + Restart=on-abort + +diff --git a/redhat/ripngd.service b/redhat/ripngd.service +index 6fe6ba8..23447da 100644 +--- a/redhat/ripngd.service ++++ b/redhat/ripngd.service +@@ -10,8 +10,6 @@ Documentation=man:ripngd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf + ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf + Restart=on-abort + +diff --git a/redhat/zebra.service b/redhat/zebra.service +index fa5a004..e3cf0ab 100644 +--- a/redhat/zebra.service ++++ b/redhat/zebra.service +@@ -10,9 +10,6 @@ Documentation=man:zebra + Type=forking + EnvironmentFile=-/etc/sysconfig/quagga + ExecStartPre=/sbin/ip route flush 
proto zebra
+-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
+-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
+ ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
+ Restart=on-abort
+
+--
+2.25.1
+
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 134a33d478..5ef3843b15 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \
 file://ripd.service \
 file://ripngd.service \
 file://zebra.service \
+ file://CVE-2021-44038.patch \
 "
-
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
 PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam"
diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
index 4f8e4d4282..dcfa7406d2 100644
--- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
@@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet,"
 PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6,"
 EXTRA_OECONF += "--disable-debug"
+
+CVE_VERSION = "0.9.3.0"
diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
index b02e183db7..181698d778 100644
--- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
+++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
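Review bot: Removing the `ExecStartPre=-/bin/chmod` and `ExecStartPre=-/bin/chown` lines from all seven unit files in CVE-2021-44038.patch also removes the only place these units put /etc/quagga/*.conf into mode 640 owned by $QUAGGA_USER, and for zebra.service the only place /run/quagga is handed to that user, so correct ownership now has to come from the package itself. Neither quagga.inc's do_install nor a tmpfiles.d entry is visible in this diff, so this is inferred; please confirm the recipe installs the configuration files with that owner and mode and provisions /run/quagga, otherwise the daemons may fail to read their configuration or write their pidfiles at start. The patch header carries `CVE:` and `Signed-off-by:` but no `Upstream-Status:` line, unlike the other patches in this series; one pointing at the SUSE change already cited in the header would match the layer's convention.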
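Review bot: `CVE_VERSION = "0.9.3.0"` is added to usrsctp_git.bb with no comment explaining why a fixed version is being supplied, and it is a value that silently goes stale when SRCREV is moved. Suggest a comment above it along the lines of `# PV of this git recipe is not a release number; give cve-check the upstream release this SRCREV corresponds to. Update together with SRCREV.` The recipe's SRCREV and PV are outside this hunk, so the mapping between the pinned commit and 0.9.3.0 cannot be checked from the diff.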
@@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/xelerance/xl2tpd.git"
+SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https"
 SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08"
 S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb
index c02a19944d..b59dc4ca1b 100644
--- a/meta-networking/recipes-support/arptables/arptables_git.bb
+++ b/meta-networking/recipes-support/arptables/arptables_git.bb
@@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a"
 PV = "0.0.5+git${SRCPV}"
 SRC_URI = " \
- git://git.netfilter.org/arptables \
+ git://git.netfilter.org/arptables;branch=master \
 file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \
 file://arptables-arpt-get-target-fix.patch \
 file://arptables.service \
diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
index 1c87c48bfa..4b195ededa 100644
--- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
+++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37"
 SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606"
 SRC_URI = "\
- git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \
+ git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \
 file://kernel-headers.patch \
 file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \
 file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \
diff --git a/meta-networking/recipes-support/celt051/celt051_git.bb b/meta-networking/recipes-support/celt051/celt051_git.bb
index 12b9124f74..c3e4cbbe6d 100644
--- a/meta-networking/recipes-support/celt051/celt051_git.bb
+++ b/meta-networking/recipes-support/celt051/celt051_git.bb
@@ -16,7 +16,7 @@ PV = "0.5.1.3+git${SRCPV}"
 SRCREV = "5555aae843f57241d005e330b9cb65602d56db0f"
-SRC_URI = "git://git.xiph.org/celt.git;branch=compat-v0.5.1;protocol=https \
+SRC_URI = "git://gitlab.xiph.org/xiph/celt.git;branch=compat-v0.5.1;protocol=https \
 file://0001-configure.ac-make-tools-support-optional.patch \
 file://0001-tests-Include-entcode.c-into-test-sources-to-provide.patch \
 "
diff --git a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch
new file mode 100644
index 0000000000..79df1007e0
--- /dev/null
+++ b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch
@@ -0,0 +1,204 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reported-by: Matthias Gerstner <mgerstner@suse.de> + +Upstream-Status: Backport [https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545] +CVE: CVE-2020-14367 +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +diff --git a/logging.c b/logging.c +index d2296e0..fd7f900 100644 +--- a/logging.c ++++ b/logging.c +@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity, + system_log = 0; + log_message(1, severity, buf); + } ++ exit(1); + break; + default: + assert(0); +diff --git a/main.c b/main.c +index 6ccf32e..8edb2e1 100644 +--- a/main.c ++++ b/main.c +@@ -281,13 +281,9 @@ write_pidfile(void) + if (!pidfile[0]) + return; + +- out = fopen(pidfile, "w"); +- if (!out) { +- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno)); +- } else { +- fprintf(out, "%d\n", (int)getpid()); +- fclose(out); +- } ++ out = UTI_OpenFile(NULL, pidfile, 
NULL, 'W', 0644); ++ fprintf(out, "%d\n", (int)getpid()); ++ fclose(out); + } + + /* ================================================== */ +diff --git a/sysincl.h b/sysincl.h +index 296c5e6..873a3bd 100644 +--- a/sysincl.h ++++ b/sysincl.h +@@ -37,6 +37,7 @@ + #include <glob.h> + #include <grp.h> + #include <inttypes.h> ++#include <limits.h> + #include <math.h> + #include <netinet/in.h> + #include <pwd.h> +diff --git a/util.c b/util.c +index e7e3442..83b3b20 100644 +--- a/util.c ++++ b/util.c +@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++static int ++join_path(const char *basedir, const char *name, const char *suffix, ++ char *buffer, size_t length, LOG_Severity severity) ++{ ++ const char *sep; ++ ++ if (!basedir) { ++ basedir = ""; ++ sep = ""; ++ } else { ++ sep = "/"; ++ } ++ ++ if (!suffix) ++ suffix = ""; ++ ++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) { ++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ ++FILE * ++UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm) ++{ ++ const char *file_mode; ++ char path[PATH_MAX]; ++ LOG_Severity severity; ++ int fd, flags; ++ FILE *file; ++ ++ severity = mode >= 'A' && mode <= 'Z' ? 
LOGS_FATAL : LOGS_ERR; ++ ++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity)) ++ return NULL; ++ ++ switch (mode) { ++ case 'r': ++ case 'R': ++ flags = O_RDONLY; ++ file_mode = "r"; ++ if (severity != LOGS_FATAL) ++ severity = LOGS_DEBUG; ++ break; ++ case 'w': ++ case 'W': ++ flags = O_WRONLY | O_CREAT | O_EXCL; ++ file_mode = "w"; ++ break; ++ case 'a': ++ case 'A': ++ flags = O_WRONLY | O_CREAT | O_APPEND; ++ file_mode = "a"; ++ break; ++ default: ++ assert(0); ++ return NULL; ++ } ++ ++try_again: ++ fd = open(path, flags, perm); ++ if (fd < 0) { ++ if (errno == EEXIST) { ++ if (unlink(path) < 0) { ++ LOG(severity, "Could not remove %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ DEBUG_LOG("Removed %s", path); ++ goto try_again; ++ } ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ ++ UTI_FdSetCloexec(fd); ++ ++ file = fdopen(fd, file_mode); ++ if (!file) { ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ close(fd); ++ return NULL; ++ } ++ ++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode); ++ ++ return file; ++} ++ ++/* ================================================== */ ++ + void + UTI_DropRoot(uid_t uid, gid_t gid) + { +diff --git a/util.h b/util.h +index e3d6767..a2481cc 100644 +--- a/util.h ++++ b/util.h +@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Open a file. The full path of the file is constructed from the basedir ++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). ++ Created files have specified permissions (umasked). Returns NULL on error. 
++ The following modes are supported (if the mode is an uppercase character,
++ errors are fatal):
++ r/R - open an existing file for reading
++ w/W - open a new file for writing (remove existing file)
++ a/A - open an existing file for appending (create if does not exist) */
++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm);
++
+ /* Set process user/group IDs and drop supplementary groups */
+ extern void UTI_DropRoot(uid_t uid, gid_t gid);
+
+--
+cgit v0.10.2
+
diff --git a/meta-networking/recipes-support/chrony/chrony_3.5.bb b/meta-networking/recipes-support/chrony/chrony_3.5.bb
index 7c6356d264..182ce13ccf 100644
--- a/meta-networking/recipes-support/chrony/chrony_3.5.bb
+++ b/meta-networking/recipes-support/chrony/chrony_3.5.bb
@@ -34,6 +34,7 @@ SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \
 file://chrony.conf \
 file://chronyd \
 file://arm_eabi.patch \
+ file://CVE-2020-14367.patch \
 "
 SRC_URI_append_libc-musl = " \
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
index 8d82ee4546..e76481cc1b 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 PV = "6.10"
 SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a"
-SRC_URI = "git://git.samba.org/cifs-utils.git"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
 S = "${WORKDIR}/git"
 DEPENDS += "libtalloc"
diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
index 799cf8611c..3da651c478 100644
--- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
+++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029" DEPENDS = "curl" DEPENDS_class-native = "curl-native" -SRC_URI = "git://github.com/jpbarrette/curlpp.git" +SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https" SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f" diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch new file mode 100644 index 0000000000..360931a83b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch 
@@ -0,0 +1,1040 @@ +From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 15 Mar 2021 21:59:51 +0000 +Subject: [PATCH] Use random source ports where possible if source + addresses/interfaces in use. + +CVE-2021-3448 applies. + +It's possible to specify the source address or interface to be +used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4 +or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of +these have, until now, used a single socket, bound to a fixed +port. This was originally done to allow an error (non-existent +interface, or non-local address) to be detected at start-up. This +means that any upstream servers specified in such a way don't use +random source ports, and are more susceptible to cache-poisoning +attacks. + +We now use random ports where possible, even when the +source is specified, so server=8.8.8.8@1.2.3.4 or +server=8.8.8.8@eth0 will use random source +ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will +use the explicitly configured port, and should only be done with +understanding of the security implications. +Note that this change changes non-existing interface, or non-local +source address errors from fatal to run-time. The error will be +logged and communiction with the server not possible. 
+ +Upstream-Status: Backport +CVE: CVE-2021-3448 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + CHANGELOG | 22 +++ + man/dnsmasq.8 | 4 +- + src/dnsmasq.c | 31 ++-- + src/dnsmasq.h | 26 ++-- + src/forward.c | 392 ++++++++++++++++++++++++++++++-------------------- + src/loop.c | 20 +-- + src/network.c | 110 +++++--------- + src/option.c | 3 +- + src/tftp.c | 6 +- + src/util.c | 2 +- + 10 files changed, 344 insertions(+), 272 deletions(-) + +Index: dnsmasq-2.81/man/dnsmasq.8 +=================================================================== +--- dnsmasq-2.81.orig/man/dnsmasq.8 ++++ dnsmasq-2.81/man/dnsmasq.8 +@@ -489,7 +489,7 @@ source address specified but the port ma + part of the source address. Forcing queries to an interface is not + implemented on all platforms supported by dnsmasq. + .TP +-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]] ++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]] + This is functionally the same as + .B --server, + but provides some syntactic sugar to make specifying address-to-name queries easier. 
For example +Index: dnsmasq-2.81/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.c ++++ dnsmasq-2.81/src/dnsmasq.c +@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now) + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int wait = 0, i; + + #ifdef HAVE_TFTP +@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now) + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + poll_listen(serverfdp->fd, POLLIN); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0) +- poll_listen(daemon->randomsocks[i].fd, POLLIN); +- ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0) ++ poll_listen(daemon->randomsocks[i].fd, POLLIN); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ poll_listen(rfl->rfd->fd, POLLIN); ++ + for (listener = daemon->listeners; listener; listener = listener->next) + { + /* only listen for queries if we have resources */ +@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int i; + int pipefd[2]; + + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + if (poll_check(serverfdp->fd, POLLIN)) +- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now); ++ reply_query(serverfdp->fd, now); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0 && +- poll_check(daemon->randomsocks[i].fd, POLLIN)) +- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now); ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && ++ poll_check(daemon->randomsocks[i].fd, POLLIN)) ++ reply_query(daemon->randomsocks[i].fd, now); 
++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ if (poll_check(rfl->rfd->fd, POLLIN)) ++ reply_query(rfl->rfd->fd, now); + + /* Races. The child process can die before we read all of the data from the + pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -542,13 +542,20 @@ struct serverfd { + }; + + struct randfd { ++ struct server *serv; + int fd; +- unsigned short refcount, family; ++ unsigned short refcount; /* refcount == 0xffff means overflow record. */ + }; +- ++ ++struct randfd_list { ++ struct randfd *rfd; ++ struct randfd_list *next; ++}; ++ + struct server { + union mysockaddr addr, source_addr; + char interface[IF_NAMESIZE+1]; ++ unsigned int ifindex; /* corresponding to interface, above */ + struct serverfd *sfd; + char *domain; /* set if this server only handles a domain. 
*/ + int flags, tcpfd, edns_pktsz; +@@ -669,8 +676,7 @@ struct frec { + struct frec_src *next; + } frec_src; + struct server *sentto; /* NULL means free */ +- struct randfd *rfd4; +- struct randfd *rfd6; ++ struct randfd_list *rfds; + unsigned short new_id; + int fd, forwardall, flags; + time_t time; +@@ -1100,11 +1106,12 @@ extern struct daemon { + int forwardcount; + struct server *srv_save; /* Used for resend on DoD */ + size_t packet_len; /* " " */ +- struct randfd *rfd_save; /* " " */ ++ int fd_save; /* " " */ + pid_t tcp_pids[MAX_PROCS]; + int tcp_pipes[MAX_PROCS]; + int pipe_to_parent; + struct randfd randomsocks[RANDOM_SOCKS]; ++ struct randfd_list *rfl_spare, *rfl_poll; + int v6pktinfo; + struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */ + int log_id, log_display_id; /* ids of transactions for logging */ +@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char + void safe_pipe(int *fd, int read_noblock); + void *whine_malloc(size_t size); + int sa_len(union mysockaddr *addr); +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2); ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2); + int hostname_isequal(const char *a, const char *b); + int hostname_issubdomain(char *a, char *b); + time_t dnsmasq_time(void); +@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso + int option_read_dynfile(char *file, int flags); + + /* forward.c */ +-void reply_query(int fd, int family, time_t now); ++void reply_query(int fd, time_t now); + void receive_query(struct listener *listen, time_t now); + unsigned char *tcp_request(int confd, time_t now, + union mysockaddr *local_addr, struct in_addr netmask, int auth_dns); +@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char * + union mysockaddr *to, union all_addr *source, + unsigned int iface); + void resend_query(void); +-struct randfd *allocate_rfd(int family); +-void free_rfd(struct randfd *rfd); 
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv); ++void free_rfds(struct randfd_list **fdlp); + + /* network.c */ + int indextoname(int fd, int index, char *name); + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp); +-int random_sock(int family); + void pre_allocate_sfds(void); + int reload_servers(char *fname); + void mark_servers(int flag); +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio + if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) + PUTSHORT(SAFE_PKTSZ, pheader); + +- if (forward->sentto->addr.sa.sa_family == AF_INET) +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); +- else +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); +- +- +- if (forward->sentto->sfd) +- fd = forward->sentto->sfd->fd; +- else ++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1) + { +- if (forward->sentto->addr.sa.sa_family == AF_INET6) +- fd = forward->rfd6->fd; ++ if (forward->sentto->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); + else +- fd = forward->rfd4->fd; ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); ++ ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ 
&forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); + } + +- while (retry_send(sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); +- + return 1; + } + #endif +@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio + + while (1) + { ++ int fd; ++ + /* only send to servers dealing with our domain. + domain may be NULL, in which case server->domain + must be NULL also. */ + + if (type == (start->flags & SERV_TYPE) && + (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && +- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) ++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ ((fd = allocate_rfd(&forward->rfds, start)) != -1)) + { +- int fd; +- +- /* find server socket to use, may need to get random one. */ +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- if (!forward->rfd6 && +- !(forward->rfd6 = allocate_rfd(AF_INET6))) +- break; +- daemon->rfd_save = forward->rfd6; +- fd = forward->rfd6->fd; +- } +- else +- { +- if (!forward->rfd4 && +- !(forward->rfd4 = allocate_rfd(AF_INET))) +- break; +- daemon->rfd_save = forward->rfd4; +- fd = forward->rfd4->fd; +- } + + #ifdef HAVE_CONNTRACK +- /* Copy connection mark of incoming query to outgoing connection. */ +- if (option_bool(OPT_CONNTRACK)) +- { +- unsigned int mark; +- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) +- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); +- } +-#endif ++ /* Copy connection mark of incoming query to outgoing connection. 
*/ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ unsigned int mark; ++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) ++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + } +- ++#endif ++ + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER)) + { +@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio + /* Keep info in case we want to re-send this packet */ + daemon->srv_save = start; + daemon->packet_len = plen; ++ daemon->fd_save = fd; + + if (!gotname) + strcpy(daemon->namebuff, "query"); +@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio + break; + forward->forwardall++; + } +- } ++ } + + if (!(start = start->next)) + start = daemon->servers; +@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h + } + + /* sets new last_server */ +-void reply_query(int fd, int family, time_t now) ++void reply_query(int fd, time_t now) + { + /* packet from peer server, extract data for cache, and send to + original requester */ +@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + /* Determine the address of the server replying so that we can mark that as good */ +- if ((serveraddr.sa.sa_family = family) == AF_INET6) ++ if (serveraddr.sa.sa_family == AF_INET6) + serveraddr.in6.sin6_flowinfo = 0; + + header = (struct dns_header *)daemon->packet; +@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim + + hash = hash_questions(header, n, daemon->namebuff); + +- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim + } + + +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- /* may have changed family */ +- if (!forward->rfd6) +- forward->rfd6 = 
allocate_rfd(AF_INET6); +- fd = forward->rfd6->fd; +- } +- else +- { +- /* may have changed family */ +- if (!forward->rfd4) +- forward->rfd4 = allocate_rfd(AF_INET); +- fd = forward->rfd4->fd; +- } +- } ++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1) ++ return; + + #ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr); +@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim + } + + new->sentto = server; +- new->rfd4 = NULL; +- new->rfd6 = NULL; ++ new->rfds = NULL; + new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; +@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim + /* Don't resend this. */ + daemon->srv_save = NULL; + +- if (server->sfd) +- fd = server->sfd->fd; +- else +- { +- fd = -1; +- if (server->addr.sa.sa_family == AF_INET6) +- { +- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) +- fd = new->rfd6->fd; +- } +- else +- { +- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) +- fd = new->rfd4->fd; +- } +- } +- +- if (fd != -1) ++ if ((fd = allocate_rfd(&new->rfds, server)) != -1) + { + #ifdef HAVE_CONNTRACK + /* Copy connection mark of incoming query to outgoing connection. */ +@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; + netmask.s_addr = 0; + +@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t + f->next = daemon->frec_list; + f->time = now; + f->sentto = NULL; +- f->rfd4 = NULL; ++ f->rfds = NULL; + f->flags = 0; +- f->rfd6 = NULL; + #ifdef HAVE_DNSSEC + f->dependent = NULL; + f->blocking_query = NULL; +@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t + return f; + } + +-struct randfd *allocate_rfd(int family) ++/* return a UDP socket bound to a random port, have to cope with straying into ++ occupied port nos and reserved ones. 
*/ ++static int random_sock(struct server *s) ++{ ++ int fd; ++ ++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1) ++ { ++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0)) ++ return fd; ++ ++ if (s->interface[0] == 0) ++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff); ++ else ++ strcpy(daemon->namebuff, s->interface); ++ ++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"), ++ daemon->namebuff, strerror(errno)); ++ close(fd); ++ } ++ ++ return -1; ++} ++ ++/* compare source addresses and interface, serv2 can be null. */ ++static int server_isequal(const struct server *serv1, ++ const struct server *serv2) ++{ ++ return (serv2 && ++ serv2->ifindex == serv1->ifindex && ++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) && ++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0); ++} ++ ++/* fdlp points to chain of randomfds already in use by transaction. ++ If there's already a suitable one, return it, else allocate a ++ new one and add it to the list. ++ ++ Not leaking any resources in the face of allocation failures ++ is rather convoluted here. ++ ++ Note that rfd->serv may be NULL, when a server goes away. ++*/ ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv) + { + static int finger = 0; +- int i; ++ int i, j = 0; ++ struct randfd_list *rfl; ++ struct randfd *rfd = NULL; ++ int fd = 0; ++ ++ /* If server has a pre-allocated fd, use that. */ ++ if (serv->sfd) ++ return serv->sfd->fd; ++ ++ /* existing suitable random port socket linked to this transaction? */ ++ for (rfl = *fdlp; rfl; rfl = rfl->next) ++ if (server_isequal(serv, rfl->rfd->serv)) ++ return rfl->rfd->fd; ++ ++ /* No. need new link. */ ++ if ((rfl = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl->next; ++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list)))) ++ return -1; + + /* limit the number of sockets we have open to avoid starvation of + (eg) TFTP. 
Once we have a reasonable number, randomness should be OK */ +- + for (i = 0; i < RANDOM_SOCKS; i++) + if (daemon->randomsocks[i].refcount == 0) + { +- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1) +- break; +- +- daemon->randomsocks[i].refcount = 1; +- daemon->randomsocks[i].family = family; +- return &daemon->randomsocks[i]; ++ if ((fd = random_sock(serv)) != -1) ++ { ++ rfd = &daemon->randomsocks[i]; ++ rfd->serv = serv; ++ rfd->fd = fd; ++ rfd->refcount = 1; ++ } ++ break; + } + + /* No free ones or cannot get new socket, grab an existing one */ +- for (i = 0; i < RANDOM_SOCKS; i++) ++ if (!rfd) ++ for (j = 0; j < RANDOM_SOCKS; j++) ++ { ++ i = (j + finger) % RANDOM_SOCKS; ++ if (daemon->randomsocks[i].refcount != 0 && ++ server_isequal(serv, daemon->randomsocks[i].serv) && ++ daemon->randomsocks[i].refcount != 0xfffe) ++ { ++ finger = i + 1; ++ rfd = &daemon->randomsocks[i]; ++ rfd->refcount++; ++ break; ++ } ++ } ++ ++ if (j == RANDOM_SOCKS) + { +- int j = (i+finger) % RANDOM_SOCKS; +- if (daemon->randomsocks[j].refcount != 0 && +- daemon->randomsocks[j].family == family && +- daemon->randomsocks[j].refcount != 0xffff) ++ struct randfd_list *rfl_poll; ++ ++ /* there are no free slots, and non with the same parameters we can piggy-back on. ++ We're going to have to allocate a new temporary record, distinguished by ++ refcount == 0xffff. This will exist in the frec randfd list, never be shared, ++ and be freed when no longer in use. It will also be held on ++ the daemon->rfl_poll list so the poll system can find it. 
*/ ++ ++ if ((rfl_poll = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl_poll->next; ++ else ++ rfl_poll = whine_malloc(sizeof(struct randfd_list)); ++ ++ if (!rfl_poll || ++ !(rfd = whine_malloc(sizeof(struct randfd))) || ++ (fd = random_sock(serv)) == -1) + { +- finger = j; +- daemon->randomsocks[j].refcount++; +- return &daemon->randomsocks[j]; ++ ++ /* Don't leak anything we may already have */ ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ ++ if (rfl_poll) ++ { ++ rfl_poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl_poll; ++ } ++ ++ if (rfd) ++ free(rfd); ++ ++ return -1; /* doom */ + } ++ ++ /* Note rfd->serv not set here, since it's not reused */ ++ rfd->fd = fd; ++ rfd->refcount = 0xffff; /* marker for temp record */ ++ ++ rfl_poll->rfd = rfd; ++ rfl_poll->next = daemon->rfl_poll; ++ daemon->rfl_poll = rfl_poll; + } + +- return NULL; /* doom */ ++ rfl->rfd = rfd; ++ rfl->next = *fdlp; ++ *fdlp = rfl; ++ ++ return rfl->rfd->fd; + } + +-void free_rfd(struct randfd *rfd) ++void free_rfds(struct randfd_list **fdlp) + { +- if (rfd && --(rfd->refcount) == 0) +- close(rfd->fd); ++ struct randfd_list *tmp, *rfl, *poll, *next, **up; ++ ++ for (rfl = *fdlp; rfl; rfl = tmp) ++ { ++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0) ++ close(rfl->rfd->fd); ++ ++ /* temporary overflow record */ ++ if (rfl->rfd->refcount == 0xffff) ++ { ++ free(rfl->rfd); ++ ++ /* go through the link of all these by steam to delete. ++ This list is expected to be almost always empty. 
*/ ++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next) ++ { ++ next = poll->next; ++ ++ if (poll->rfd == rfl->rfd) ++ { ++ *up = poll->next; ++ poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = poll; ++ } ++ else ++ up = &poll->next; ++ } ++ } ++ ++ tmp = rfl->next; ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ } ++ ++ *fdlp = NULL; + } + + static void free_frec(struct frec *f) +@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f) + } + + f->frec_src.next = NULL; +- free_rfd(f->rfd4); +- f->rfd4 = NULL; ++ free_rfds(&f->rfds); + f->sentto = NULL; + f->flags = 0; +- free_rfd(f->rfd6); +- f->rfd6 = NULL; + + #ifdef HAVE_DNSSEC + if (f->stash) +@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash) + { + struct frec *f; ++ struct server *s; ++ int type; ++ struct randfd_list *fdl; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ +- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ for (fdl = f->rfds; fdl; fdl = fdl->next) ++ if (fdl->rfd->fd == fd) + return f; ++ } + +- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) +- return f; ++ /* Sent to upstream from socket associated with a server. ++ Note we have to iterate over all the possible servers, since they may ++ have different bound sockets. */ ++ type = f->sentto->flags & SERV_TYPE; ++ s = f->sentto; ++ do { ++ if ((type == (s->flags & SERV_TYPE)) && ++ (type != SERV_HAS_DOMAIN || ++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) && ++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ s->sfd && s->sfd->fd == fd) ++ return f; ++ ++ s = s->next ? 
s->next : daemon->servers; ++ } while (s != f->sentto); + +- /* sent to upstream from bound socket. */ +- if (f->sentto->sfd && f->sentto->sfd->fd == fd) +- return f; +- } +- + return NULL; + } + +@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query + void resend_query() + { + if (daemon->srv_save) +- { +- int fd; +- +- if (daemon->srv_save->sfd) +- fd = daemon->srv_save->sfd->fd; +- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0) +- fd = daemon->rfd_save->fd; +- else +- return; +- +- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0, +- &daemon->srv_save->addr.sa, +- sa_len(&daemon->srv_save->addr)))); +- } ++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0, ++ &daemon->srv_save->addr.sa, ++ sa_len(&daemon->srv_save->addr)))); + } + + /* A server record is going away, remove references to it */ + void server_gone(struct server *server) + { + struct frec *f; ++ int i; + + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->sentto == server) + free_frec(f); ++ ++ /* If any random socket refers to this server, NULL the reference. ++ No more references to the socket will be created in the future. 
*/ ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server) ++ daemon->randomsocks[i].serv = NULL; + + if (daemon->last_server == server) + daemon->last_server = NULL; +Index: dnsmasq-2.81/src/loop.c +=================================================================== +--- dnsmasq-2.81.orig/src/loop.c ++++ dnsmasq-2.81/src/loop.c +@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid); + void loop_send_probes() + { + struct server *serv; ++ struct randfd_list *rfds = NULL; + + if (!option_bool(OPT_LOOP_DETECT)) + return; +@@ -34,22 +35,15 @@ void loop_send_probes() + { + ssize_t len = loop_make_probe(serv->uid); + int fd; +- struct randfd *rfd = NULL; + +- if (serv->sfd) +- fd = serv->sfd->fd; +- else +- { +- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family))) +- continue; +- fd = rfd->fd; +- } ++ if ((fd = allocate_rfd(&rfds, serv)) == -1) ++ continue; + + while (retry_send(sendto(fd, daemon->packet, len, 0, + &serv->addr.sa, sa_len(&serv->addr)))); +- +- free_rfd(rfd); + } ++ ++ free_rfds(&rfds); + } + + static ssize_t loop_make_probe(u32 uid) +Index: dnsmasq-2.81/src/network.c +=================================================================== +--- dnsmasq-2.81.orig/src/network.c ++++ dnsmasq-2.81/src/network.c +@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset) + #ifdef HAVE_AUTH + struct auth_zone *zone; + #endif ++ struct server *serv; + + /* Do this max once per select cycle - also inhibits netlink socket use + in TCP child processes. */ +@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset) + + if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1) + return 0; +- ++ ++ /* iface indexes can change when interfaces are created/destroyed. ++ We use them in the main forwarding control path, when the path ++ to a server is specified by an interface, so cache them. ++ Update the cache here. 
*/ ++ for (serv = daemon->servers; serv; serv = serv->next) ++ if (strlen(serv->interface) != 0) ++ { ++ struct ifreq ifr; ++ ++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE); ++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1) ++ serv->ifindex = ifr.ifr_ifindex; ++ } ++ + /* Mark interfaces for garbage collection */ + for (iface = daemon->interfaces; iface; iface = iface->next) + iface->found = 0; +@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset) + + errno = errsave; + spare = param.spare; +- ++ + return ret; + } + +@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af) + /* use mshdr so that the CMSDG_* macros are available */ + msg.msg_control = daemon->packet; + msg.msg_controllen = len = daemon->packet_buff_sz; +- ++ + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if (af == AF_INET) + { + if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 && +@@ -1102,59 +1117,6 @@ void join_multicast(int dienow) + } + #endif + +-/* return a UDP socket bound to a random port, have to cope with straying into +- occupied port nos and reserved ones. */ +-int random_sock(int family) +-{ +- int fd; +- +- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) +- { +- union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; +- +- memset(&addr, 0, sizeof(addr)); +- addr.sa.sa_family = family; +- +- /* don't loop forever if all ports in use. 
*/ +- +- if (fix_fd(fd)) +- while(tries--) +- { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); +- +- if (family == AF_INET) +- { +- addr.in.sin_addr.s_addr = INADDR_ANY; +- addr.in.sin_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in.sin_len = sizeof(struct sockaddr_in); +-#endif +- } +- else +- { +- addr.in6.sin6_addr = in6addr_any; +- addr.in6.sin6_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in6.sin6_len = sizeof(struct sockaddr_in6); +-#endif +- } +- +- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0) +- return fd; +- +- if (errno != EADDRINUSE && errno != EACCES) +- break; +- } +- +- close(fd); +- } +- +- return -1; +-} +- +- + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp) + { + union mysockaddr addr_copy = *addr; +@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr + return 1; + } + +-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname) ++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex) + { + struct serverfd *sfd; +- unsigned int ifindex = 0; + int errsave; + int opt = 1; + + /* when using random ports, servers which would otherwise use +- the INADDR_ANY/port0 socket have sfd set to NULL */ +- if (!daemon->osport && intname[0] == 0) ++ the INADDR_ANY/port0 socket have sfd set to NULL, this is ++ anything without an explictly set source port. 
*/ ++ if (!daemon->osport) + { + errno = 0; + + if (addr->sa.sa_family == AF_INET && +- addr->in.sin_addr.s_addr == INADDR_ANY && + addr->in.sin_port == htons(0)) + return NULL; + + if (addr->sa.sa_family == AF_INET6 && +- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 && + addr->in6.sin6_port == htons(0)) + return NULL; + } + +- if (intname && strlen(intname) != 0) +- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */ +- + /* may have a suitable one already */ + for (sfd = daemon->sfds; sfd; sfd = sfd->next ) +- if (sockaddr_isequal(&sfd->source_addr, addr) && +- strcmp(intname, sfd->interface) == 0 && +- ifindex == sfd->ifindex) ++ if (ifindex == sfd->ifindex && ++ sockaddr_isequal(&sfd->source_addr, addr) && ++ strcmp(intname, sfd->interface) == 0) + return sfd; + + /* need to make a new one. */ +@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in.sin_len = sizeof(struct sockaddr_in); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + + memset(&addr, 0, sizeof(addr)); +@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in6.sin6_len = sizeof(struct sockaddr_in6); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + } + + for (srv = daemon->servers; srv; srv = srv->next) + if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) && +- !allocate_sfd(&srv->source_addr, srv->interface) && ++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) && + errno != 0 && + option_bool(OPT_NOWILD)) + { +@@ -1506,7 +1463,7 @@ void check_servers(void) + + /* Do we need a socket set? 
*/ + if (!serv->sfd && +- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) && ++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) && + errno != 0) + { + my_syslog(LOG_WARNING, +Index: dnsmasq-2.81/src/option.c +=================================================================== +--- dnsmasq-2.81.orig/src/option.c ++++ dnsmasq-2.81/src/option.c +@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso + if (interface_opt) + { + #if defined(SO_BINDTODEVICE) +- safe_strncpy(interface, interface_opt, IF_NAMESIZE); ++ safe_strncpy(interface, source, IF_NAMESIZE); ++ source = interface_opt; + #else + return _("interface binding not supported"); + #endif +Index: dnsmasq-2.81/src/tftp.c +=================================================================== +--- dnsmasq-2.81.orig/src/tftp.c ++++ dnsmasq-2.81/src/tftp.c +@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now) + + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if ((len = get_block(daemon->packet, transfer)) == -1) + { + len = tftp_err_oops(daemon->packet, transfer->file->filename); +Index: dnsmasq-2.81/src/util.c +=================================================================== +--- dnsmasq-2.81.orig/src/util.c ++++ dnsmasq-2.81/src/util.c +@@ -316,7 +316,7 @@ void *whine_malloc(size_t size) + return ret; + } + +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2) ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2) + { + if (s1->sa.sa_family == s2->sa.sa_family) + { diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch 
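Review bot: The patch header's diffstat lists `CHANGELOG | 22 +++` and "10 files changed", but the body carries nine `Index:` sections (man/dnsmasq.8 and src/dnsmasq.c through src/util.c) and no CHANGELOG hunk, so the stat no longer describes this backport and should be regenerated or the CHANGELOG hunk restored. The header also gives a bare `Upstream-Status: Backport`, unlike the CVE-2022-0934.patch added in the same commit, which carries `Upstream-Status: Backport [<url>]`; the `From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2` line appears to be the upstream id, and spelling it out as `Upstream-Status: Backport [<upstream commit URL>]` makes the provenance checkable. Separately, the rewritten `resend_query` sends on `daemon->fd_save` unconditionally, whereas the removed code first checked that the saved random fd still had a non-zero refcount; if a frec can be freed (closing its fd in `free_rfds`) without `daemon->srv_save` being cleared, the resend would hit a closed or reused descriptor, which is worth confirming against upstream before relying on this backport. The recipe hunk wiring this file into dnsmasq's SRC_URI is not in view.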
@@ -0,0 +1,188 @@ +From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 17:39:21 +0530 +Subject: [PATCH] CVE-2022-0934 + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39] +CVE: CVE-2022-0934 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CHANGELOG | 2 ++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 29 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 60b08d0..d1d7e41 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -88,6 +88,8 @@ version 2.81 + + Add --script-on-renewal option. + ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. + + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method +diff --git a/src/rfc3315.c b/src/rfc3315.c +index b3f0a0a..eef1360 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me blood to write, it will 
probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. 
+ mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? 
_("ignored") : NULL); +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RENEW: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRENEW", NULL, NULL); + +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + 
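Review bot: The patch header carries only `Subject: [PATCH] CVE-2022-0934` and no description of the defect, unlike the other backports in this series; the commit message should state what the CHANGELOG hunk already says, e.g. `Fix write-after-free in the DHCPv6 server: keep the offset of the reply message type instead of a pointer into the output packet, which may be reallocated while options are added.` Separately, `outmsgtype` in `dhcp6_no_relay` is declared without an initialiser and is written back unconditionally after the `switch` by `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;`, so any path that reaches that line without passing one of the `outmsgtype = DHCP6REPLY` / `DHCP6ADVERTISE` assignments would emit an indeterminate byte. Most of the switch body lies outside the visible hunks, so I could not rule such a path out; `unsigned char outmsgtype = 0;` at the declaration would make the write well-defined at no cost.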
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch
new file mode 100644
index 0000000000..dd3bd27408
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch
@@ -0,0 +1,63 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] +CVE: CVE-2023-28450 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + CHANGELOG | 8 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d1d7e41..7a560d3 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -91,6 +91,14 @@ version 2.81 + Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index f2803f9..3cca4bc 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max=<size> + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. 
+ .TP + .B \-Q, --query-port=<query_port> + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 54f6f48..29ac3e7 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.18.2 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 92415386c2..f2b8feac56 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -4,5 +4,13 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8" SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0" SRC_URI += "\ file://lua.patch \ + file://CVE-2020-25681.patch \ + file://CVE-2020-25684.patch \ + file://CVE-2020-25685-1.patch \ + file://CVE-2020-25685-2.patch \ + file://CVE-2020-25686-1.patch \ + file://CVE-2020-25686-2.patch \ + file://CVE-2021-3448.patch \ + file://CVE-2022-0934.patch \ + file://CVE-2023-28450.patch \ " - diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch new file mode 100644 index 0000000000..6756157700 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch 
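Review bot: The CHANGELOG hunk (`index d1d7e41..7a560d3`) uses as context the two lines that CVE-2022-0934.patch adds (`Fix write-after-free error in DHCPv6 server code.` / `CVE-2022-0934 refers.`), so this patch applies only after that one; the SRC_URI order in dnsmasq_2.81.bb satisfies this today, but dropping or reordering either patch would fail the fetch with a rejected hunk. The CVE-2020-2568x backports in the same series omit the CHANGELOG hunk even though their diffstat lists it, which avoids the coupling; either do the same here or record the dependency in the header, e.g. `Comment: CHANGELOG hunk depends on CVE-2022-0934.patch`. Note also that the new 1232-byte `EDNS_PKTSZ` in src/config.h only changes the default, so deployments that set `--edns-packet-max` explicitly keep whatever they configured.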
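Review bot: The patches added to SRC_URI live in two different directories — CVE-2022-0934.patch and CVE-2023-28450.patch under `recipes-support/dnsmasq/dnsmasq/`, while the CVE-2020-25681, CVE-2020-25684 and CVE-2020-25685-1 patches visible in this diff are under `recipes-support/dnsmasq/files/`. Both directories are on the default FILESPATH, so every `file://` entry resolves, but splitting a single CVE series across them makes it harder to audit which fixes the recipe carries; pick one directory for all nine. It is also worth a recipe comment that CVE-2020-25681.patch additionally carries `CVE:` tags for CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687, since the file name alone does not show that those are covered.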
@@ -0,0 +1,370 @@ +From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 11 Nov 2020 23:25:04 +0000 +Subject: [PATCH] Fix remote buffer overflow CERT VU#434904 + +The problem is in the sort_rrset() function and allows a remote +attacker to overwrite memory. Any dnsmasq instance with DNSSEC +enabled is vulnerable. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 7 +- + src/dnssec.c | 273 ++++++++++++++++++++++++++++----------------------- + 2 files changed, 158 insertions(+), 122 deletions(-) + +CVE: CVE-2020-25681 +CVE: CVE-2020-25682 +CVE: CVE-2020-25683 +CVE: CVE-2020-25687 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a] +Comment: Refreshed first two hunks + +Index: dnsmasq-2.81/src/dnssec.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -223,138 +223,144 @@ static int check_date_range(unsigned lon + && serial_compare_32(curtime, date_end) == SERIAL_LT; + } + +-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining +- data, pointed to by *p, should be used raw. */ +-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, +- unsigned char **p, u16 **desc) ++/* Return bytes of canonicalised rrdata one by one. ++ Init state->ip with the RR, and state->end with the end of same. ++ Init state->op to NULL. ++ Init state->desc to RR descriptor. ++ Init state->buff with a MAXDNAME * 2 buffer. ++ ++ After each call which returns 1, state->op points to the next byte of data. ++ On returning 0, the end has been reached. 
++*/ ++struct rdata_state { ++ u16 *desc; ++ size_t c; ++ unsigned char *end, *ip, *op; ++ char *buff; ++}; ++ ++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state) + { +- int d = **desc; ++ int d; + +- /* No more data needs mangling */ +- if (d == (u16)-1) ++ if (state->op && state->c != 1) + { +- /* If there's more data than we have space for, just return what fits, +- we'll get called again for more chunks */ +- if (end - *p > bufflen) +- { +- memcpy(buff, *p, bufflen); +- *p += bufflen; +- return bufflen; +- } +- +- return 0; ++ state->op++; ++ state->c--; ++ return 1; + } +- +- (*desc)++; +- +- if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) +- /* domain-name, canonicalise */ +- return to_wire(buff); +- else +- { +- /* plain data preceding a domain-name, don't run off the end of the data */ +- if ((end - *p) < d) +- d = end - *p; +- +- if (d != 0) ++ ++ while (1) ++ { ++ d = *(state->desc); ++ if (d == (u16)-1) + { +- memcpy(buff, *p, d); +- *p += d; ++ /* all the bytes to the end. */ ++ if ((state->c = state->end - state->ip) != 0) ++ { ++ state->op = state->ip; ++ state->ip = state->end;; ++ } ++ else ++ return 0; ++ } ++ else ++ { ++ state->desc++; ++ ++ if (d == (u16)0) ++ { ++ /* domain-name, canonicalise */ ++ int len; ++ ++ if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) || ++ (len = to_wire(state->buff)) == 0) ++ continue; ++ ++ state->c = len; ++ state->op = (unsigned char *)state->buff; ++ } ++ else ++ { ++ /* plain data preceding a domain-name, don't run off the end of the data */ ++ if ((state->end - state->ip) < d) ++ d = state->end - state->ip; ++ ++ if (d == 0) ++ continue; ++ ++ state->op = state->ip; ++ state->c = d; ++ state->ip += d; ++ } + } + +- return d; ++ return 1; + } + } + +-/* Bubble sort the RRset into the canonical order. +- Note that the byte-streams from two RRs may get unsynced: consider +- RRs which have two domain-names at the start and then other data. 
+- The domain-names may have different lengths in each RR, but sort equal +- +- ------------ +- |abcde|fghi| +- ------------ +- |abcd|efghi| +- ------------ +- +- leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables. +-*/ ++/* Bubble sort the RRset into the canonical order. */ + + static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, + unsigned char **rrset, char *buff1, char *buff2) + { +- int swap, quit, i, j; ++ int swap, i, j; + + do + { + for (swap = 0, i = 0; i < rrsetidx-1; i++) + { +- int rdlen1, rdlen2, left1, left2, len1, len2, len, rc; +- u16 *dp1, *dp2; +- unsigned char *end1, *end2; ++ int rdlen1, rdlen2; ++ struct rdata_state state1, state2; ++ + /* Note that these have been determined to be OK previously, + so we don't need to check for NULL return here. */ +- unsigned char *p1 = skip_name(rrset[i], header, plen, 10); +- unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10); +- +- p1 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen1, p1); +- end1 = p1 + rdlen1; +- +- p2 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen2, p2); +- end2 = p2 + rdlen2; +- +- dp1 = dp2 = rr_desc; +- +- for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;) ++ state1.ip = skip_name(rrset[i], header, plen, 10); ++ state2.ip = skip_name(rrset[i+1], header, plen, 10); ++ state1.op = state2.op = NULL; ++ state1.buff = buff1; ++ state2.buff = buff2; ++ state1.desc = state2.desc = rr_desc; ++ ++ state1.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen1, state1.ip); ++ if (!CHECK_LEN(header, state1.ip, plen, rdlen1)) ++ return rrsetidx; /* short packet */ ++ state1.end = state1.ip + rdlen1; ++ state2.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen2, state2.ip); ++ if (!CHECK_LEN(header, state2.ip, plen, rdlen2)) ++ return rrsetidx; /* short packet */ ++ state2.end = state2.ip + rdlen2; ++ ++ while (1) + { +- if (left1 != 0) +- memmove(buff1, buff1 + len1 - left1, left1); 
+- +- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0) +- { +- quit = 1; +- len1 = end1 - p1; +- memcpy(buff1 + left1, p1, len1); ++ int ok1, ok2; ++ ok1 = get_rdata(header, plen, &state1); ++ ok2 = get_rdata(header, plen, &state2); ++ ++ if (!ok1 && !ok2) ++ { ++ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ ++ for (j = i+1; j < rrsetidx-1; j++) ++ rrset[j] = rrset[j+1]; ++ rrsetidx--; ++ i--; ++ break; + } +- len1 += left1; +- +- if (left2 != 0) +- memmove(buff2, buff2 + len2 - left2, left2); +- +- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0) +- { +- quit = 1; +- len2 = end2 - p2; +- memcpy(buff2 + left2, p2, len2); +- } +- len2 += left2; +- +- if (len1 > len2) +- left1 = len1 - len2, left2 = 0, len = len2; +- else +- left2 = len2 - len1, left1 = 0, len = len1; +- +- rc = (len == 0) ? 0 : memcmp(buff1, buff2, len); +- +- if (rc > 0 || (rc == 0 && quit && len1 > len2)) ++ else if (ok1 && (!ok2 || *state1.op > *state2.op)) + { + unsigned char *tmp = rrset[i+1]; + rrset[i+1] = rrset[i]; + rrset[i] = tmp; +- swap = quit = 1; +- } +- else if (rc == 0 && quit && len1 == len2) +- { +- /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ +- for (j = i+1; j < rrsetidx-1; j++) +- rrset[j] = rrset[j+1]; +- rrsetidx--; +- i--; ++ swap = 1; ++ break; + } +- else if (rc < 0) +- quit = 1; ++ else if (ok2 && (!ok1 || *state2.op > *state1.op)) ++ break; ++ ++ /* arrive here when bytes are equal, go round the loop again ++ and compare the next ones. */ + } + } + } while (swap); +@@ -569,12 +575,15 @@ static int validate_rrset(time_t now, st + wire_len = to_wire(keyname); + hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname); + from_wire(keyname); ++ ++#define RRBUFLEN 300 /* Most RRs are smaller than this. 
*/ + + for (i = 0; i < rrsetidx; ++i) + { +- int seg; +- unsigned char *end, *cp; +- u16 len, *dp; ++ int j; ++ struct rdata_state state; ++ u16 len; ++ unsigned char rrbuf[RRBUFLEN]; + + p = rrset[i]; + +@@ -586,12 +595,11 @@ static int validate_rrset(time_t now, st + /* if more labels than in RRsig name, hash *.<no labels in rrsig labels field> 4035 5.3.2 */ + if (labels < name_labels) + { +- int k; +- for (k = name_labels - labels; k != 0; k--) ++ for (j = name_labels - labels; j != 0; j--) + { + while (*name_start != '.' && *name_start != 0) + name_start++; +- if (k != 1 && *name_start == '.') ++ if (j != 1 && *name_start == '.') + name_start++; + } + +@@ -612,24 +620,44 @@ static int validate_rrset(time_t now, st + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; + +- end = p + rdlen; +- +- /* canonicalise rdata and calculate length of same, use name buffer as workspace. +- Note that name buffer is twice MAXDNAME long in DNSSEC mode. */ +- cp = p; +- dp = rr_desc; +- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg); +- len += end - cp; +- len = htons(len); ++ /* canonicalise rdata and calculate length of same, use ++ name buffer as workspace for get_rdata. */ ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ state.buff = name; ++ state.end = p + rdlen; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ if (j < RRBUFLEN) ++ rrbuf[j] = *state.op; ++ ++ len = htons((u16)j); + hash->update(ctx, 2, (unsigned char *)&len); ++ ++ /* If the RR is shorter than RRBUFLEN (most of them, in practice) ++ then we can just digest it now. If it exceeds RRBUFLEN we have to ++ go back to the start and do it in chunks. 
*/ ++ if (j >= RRBUFLEN) ++ { ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ { ++ rrbuf[j] = *state.op; ++ ++ if (j == RRBUFLEN - 1) ++ { ++ hash->update(ctx, RRBUFLEN, rrbuf); ++ j = -1; ++ } ++ } ++ } + +- /* Now canonicalise again and digest. */ +- cp = p; +- dp = rr_desc; +- while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp))) +- hash->update(ctx, seg, (unsigned char *)name); +- if (cp != end) +- hash->update(ctx, end - cp, cp); ++ if (j != 0) ++ hash->update(ctx, j, rrbuf); + } + + hash->digest(ctx, hash->digest_size, digest); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch new file mode 100644 index 0000000000..f7ff4b27cc --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch 
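Review bot: In the header of CVE-2020-25681.patch the `CVE:`, `Upstream-Status:` and `Comment:` lines sit below the `---` diffstat separator rather than in the commit message above `Signed-off-by:`; everything below `---` is discarded on `git am`, so the provenance is lost the moment the patch is re-imported, and only the fact that cve-check reads the patch file itself keeps the tags effective. The same layout is used in CVE-2020-25684.patch and CVE-2020-25685-1.patch; move the tags above the `---` line in all three, as CVE-2022-0934.patch and CVE-2023-28450.patch already do. Two inherited nits in the dnssec.c body deserve a `Comment:` rather than a local change: `state->ip = state->end;;` has a stray semicolon, and `#define RRBUFLEN 300` is introduced inside `validate_rrset` with no `#undef`, so the macro remains visible for the rest of the translation unit.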
@@ -0,0 +1,98 @@ +From 257ac0c5f7732cbc6aa96fdd3b06602234593aca Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 18:49:23 +0000 +Subject: [PATCH] Check destination of DNS UDP query replies. + +At any time, dnsmasq will have a set of sockets open, bound to +random ports, on which it sends queries to upstream nameservers. +This patch fixes the existing problem that a reply for ANY in-flight +query would be accepted via ANY open port, which increases the +chances of an attacker flooding answers "in the blind" in an +attempt to poison the DNS cache. CERT VU#434904 refers. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 6 +++++- + src/forward.c | 37 ++++++++++++++++++++++++++++--------- + 2 files changed, 33 insertions(+), 10 deletions(-) + +CVE: CVE-2020-25684 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -805,7 +805,7 @@ void reply_query(int fd, int family, tim + crc = questions_crc(header, n, daemon->namebuff); + #endif + +- if (!(forward = lookup_frec(ntohs(header->id), hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -2338,14 +2338,25 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. 
*/ +-static struct frec *lookup_frec(unsigned short id, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) + { + struct frec *f; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) +- return f; ++ { ++ /* sent from random port */ ++ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ return f; ++ ++ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) ++ return f; ++ ++ /* sent to upstream from bound socket. */ ++ if (f->sentto->sfd && f->sentto->sfd->fd == fd) ++ return f; ++ } + + return NULL; + } +@@ -2406,12 +2417,20 @@ void server_gone(struct server *server) + static unsigned short get_id(void) + { + unsigned short ret = 0; ++ struct frec *f; + +- do +- ret = rand16(); +- while (lookup_frec(ret, NULL)); +- +- return ret; ++ while (1) ++ { ++ ret = rand16(); ++ ++ /* ensure id is unique. */ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && f->new_id == ret) ++ break; ++ ++ if (!f) ++ return ret; ++ } + } + + diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch new file mode 100644 index 0000000000..5eb582c671 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch 
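Review bot: In `lookup_frec`, a reply whose id and question hash match an in-flight query but which arrives on a socket the query was not sent from now falls through the three `fd` checks and is dropped silently; that is exactly the blind-answer flood the commit message describes, so a rate-limited `my_syslog(LOG_WARNING, ...)` at the end of the `if` body would give operators a detection signal where today there is none. The rewritten `get_id` loops until `rand16()` yields an id absent from `daemon->frec_list`; termination relies on the forwarding table being far smaller than 2^16 entries, which `--dns-forward-max` guarantees, but that invariant is worth stating with `/* terminates: frec_list is bounded by --dns-forward-max, far below 2^16 */` above the `while (1)`.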
@@ -0,0 +1,587 @@ +From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 22:06:07 +0000 +Subject: [PATCH] Use SHA-256 to provide security against DNS cache poisoning. + +Use the SHA-256 hash function to verify that DNS answers +received are for the questions originally asked. This replaces +the slightly insecure SHA-1 (when compiled with DNSSEC) or +the very insecure CRC32 (otherwise). Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 5 + + Makefile | 3 +- + bld/Android.mk | 2 +- + src/dnsmasq.h | 11 +- + src/dnssec.c | 31 ----- + src/forward.c | 43 ++----- + src/hash_questions.c | 281 +++++++++++++++++++++++++++++++++++++++++++ + src/rfc1035.c | 49 -------- + 8 files changed, 301 insertions(+), 124 deletions(-) + create mode 100644 src/hash_questions.c + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: No change in any hunk + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -77,7 +77,8 @@ objs = cache.o rfc1035.o util.o option.o + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o ++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ ++ metrics.o hash_questions.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h metrics.h +Index: dnsmasq-2.81/bld/Android.mk +=================================================================== +--- dnsmasq-2.81.orig/bld/Android.mk ++++ dnsmasq-2.81/bld/Android.mk +@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c + radv.c slaac.c 
auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ + loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ +- crypto.c dump.c ubus.c ++ crypto.c dump.c ubus.c metrics.c hash_questions.c + + LOCAL_MODULE := dnsmasq + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -654,11 +654,7 @@ struct hostsfile { + #define FREC_TEST_PKTSZ 256 + #define FREC_HAS_EXTRADATA 512 + +-#ifdef HAVE_DNSSEC +-#define HASH_SIZE 20 /* SHA-1 digest size */ +-#else +-#define HASH_SIZE sizeof(int) +-#endif ++#define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { + union mysockaddr source; +@@ -1218,7 +1214,6 @@ int check_for_bogus_wildcard(struct dns_ + struct bogus_addr *baddr, time_t now); + int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr); + int check_for_local_domain(char *name, time_t now); +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name); + size_t resize_packet(struct dns_header *header, size_t plen, + unsigned char *pheader, size_t hlen); + int add_resource_record(struct dns_header *header, char *limit, int *truncp, +@@ -1243,9 +1238,11 @@ int dnssec_validate_reply(time_t now, st + int check_unsigned, int *neganswer, int *nons, int *nsec_ttl); + int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); + int setup_timestamp(void); + ++/* hash_questions.c */ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name); ++ + /* crypto.c */ + const struct nettle_hash *hash_find(char *name); + int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); +Index: dnsmasq-2.81/src/dnssec.c 
+=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -2084,35 +2084,4 @@ size_t dnssec_generate_query(struct dns_ + return ret; + } + +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int len; +- unsigned char *p = (unsigned char *)(header+1); +- const struct nettle_hash *hash; +- void *ctx; +- unsigned char *digest; +- +- if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest)) +- return NULL; +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- break; /* bad packet */ +- +- len = to_wire(name); +- hash->update(ctx, len, (unsigned char *)name); +- /* CRC the class and type as well */ +- hash->update(ctx, 4, p); +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- break; /* bad packet */ +- } +- +- hash->digest(ctx, hash->digest_size, digest); +- return digest; +-} +- + #endif /* HAVE_DNSSEC */ +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -256,19 +256,16 @@ static int forward_query(int udpfd, unio + union all_addr *addrp = NULL; + unsigned int flags = 0; + struct server *start = NULL; +-#ifdef HAVE_DNSSEC + void *hash = hash_questions(header, plen, daemon->namebuff); ++#ifdef HAVE_DNSSEC + int do_dnssec = 0; +-#else +- unsigned int crc = questions_crc(header, plen, daemon->namebuff); +- void *hash = &crc; + #endif + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; + + /* may be no servers available. 
*/ +- if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) ++ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { + /* If we didn't get an answer advertising a maximal packet in EDNS, + fall back to 1280, which should work everywhere on IPv6. +@@ -769,9 +766,6 @@ void reply_query(int fd, int family, tim + size_t nn; + struct server *server; + void *hash; +-#ifndef HAVE_DNSSEC +- unsigned int crc; +-#endif + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +@@ -798,12 +792,7 @@ void reply_query(int fd, int family, tim + if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME) + server->edns_pktsz = daemon->edns_pktsz; + +-#ifdef HAVE_DNSSEC + hash = hash_questions(header, n, daemon->namebuff); +-#else +- hash = &crc; +- crc = questions_crc(header, n, daemon->namebuff); +-#endif + + if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; +@@ -1115,8 +1104,7 @@ void reply_query(int fd, int family, tim + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr), + querystr("dnssec-query", querytype)); + +- if ((hash = hash_questions(header, nn, daemon->namebuff))) +- memcpy(new->hash, hash, HASH_SIZE); ++ memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); + new->new_id = get_id(); + header->id = htons(new->new_id); + /* Save query for retransmission */ +@@ -1969,15 +1957,9 @@ unsigned char *tcp_request(int confd, ti + if (!flags && last_server) + { + struct server *firstsendto = NULL; +-#ifdef HAVE_DNSSEC +- unsigned char *newhash, hash[HASH_SIZE]; +- if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) +- memcpy(hash, newhash, HASH_SIZE); +- else +- memset(hash, 0, HASH_SIZE); +-#else +- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); +-#endif ++ unsigned char hash[HASH_SIZE]; ++ memcpy(hash, hash_questions(header, (unsigned 
int)size, daemon->namebuff), HASH_SIZE); ++ + /* Loop round available servers until we succeed in connecting to one. + Note that this code subtly ensures that consecutive queries on this connection + which can go to the same server, do so. */ +@@ -2116,20 +2098,11 @@ unsigned char *tcp_request(int confd, ti + /* If the crc of the question section doesn't match the crc we sent, then + someone might be attempting to insert bogus values into the cache by + sending replies containing questions and bogus answers. */ +-#ifdef HAVE_DNSSEC +- newhash = hash_questions(header, (unsigned int)m, daemon->namebuff); +- if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0) ++ if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) + { + m = 0; + break; + } +-#else +- if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff)) +- { +- m = 0; +- break; +- } +-#endif + + m = process_reply(header, now, last_server, (unsigned int)m, + option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, +@@ -2344,7 +2317,7 @@ static struct frec *lookup_frec(unsigned + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && +- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) ++ (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ + if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- /dev/null ++++ dnsmasq-2.81/src/hash_questions.c +@@ -0,0 +1,281 @@ ++/* Copyright (c) 2012-2020 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. 
++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see <http://www.gnu.org/licenses/>. ++*/ ++ ++ ++/* Hash the question section. This is used to safely detect query ++ retransmission and to detect answers to questions we didn't ask, which ++ might be poisoning attacks. Note that we decode the name rather ++ than CRC the raw bytes, since replies might be compressed differently. ++ We ignore case in the names for the same reason. ++ ++ The hash used is SHA-256. If we're building with DNSSEC support, ++ we use the Nettle cypto library. If not, we prefer not to ++ add a dependency on Nettle, and use a stand-alone implementaion. ++*/ ++ ++#include "dnsmasq.h" ++ ++#ifdef HAVE_DNSSEC ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ const struct nettle_hash *hash; ++ void *ctx; ++ unsigned char *digest; ++ ++ if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest)) ++ { ++ /* don't think this can ever happen. 
*/ ++ static unsigned char dummy[HASH_SIZE]; ++ static int warned = 0; ++ ++ if (warned) ++ my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object")); ++ warned = 1; ++ ++ return dummy; ++ } ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ hash->update(ctx, cp - name, (unsigned char *)name); ++ /* CRC the class and type as well */ ++ hash->update(ctx, 4, p); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ hash->digest(ctx, hash->digest_size, digest); ++ return digest; ++} ++ ++#else /* HAVE_DNSSEC */ ++ ++#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest ++typedef unsigned char BYTE; // 8-bit byte ++typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines ++ ++typedef struct { ++ BYTE data[64]; ++ WORD datalen; ++ unsigned long long bitlen; ++ WORD state[8]; ++} SHA256_CTX; ++ ++static void sha256_init(SHA256_CTX *ctx); ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]); ++ ++ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ SHA256_CTX ctx; ++ static BYTE digest[SHA256_BLOCK_SIZE]; ++ ++ sha256_init(&ctx); ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ sha256_update(&ctx, (BYTE *)name, cp - name); ++ /* CRC the class and type as well */ ++ sha256_update(&ctx, (BYTE *)p, 4); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ sha256_final(&ctx, digest); ++ return 
(unsigned char *)digest; ++} ++ ++/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms ++ and was written by Brad Conte (brad@bradconte.com), to whom all credit is given. ++ ++ This code is in the public domain, and the copyright notice at the head of this ++ file does not apply to it. ++*/ ++ ++ ++/****************************** MACROS ******************************/ ++#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) ++#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) ++ ++#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) ++#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) ++#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) ++#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) ++#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) ++#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) ++ ++/**************************** VARIABLES *****************************/ ++static const WORD k[64] = { ++ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, ++ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, ++ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, ++ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, ++ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, ++ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, ++ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, ++ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 ++}; ++ ++/*********************** FUNCTION DEFINITIONS ***********************/ ++static void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) ++{ ++ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; ++ ++ for (i = 0, j = 0; i < 16; ++i, j += 4) ++ m[i] = 
(data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]); ++ for ( ; i < 64; ++i) ++ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; ++ ++ a = ctx->state[0]; ++ b = ctx->state[1]; ++ c = ctx->state[2]; ++ d = ctx->state[3]; ++ e = ctx->state[4]; ++ f = ctx->state[5]; ++ g = ctx->state[6]; ++ h = ctx->state[7]; ++ ++ for (i = 0; i < 64; ++i) ++ { ++ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; ++ t2 = EP0(a) + MAJ(a,b,c); ++ h = g; ++ g = f; ++ f = e; ++ e = d + t1; ++ d = c; ++ c = b; ++ b = a; ++ a = t1 + t2; ++ } ++ ++ ctx->state[0] += a; ++ ctx->state[1] += b; ++ ctx->state[2] += c; ++ ctx->state[3] += d; ++ ctx->state[4] += e; ++ ctx->state[5] += f; ++ ctx->state[6] += g; ++ ctx->state[7] += h; ++} ++ ++static void sha256_init(SHA256_CTX *ctx) ++{ ++ ctx->datalen = 0; ++ ctx->bitlen = 0; ++ ctx->state[0] = 0x6a09e667; ++ ctx->state[1] = 0xbb67ae85; ++ ctx->state[2] = 0x3c6ef372; ++ ctx->state[3] = 0xa54ff53a; ++ ctx->state[4] = 0x510e527f; ++ ctx->state[5] = 0x9b05688c; ++ ctx->state[6] = 0x1f83d9ab; ++ ctx->state[7] = 0x5be0cd19; ++} ++ ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) ++{ ++ WORD i; ++ ++ for (i = 0; i < len; ++i) ++ { ++ ctx->data[ctx->datalen] = data[i]; ++ ctx->datalen++; ++ if (ctx->datalen == 64) { ++ sha256_transform(ctx, ctx->data); ++ ctx->bitlen += 512; ++ ctx->datalen = 0; ++ } ++ } ++} ++ ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) ++{ ++ WORD i; ++ ++ i = ctx->datalen; ++ ++ // Pad whatever data is left in the buffer. ++ if (ctx->datalen < 56) ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 56) ++ ctx->data[i++] = 0x00; ++ } ++ else ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 64) ++ ctx->data[i++] = 0x00; ++ sha256_transform(ctx, ctx->data); ++ memset(ctx->data, 0, 56); ++ } ++ ++ // Append to the padding the total message's length in bits and transform. 
++ ctx->bitlen += ctx->datalen * 8; ++ ctx->data[63] = ctx->bitlen; ++ ctx->data[62] = ctx->bitlen >> 8; ++ ctx->data[61] = ctx->bitlen >> 16; ++ ctx->data[60] = ctx->bitlen >> 24; ++ ctx->data[59] = ctx->bitlen >> 32; ++ ctx->data[58] = ctx->bitlen >> 40; ++ ctx->data[57] = ctx->bitlen >> 48; ++ ctx->data[56] = ctx->bitlen >> 56; ++ sha256_transform(ctx, ctx->data); ++ ++ // Since this implementation uses little endian byte ordering and SHA uses big endian, ++ // reverse all the bytes when copying the final state to the output hash. ++ for (i = 0; i < 4; ++i) ++ { ++ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; ++ } ++} ++ ++#endif +Index: dnsmasq-2.81/src/rfc1035.c +=================================================================== +--- dnsmasq-2.81.orig/src/rfc1035.c ++++ dnsmasq-2.81/src/rfc1035.c +@@ -333,55 +333,6 @@ unsigned char *skip_section(unsigned cha + return ansp; + } + +-/* CRC the question section. This is used to safely detect query +- retransmission and to detect answers to questions we didn't ask, which +- might be poisoning attacks. Note that we decode the name rather +- than CRC the raw bytes, since replies might be compressed differently. +- We ignore case in the names for the same reason. Return all-ones +- if there is not question section. 
*/ +-#ifndef HAVE_DNSSEC +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int crc = 0xffffffff; +- unsigned char *p1, *p = (unsigned char *)(header+1); +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- return crc; /* bad packet */ +- +- for (p1 = (unsigned char *)name; *p1; p1++) +- { +- int i = 8; +- char c = *p1; +- +- if (c >= 'A' && c <= 'Z') +- c += 'a' - 'A'; +- +- crc ^= c << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- /* CRC the class and type as well */ +- for (p1 = p; p1 < p+4; p1++) +- { +- int i = 8; +- crc ^= *p1 << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- return crc; /* bad packet */ +- } +- +- return crc; +-} +-#endif +- + size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen) + { + unsigned char *ansp = skip_questions(header, plen); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch new file mode 100644 index 0000000000..302c42ccca --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch 
@@ -0,0 +1,175 @@ +From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Wed, 25 Nov 2020 17:18:55 +0100 +Subject: [PATCH] Support hash function from nettle (only) + +Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from +nettle, but keep DNSSEC disabled at build time. Skips use of internal +hash implementation without support for validation built-in. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + Makefile | 8 +++++--- + bld/pkg-wrapper | 41 ++++++++++++++++++++++------------------- + src/config.h | 8 ++++++++ + src/crypto.c | 7 +++++++ + src/dnsmasq.h | 2 +- + src/hash_questions.c | 2 +- + 6 files changed, 44 insertions(+), 24 deletions(-) + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -53,7 +53,7 @@ top?=$(CURDIR) + + dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` + dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` +-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus` ++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'` + idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` + idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` + idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2` +@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/ + ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs 
libnetfilter_conntrack` + lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua` + lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua` +-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` +-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` ++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle` ++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle` + gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` + sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` + version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' +Index: dnsmasq-2.81/bld/pkg-wrapper +=================================================================== +--- dnsmasq-2.81.orig/bld/pkg-wrapper ++++ dnsmasq-2.81/bld/pkg-wrapper +@@ -1,35 +1,37 @@ + #!/bin/sh + +-search=$1 +-shift +-pkg=$1 +-shift +-op=$1 +-shift +- + in=`cat` + +-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ +- echo $in | grep $search >/dev/null 2>&1; then ++search() ++{ ++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \ ++ echo $in | grep $1 >/dev/null 2>&1 ++} ++ ++while [ "$#" -gt 0 ]; do ++ search=$1 ++ pkg=$2 ++ op=$3 ++ lib=$4 ++ shift 4 ++if search "$search"; then ++ + # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP + if [ $op = "--copy" ]; then + if [ -z "$pkg" ]; then +- pkg="$*" +- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ +- echo $in | grep $pkg >/dev/null 2>&1; then ++ pkg="$lib" ++ elif search "$pkg"; then + pkg="" + 
else +- pkg="$*" ++ pkg="$lib" + fi +- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then +- pkg=`$pkg --static $op $*` ++ elif search "${search}_STATIC"; then ++ pkg=`$pkg --static $op $lib` + else +- pkg=`$pkg $op $*` ++ pkg=`$pkg $op $lib` + fi + +- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then ++ if search "${search}_STATIC"; then + if [ $op = "--libs" ] || [ $op = "--copy" ]; then + echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic" + else +@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:] + fi + fi + ++done +Index: dnsmasq-2.81/src/config.h +=================================================================== +--- dnsmasq-2.81.orig/src/config.h ++++ dnsmasq-2.81/src/config.h +@@ -118,6 +118,9 @@ HAVE_AUTH + define this to include the facility to act as an authoritative DNS + server for one or more zones. + ++HAVE_NETTLEHASH ++ include just hash function from nettle, but no DNSSEC. ++ + HAVE_DNSSEC + include DNSSEC validator. + +@@ -185,6 +188,7 @@ RESOLVFILE + /* #define HAVE_IDN */ + /* #define HAVE_LIBIDN2 */ + /* #define HAVE_CONNTRACK */ ++/* #define HAVE_NETTLEHASH */ + /* #define HAVE_DNSSEC */ + + +@@ -418,6 +422,10 @@ static char *compile_opts = + "no-" + #endif + "auth " ++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC) ++"no-" ++#endif ++"nettlehash " + #ifndef HAVE_DNSSEC + "no-" + #endif +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head + # include <nettle/nettle-meta.h> + #endif + ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) ++# include <nettle/nettle-meta.h> ++#endif + /* daemon is function in the C library.... 
*/ + #define daemon dnsmasq_daemon + +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- dnsmasq-2.81.orig/src/hash_questions.c ++++ dnsmasq-2.81/src/hash_questions.c +@@ -28,7 +28,7 @@ + + #include "dnsmasq.h" + +-#ifdef HAVE_DNSSEC ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) + unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) + { + int q; diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch new file mode 100644 index 0000000000..fd9d0a9b16 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch 
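Review bot: The patch header's diffstat lists `src/crypto.c | 7 +++++++`, but the file contains no `Index: dnsmasq-2.81/src/crypto.c` hunk, and the `Comment:` line only mentions refreshing the pkg-wrapper and Makefile hunks. The nettle path of `hash_questions()` calls `hash_find("sha256")` and `hash_init()`, which live in crypto.c; if that file is compiled only under `HAVE_DNSSEC` in 2.81 (not visible here), a build with `-DHAVE_NETTLEHASH` alone will fail to link, so the option this patch introduces would be unusable without HAVE_DNSSEC, which defeats its purpose. Either carry the upstream crypto.c hunk or record the omission, e.g. `Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile; crypto.c hunk dropped, so HAVE_NETTLEHASH still needs HAVE_DNSSEC`. The dnsmasq.h hunk also adds a second `<nettle/nettle-meta.h>` include block instead of widening the existing `#ifdef HAVE_DNSSEC` guard (the diffstat's `2 +-` suggests upstream changed one line); harmless with header guards, but one guarded block is easier to keep in sync.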
@@ -0,0 +1,332 @@ +From 15b60ddf935a531269bb8c68198de012a4967156 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 18 Nov 2020 18:34:55 +0000 +Subject: [PATCH] Handle multiple identical near simultaneous DNS queries + better. + +Previously, such queries would all be forwarded +independently. This is, in theory, inefficent but in practise +not a problem, _except_ that is means that an answer for any +of the forwarded queries will be accepted and cached. +An attacker can send a query multiple times, and for each repeat, +another {port, ID} becomes capable of accepting the answer he is +sending in the blind, to random IDs and ports. The chance of a +succesful attack is therefore multiplied by the number of repeats +of the query. The new behaviour detects repeated queries and +merely stores the clients sending repeats so that when the +first query completes, the answer can be sent to all the +clients who asked. Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 16 +++++- + src/dnsmasq.h | 19 ++++--- + src/forward.c | 142 ++++++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 147 insertions(+), 30 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -655,19 +655,24 @@ struct hostsfile { + #define FREC_DO_QUESTION 64 + #define FREC_ADDED_PHEADER 128 + #define FREC_TEST_PKTSZ 256 +-#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_PHEADER 1024 + + #define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { +- union mysockaddr source; +- union all_addr dest; ++ struct frec_src { ++ union mysockaddr source; ++ union all_addr dest; ++ 
unsigned int iface, log_id; ++ unsigned short orig_id; ++ struct frec_src *next; ++ } frec_src; + struct server *sentto; /* NULL means free */ + struct randfd *rfd4; + struct randfd *rfd6; +- unsigned int iface; +- unsigned short orig_id, new_id; +- int log_id, fd, forwardall, flags; ++ unsigned short new_id; ++ int fd, forwardall, flags; + time_t time; + unsigned char *hash[HASH_SIZE]; + #ifdef HAVE_DNSSEC +@@ -1085,6 +1090,8 @@ extern struct daemon { + int back_to_the_future; + #endif + struct frec *frec_list; ++ struct frec_src *free_frec_src; ++ int frec_src_count; + struct serverfd *sfds; + struct irec *interfaces; + struct listener *listeners; +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); ++ + static unsigned short get_id(void); + static void free_frec(struct frec *f); + +@@ -255,6 +257,7 @@ static int forward_query(int udpfd, unio + int type = SERV_DO_DNSSEC, norebind = 0; + union all_addr *addrp = NULL; + unsigned int flags = 0; ++ unsigned int fwd_flags = 0; + struct server *start = NULL; + void *hash = hash_questions(header, plen, daemon->namebuff); + #ifdef HAVE_DNSSEC +@@ -263,7 +266,18 @@ static int forward_query(int udpfd, unio + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; +- ++ ++ if (header->hb4 & HB4_CD) ++ fwd_flags |= FREC_CHECKING_DISABLED; ++ if (ad_reqd) ++ fwd_flags |= FREC_AD_QUESTION; ++ if (oph) ++ fwd_flags |= FREC_HAS_PHEADER; ++#ifdef HAVE_DNSSEC ++ if (do_bit) ++ fwd_flags |= FREC_DO_QUESTION; ++#endif ++ + /* may be no servers available. 
*/ + if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { +@@ -336,6 +350,39 @@ static int forward_query(int udpfd, unio + } + else + { ++ /* Query from new source, but the same query may be in progress ++ from another source. If so, just add this client to the ++ list that will get the reply. ++ ++ Note that is the EDNS client subnet option is in use, we can't do this, ++ as the clients (and therefore query EDNS options) will be different ++ for each query. The EDNS subnet code has checks to avoid ++ attacks in this case. */ ++ if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags))) ++ { ++ /* Note whine_malloc() zeros memory. */ ++ if (!daemon->free_frec_src && ++ daemon->frec_src_count < daemon->ftabsize && ++ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) ++ daemon->frec_src_count++; ++ ++ /* If we've been spammed with many duplicates, just drop the query. */ ++ if (daemon->free_frec_src) ++ { ++ struct frec_src *new = daemon->free_frec_src; ++ daemon->free_frec_src = new->next; ++ new->next = forward->frec_src.next; ++ forward->frec_src.next = new; ++ new->orig_id = ntohs(header->id); ++ new->source = *udpaddr; ++ new->dest = *dst_addr; ++ new->log_id = daemon->log_id; ++ new->iface = dst_iface; ++ } ++ ++ return 1; ++ } ++ + if (gotname) + flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); + +@@ -343,22 +390,22 @@ static int forward_query(int udpfd, unio + do_dnssec = type & SERV_DO_DNSSEC; + #endif + type &= ~SERV_DO_DNSSEC; +- ++ + if (daemon->servers && !flags) + forward = get_new_frec(now, NULL, NULL); + /* table full - flags == 0, return REFUSED */ + + if (forward) + { +- forward->source = *udpaddr; +- forward->dest = *dst_addr; +- forward->iface = dst_iface; +- forward->orig_id = ntohs(header->id); ++ forward->frec_src.source = *udpaddr; ++ forward->frec_src.orig_id = ntohs(header->id); ++ forward->frec_src.dest = *dst_addr; ++ 
forward->frec_src.iface = dst_iface; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); + forward->forwardall = 0; +- forward->flags = 0; ++ forward->flags = fwd_flags; + if (norebind) + forward->flags |= FREC_NOREBIND; + if (header->hb4 & HB4_CD) +@@ -413,9 +460,9 @@ static int forward_query(int udpfd, unio + unsigned char *pheader; + + /* If a query is retried, use the log_id for the retry when logging the answer. */ +- forward->log_id = daemon->log_id; ++ forward->frec_src.log_id = daemon->log_id; + +- plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet); ++ plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet); + + if (subnet) + forward->flags |= FREC_HAS_SUBNET; +@@ -552,7 +599,7 @@ static int forward_query(int udpfd, unio + return 1; + + /* could not send on, prepare to return */ +- header->id = htons(forward->orig_id); ++ header->id = htons(forward->frec_src.orig_id); + free_frec(forward); /* cancel */ + } + +@@ -804,8 +851,8 @@ void reply_query(int fd, int family, tim + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. 
*/ +- daemon->log_display_id = forward->log_id; +- daemon->log_source_addr = &forward->source; ++ daemon->log_display_id = forward->frec_src.log_id; ++ daemon->log_source_addr = &forward->frec_src.source; + + if (daemon->ignore_addr && RCODE(header) == NOERROR && + check_for_ignored_address(header, n, daemon->ignore_addr)) +@@ -1077,6 +1124,7 @@ void reply_query(int fd, int family, tim + new->sentto = server; + new->rfd4 = NULL; + new->rfd6 = NULL; ++ new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; + +@@ -1212,9 +1260,11 @@ void reply_query(int fd, int family, tim + + if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, + forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, +- forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) ++ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) + { +- header->id = htons(forward->orig_id); ++ struct frec_src *src; ++ ++ header->id = htons(forward->frec_src.orig_id); + header->hb4 |= HB4_RA; /* recursion if available */ + #ifdef HAVE_DNSSEC + /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size +@@ -1230,13 +1280,26 @@ void reply_query(int fd, int family, tim + } + #endif + ++ for (src = &forward->frec_src; src; src = src->next) ++ { ++ header->id = htons(src->orig_id); ++ + #ifdef HAVE_DUMPFILE +- dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source); ++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source); + #endif +- +- send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, +- &forward->source, &forward->dest, forward->iface); ++ ++ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, ++ 
&src->source, &src->dest, src->iface); ++ ++ if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) ++ { ++ daemon->log_display_id = src->log_id; ++ daemon->log_source_addr = &src->source; ++ log_query(F_UPSTREAM, "query", NULL, "duplicate"); ++ } ++ } + } ++ + free_frec(forward); /* cancel */ + } + } +@@ -2198,6 +2261,17 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { ++ struct frec_src *src, *tmp; ++ ++ /* add back to freelist of not the record builtin to every frec. */ ++ for (src = f->frec_src.next; src; src = tmp) ++ { ++ tmp = src->next; ++ src->next = daemon->free_frec_src; ++ daemon->free_frec_src = src; ++ } ++ ++ f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; + f->sentto = NULL; +@@ -2339,17 +2413,39 @@ static struct frec *lookup_frec_by_sende + void *hash) + { + struct frec *f; ++ struct frec_src *src; ++ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && ++ !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) ++ for (src = &f->frec_src; src; src = src->next) ++ if (src->orig_id == id && ++ sockaddr_isequal(&src->source, addr)) ++ return f; ++ ++ return NULL; ++} ++ ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags) ++{ ++ struct frec *f; ++ ++ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below ++ ensures that no frec created for internal DNSSEC query can be returned here. */ ++ ++#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \ ++ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY) + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && +- f->orig_id == id && +- memcmp(hash, f->hash, HASH_SIZE) == 0 && +- sockaddr_isequal(&f->source, addr)) ++ (f->flags & FLAGMASK) == flags && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) + return f; +- ++ + return NULL; + } +- ++ + /* Send query packet again, if we can. */ + void resend_query() + { 
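Review bot: A duplicate query merged in `forward_query()` records `source`, `dest`, `log_id` and `iface` on the new `frec_src`, but not the listening socket (`udpfd`), so the reply loop in `reply_query()` sends every copy through `forward->fd`, the socket the first query arrived on. If a duplicate came in on a different listener — for instance under `bind-interfaces`, or on a socket of the other address family — the reply would be sent from the wrong socket and presumably not match what the client expects; `send_from()` is outside this hunk, so please confirm whether `dest`/`iface` alone are enough to steer the source address. Storing the fd per source avoids the question: add `int fd;` to `struct frec_src`, set it next to the other fields in both the duplicate path and the new-frec path, and pass `src->fd` to `send_from()`. Both `forward_query()` and `reply_query()` start and end outside this hunk.
```c
  struct frec_src {
    union mysockaddr source;
    union all_addr dest;
    unsigned int iface, log_id;
    int fd;                 /* listener the query arrived on; used when replying */
    unsigned short orig_id;
    struct frec_src *next;
  } frec_src;
/* … unchanged: forward_query() up to the duplicate-merge block … */
          new->iface = dst_iface;
          new->fd = udpfd;
/* … unchanged: new-frec initialisation … */
      forward->frec_src.iface = dst_iface;
      forward->frec_src.fd = udpfd;
/* … unchanged: reply_query() up to the send loop … */
      for (src = &forward->frec_src; src; src = src->next)
        {
          header->id = htons(src->orig_id);
          /* … unchanged: dump_packet … */
          send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
                    &src->source, &src->dest, src->iface);
          /* … unchanged: extra logging for duplicates … */
        }
```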
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
new file mode 100644
index 0000000000..a6ffd37260
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
@@ -0,0 +1,63 @@ +From 6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 Dec 2020 18:35:11 +0000 +Subject: [PATCH] Small cleanups in frec_src datastucture handling. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + src/forward.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -364,7 +364,10 @@ static int forward_query(int udpfd, unio + if (!daemon->free_frec_src && + daemon->frec_src_count < daemon->ftabsize && + (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) +- daemon->frec_src_count++; ++ { ++ daemon->frec_src_count++; ++ daemon->free_frec_src->next = NULL; ++ } + + /* If we've been spammed with many duplicates, just drop the query. */ + if (daemon->free_frec_src) +@@ -401,6 +404,7 @@ static int forward_query(int udpfd, unio + forward->frec_src.orig_id = ntohs(header->id); + forward->frec_src.dest = *dst_addr; + forward->frec_src.iface = dst_iface; ++ forward->frec_src.next = NULL; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); +@@ -2261,16 +2265,16 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { +- struct frec_src *src, *tmp; +- +- /* add back to freelist of not the record builtin to every frec. */ +- for (src = f->frec_src.next; src; src = tmp) ++ struct frec_src *last; ++ ++ /* add back to freelist if not the record builtin to every frec. 
*/ ++ for (last = f->frec_src.next; last && last->next; last = last->next) ; ++ if (last) + { +- tmp = src->next; +- src->next = daemon->free_frec_src; +- daemon->free_frec_src = src; ++ last->next = daemon->free_frec_src; ++ daemon->free_frec_src = f->frec_src.next; + } +- ++ + f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; diff --git a/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service b/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service index 2980f7def6..ef2f3f7e41 100644 --- a/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service +++ b/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service @@ -8,7 +8,7 @@ PIDFile=/run/dnsmasq.pid ExecStartPre=/usr/bin/dnsmasq --test ExecStart=/usr/bin/dnsmasq -x /run/dnsmasq.pid -7 /etc/dnsmasq.d --local-service ExecStartPost=/usr/bin/dnsmasq-resolvconf-helper start -ExecStopPre=/usr/bin/dnsmasq-resolvconf-helper stop +ExecStop=/usr/bin/dnsmasq-resolvconf-helper stop ExecStop=/bin/kill $MAINPID ExecReload=/bin/kill -HUP $MAINPID diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch new file mode 100644 index 0000000000..5580cd409f --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch 
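Review bot: The patch header never says why a commit titled "Small cleanups in frec_src datastucture handling" is carried under CVE-2020-25686, so a maintainer rebasing the recipe could drop it as cosmetic; the `Comment:` line should state the dependency, e.g. `Comment: follow-up to the CVE-2020-25686 fix: initialises frec_src.next on the builtin record and on newly malloc'd frec_src entries so free_frec()'s tail walk never follows an unset link`. That is what the two `->next = NULL` assignments in forward_query() do, and it is the only reason the new tail-splice loop in free_frec() (`for (last = f->frec_src.next; last && last->next; last = last->next) ;`) is safe; whether whine_malloc() already zero-fills is not visible here and should be confirmed before relying on the wording. The empty-body `for (...) ;` is upstream style and should stay byte-identical in a backport, though a trailing `/* find tail */` would make the intent scannable if this ever becomes a local patch.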
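Review bot: Turning the bogus `ExecStopPre=` into a second `ExecStop=` makes the helper run at last, but it now sits in the stop path proper: if `dnsmasq-resolvconf-helper stop` exits non-zero, systemd records the stop as failed and, as far as I recall the multi-command semantics, does not run the following `ExecStop=/bin/kill $MAINPID` (dnsmasq is still terminated by the KillMode signal, so the service stops either way). Since this is resolver-state cleanup rather than stopping the daemon, `ExecStopPost=-/usr/bin/dnsmasq-resolvconf-helper stop` fits better: it runs after the main process is gone, also when dnsmasq crashed or was killed, and the `-` prefix keeps a failing resolvconf update from marking the unit failed. With that in place the explicit `ExecStop=/bin/kill $MAINPID` duplicates systemd's default SIGTERM and can be dropped, but that is optional. Please confirm the skip-on-failure behaviour against the systemd version shipped by this layer.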
@@ -0,0 +1,30 @@
+From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12674
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
+--
+2.11.0
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
index f86235076e..3f87714dcc 100644
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
@@ -13,11 +13,11 @@
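Review bot: `Upstream-Status: Backport [...]` cites an Ubuntu debian tarball although the upstream commit id is already in the `From` line, so the backport cannot be verified against its origin; the OE convention is a URL that resolves to the commit, e.g. `Upstream-Status: Backport [https://github.com/dovecot/core/commit/bd9d2fe7da833f0e4705a8280efc56930371806b]`, with the tarball kept in `Comment:` if it was the actual source. On the code itself, `if (p + len > end || len == 0)` forms a pointer beyond `end` before comparing it, which is technically undefined; `len` comes from a single byte (`len = *p++`) so the overshoot is bounded in practice, but `len == 0 || len > (size_t)(end - p)` states the same bound without the out-of-range pointer. That rewrite belongs upstream rather than in this backport, so I'd only note it here.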
Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> configure.ac | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) -diff --git a/configure.ac b/configure.ac -index 3b32614..94ec002 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -519,13 +519,10 @@ have_ioloop=no +Index: dovecot-2.2.36.4/configure.ac +=================================================================== +--- dovecot-2.2.36.4.orig/configure.ac ++++ dovecot-2.2.36.4/configure.ac +@@ -490,13 +490,10 @@ have_ioloop=no if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[ @@ -34,7 +34,7 @@ index 3b32614..94ec002 100644 ], [ i_cv_epoll_works=yes ], [ -@@ -653,7 +650,7 @@ fi +@@ -596,7 +593,7 @@ fi dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it. dnl * It may also be broken in AIX. AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ @@ -43,7 +43,7 @@ index 3b32614..94ec002 100644 #define _XOPEN_SOURCE 600 #include <stdio.h> #include <stdlib.h> -@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate( #if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7) possibly broken posix_fallocate #endif @@ -52,7 +52,7 @@ index 3b32614..94ec002 100644 int fd = creat("conftest.temp", 0600); int ret; if (fd == -1) { -@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate( } ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0; unlink("conftest.temp"); @@ -61,6 +61,3 @@ index 3b32614..94ec002 100644 ], [ i_cv_posix_fallocate_works=yes ], [ --- -1.8.4.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch index 65ae9bf910..3170ae8658 100644 
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch @@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> src/doveadm/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am -index c644646..6ae9144 100644 ---- a/src/doveadm/Makefile.am -+++ b/src/doveadm/Makefile.am -@@ -180,8 +180,8 @@ test_libs = \ +Index: dovecot-2.2.36.4/src/doveadm/Makefile.am +=================================================================== +--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am ++++ dovecot-2.2.36.4/src/doveadm/Makefile.am +@@ -182,8 +182,8 @@ test_libs = \ ../lib/liblib.la test_deps = $(noinst_LTLIBRARIES) $(test_libs) @@ -33,6 +33,3 @@ index c644646..6ae9144 100644 test_doveadm_util_DEPENDENCIES = $(test_deps) check: check-am check-test --- -2.14.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch new file mode 100644 index 0000000000..583f71ca58 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch 
@@ -0,0 +1,76 @@ +From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:33:31 +0300 +Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish() + helper function + +--- + src/lib-mail/message-parser.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index b1de1950a..aaa8dd8b7 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent) + return part; + } + ++static void message_part_finish(struct message_parser_ctx *ctx) ++{ ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part = ctx->part->parent; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_boundary *boundary, + struct message_block *block_r, bool first_line) + { +- struct message_part *part; + size_t line_size; + + i_assert(ctx->last_boundary == NULL); + + /* get back to parent MIME part, summing the child MIME part sizes + into parent's body sizes */ +- for (part = ctx->part; part != boundary->part; part = part->parent) { +- message_size_add(&part->parent->body_size, &part->body_size); +- message_size_add(&part->parent->body_size, &part->header_size); ++ while (ctx->part != boundary->part) { ++ message_part_finish(ctx); ++ i_assert(ctx->part != NULL); + } +- i_assert(part != 
NULL); +- ctx->part = part; + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx, + i_assert(ctx->input->eof || ctx->input->closed || + ctx->input->stream_errno != 0 || + ctx->broken_reason != NULL); +- while (ctx->part->parent != NULL) { +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->body_size); +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->header_size); +- ctx->part = ctx->part->parent; +- } ++ while (ctx->part->parent != NULL) ++ message_part_finish(ctx); + } + + if (block_r->size == 0) { +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch new file mode 100644 index 0000000000..9f24320ebf --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch 
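Review bot: In parse_part_finish() the new loop `while (ctx->part != boundary->part) { message_part_finish(ctx); i_assert(ctx->part != NULL); }` checks the invariant after the dereference, not before it: message_part_finish() reads `ctx->part->parent->body_size`, so if boundary->part were ever not an ancestor of ctx->part the walk would reach the root and dereference its NULL parent before the assert fires. The removed code had the same weakness (`part->parent->body_size` inside the for loop, `i_assert(part != NULL)` after it), so this is not a regression, but since the helper is being introduced here the right place for the check is its first line, `i_assert(ctx->part->parent != NULL);`, after which the post-hoc assert in the caller can go. Whether boundary->part can fall outside the ancestor chain depends on boundary_find(), which is outside this hunk.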
@@ -0,0 +1,71 @@ +From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:34:22 +0300 +Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append() + to do all work internally + +--- + src/lib-mail/message-parser.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index aaa8dd8b7..2edf3e7a6 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx, + return 1; + } + +-static struct message_part * +-message_part_append(pool_t pool, struct message_part *parent) ++static void ++message_part_append(struct message_parser_ctx *ctx) + { ++ struct message_part *parent = ctx->part; + struct message_part *p, *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | + MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0); + +- part = p_new(pool, struct message_part, 1); ++ part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; + for (p = parent; p != NULL; p = p->parent) + p->children_count++; +@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent) + list = &(*list)->next; + + *list = part; +- return part; ++ ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = 
message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + return parse_next_header_init(ctx, block_r); + } + +@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + static int parse_next_mime_header_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME; + + return parse_next_header_init(ctx, block_r); +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch new file mode 100644 index 0000000000..81aead8aad --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch 
@@ -0,0 +1,37 @@
+Backport of:
+
+From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12673
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st
+ if (length == 0 && space == 0)
+ return 1;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return 0;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return 0;
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
new file mode 100644
index 0000000000..e530902350
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
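Review bot: The added `if (length > data_size)` bounds `length` on its own and the existing `if (offset >= data_size)` bounds `offset` on its own, but both pass while `offset + length` still exceeds `data_size`, which is exactly the over-read the commit message says it prevents. The remainder of ntlmssp_check_buffer() is outside the hunk; unless it already compares the sum (for instance via `space`), add `if (length > data_size - offset) { *error = "buffer end out of bounds"; return 0; }` after the offset check, written as a subtraction so a 32-bit `offset` cannot wrap an addition. The `Backport of:` prefix and the missing `index` line show the hunk was hand-adapted from the Ubuntu package, so `Upstream-Status` should point at the upstream commit `1c6405d3026e5ceae3d214d63945bba85251af4c` for verification instead of the debian tarball.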
@@ -0,0 +1,49 @@
+From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:36:48 +0300
+Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating
+ children_count
+
+---
+ src/lib-mail/message-parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 2edf3e7a6..05768a058 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -171,7 +171,7 @@ static void
+ message_part_append(struct message_parser_ctx *ctx)
+ {
+ struct message_part *parent = ctx->part;
+- struct message_part *p, *part, **list;
++ struct message_part *part, **list;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx)
+
+ part = p_new(ctx->part_pool, struct message_part, 1);
+ part->parent = parent;
+- for (p = parent; p != NULL; p = p->parent)
+- p->children_count++;
+
+ /* set child position */
+ part->physical_pos =
+@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ {
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
++ ctx->part->parent->children_count += 1 + ctx->part->children_count;
+ ctx->part = ctx->part->parent;
+ }
+
+--
+2.11.0
+
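Review bot: Moving the ancestor update out of message_part_append() and into message_part_finish() (`ctx->part->parent->children_count += 1 + ctx->part->children_count;`) changes when `children_count` is valid: it used to be maintained incrementally on every append, and it is now complete only after every descendant has been finished, i.e. after parse_part_finish() or the end-of-input loop in message_parser_parse_next_block() has unwound the tree. Any caller that inspects `message_part.children_count` while parsing is still in progress would now see a partial count; I cannot see such callers from here, but the new invariant should be written down at the point that creates it, e.g. `/* children_count is only complete once this part has been finished */` above the `+=` line. `Comment: No change in any hunk` is accurate for the diff text but does not flag that this patch only works on top of 0001's helper, which is worth a word for whoever reorders the series later.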
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch new file mode 100644 index 0000000000..ba6667fa99 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch 
@@ -0,0 +1,90 @@ +From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:00:38 +0300 +Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part + to linked list + +--- + src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c +=================================================================== +--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c ++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c +@@ -1,7 +1,7 @@ + /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */ + + #include "lib.h" +-#include "buffer.h" ++#include "array.h" + #include "str.h" + #include "istream.h" + #include "rfc822-parser.h" +@@ -34,6 +34,9 @@ struct message_parser_ctx { + const char *last_boundary; + struct message_boundary *boundaries; + ++ struct message_part **next_part; ++ ARRAY(struct message_part **) next_part_stack; ++ + size_t skip; + char last_chr; + unsigned int want_count; +@@ -171,7 +174,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *part, **list; ++ struct message_part *part; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -186,16 +189,27 @@ message_part_append(struct message_parse + parent->body_size.physical_size + + parent->header_size.physical_size; + +- list = &part->parent->children; +- while (*list != NULL) +- list = &(*list)->next; ++ /* add to parent's linked list */ ++ *ctx->next_part = part; ++ /* update the parent's end-of-linked-list pointer */ ++ 
struct message_part **next_part = &part->next; ++ array_append(&ctx->next_part_stack, &next_part, 1); ++ /* This part is now the new parent for the next message_part_append() ++ call. Its linked list begins with the children pointer. */ ++ ctx->next_part = &part->children; + +- *list = part; + ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) + { ++ struct message_part **const *parent_next_partp; ++ unsigned int count = array_count(&ctx->next_part_stack); ++ ++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1); ++ array_delete(&ctx->next_part_stack, count-1, 1); ++ ctx->next_part = *parent_next_partp; ++ + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); + ctx->part->parent->children_count += 1 + ctx->part->children_count; +@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st + ctx = message_parser_init_int(input, hdr_flags, flags); + ctx->part_pool = part_pool; + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); ++ ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); + return ctx; + } + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch new file mode 100644 index 0000000000..4e63509b45 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch 
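Review bot: message_part_finish() reads the popped stack slot after removing it: `parent_next_partp = array_idx(&ctx->next_part_stack, count-1); array_delete(&ctx->next_part_stack, count-1, 1); ctx->next_part = *parent_next_partp;` dereferences a pointer into storage that array_delete() has just released. This only works because deleting the last element of a dovecot array leaves the bytes in place, an implementation detail of buffer_delete() that nothing in this hunk guarantees; copying first, `ctx->next_part = *parent_next_partp;` and then `array_delete(...)`, removes the dependency at no cost. There is also no `i_assert(count > 0);` ahead of `count-1`, so an unbalanced finish would wrap to UINT_MAX and rely on array_idx()'s own bounds assertion; making the push/pop pairing with message_part_append() explicit documents the contract. As upstream code this is best fixed upstream and carried as a follow-up patch rather than edited inside the backport.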
@@ -0,0 +1,45 @@
+From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:10:07 +0300
+Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to
+ finding the end of boundary line
+
+---
+ src/lib-mail/message-parser.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index ff4e09e5a..6c6a680b5 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ }
+
+ /* need to find the end of line */
+- if (memchr(data + 2, '\n', size - 2) == NULL &&
+- size < BOUNDARY_END_MAX_LEN &&
++ data += 2;
++ size -= 2;
++ if (memchr(data, '\n', size) == NULL &&
++ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+
+- data += 2;
+- size -= 2;
+-
+ *boundary_r = boundary_find(ctx->boundaries, data, size);
+ if (*boundary_r == NULL)
+ return -1;
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
new file mode 100644
index 0000000000..1012d7983e
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
@@ -0,0 +1,163 @@ +From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:53:12 +0300 +Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long + MIME boundaries + +RFC 2046 requires that the boundaries are a maximum of 70 characters +(excluding the "--" prefix and suffix). We allow 80 characters for a bit of +extra safety. Anything longer than that is truncated and treated the same +as if it was just 80 characters. +--- + src/lib-mail/message-parser.c | 7 ++- + src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 6c6a680b5..92f541b02 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -10,7 +10,8 @@ + + /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix. + We'll add a bit more just in case. 
*/ +-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10) ++#define BOUNDARY_STRING_MAX_LEN (70 + 10) ++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + struct message_boundary { + struct message_boundary *next; +@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx, + rfc2231_parse(&parser, &results); + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { ++ /* truncate excessively long boundaries */ + ctx->last_boundary = +- p_strdup(ctx->parser_pool, results[1]); ++ p_strndup(ctx->parser_pool, results[1], ++ BOUNDARY_STRING_MAX_LEN); + break; + } + } +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 1f1aa1437..94aa3eb7c 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void) + test_end(); + } + ++static void test_message_parser_long_mime_boundary(void) ++{ ++ /* Close the boundaries in wrong reverse order. But because all ++ boundaries are actually truncated to the same size (..890) it ++ works the same as if all of them were duplicate boundaries. 
*/ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n" ++"\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n" ++"\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n" ++"\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"1\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: text/plain\n" ++"\n" ++"22\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: text/plain\n" ++"\n" ++"333\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"4444\n"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts, *part; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser long mime boundary"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ part = parts; ++ test_assert(part->children_count == 6); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 126); ++ test_assert(part->header_size.virtual_size 
== 126+2); ++ test_assert(part->body_size.lines == 22); ++ test_assert(part->body_size.physical_size == 871); ++ test_assert(part->body_size.virtual_size == 871+22); ++ ++ part = parts->children; ++ test_assert(part->children_count == 5); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 125); ++ test_assert(part->header_size.virtual_size == 125+2); ++ test_assert(part->body_size.lines == 19); ++ test_assert(part->body_size.physical_size == 661); ++ test_assert(part->body_size.virtual_size == 661+19); ++ ++ part = parts->children->children; ++ test_assert(part->children_count == 4); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 124); ++ test_assert(part->header_size.virtual_size == 124+2); ++ test_assert(part->body_size.lines == 16); ++ test_assert(part->body_size.physical_size == 453); ++ test_assert(part->body_size.virtual_size == 453+16); ++ ++ part = parts->children->children->children; ++ for (unsigned int i = 1; i <= 3; i++, part = part->next) { ++ test_assert(part->children_count == 0); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 26); ++ test_assert(part->header_size.virtual_size == 26+2); ++ test_assert(part->body_size.lines == 0); ++ test_assert(part->body_size.physical_size == i); ++ test_assert(part->body_size.virtual_size == i); ++ } ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + int main(void) + { + static void (*test_functions[])(void) = { +@@ -654,6 +748,7 @@ int main(void) + test_message_parser_garbage_suffix_mime_boundary, + test_message_parser_continuing_mime_boundary, + 
test_message_parser_continuing_truncated_mime_boundary, ++ test_message_parser_long_mime_boundary, + test_message_parser_no_eoh, + NULL + }; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch new file mode 100644 index 0000000000..eeb6c96f1a --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch 
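Review bot: The truncation `p_strndup(ctx->parser_pool, results[1], BOUNDARY_STRING_MAX_LEN)` is the substantive CVE-2020-12100 mitigation in this series, yet its one user-visible consequence is described only in the new test's comment: distinct boundaries that agree on their first 80 bytes collapse into one, so a message using two such boundaries is now structured as if they were duplicates. That trade-off belongs at the truncation site, where the next maintainer will look, e.g. `/* Over-long boundaries are truncated; boundaries sharing their first BOUNDARY_STRING_MAX_LEN bytes then become indistinguishable, accepted to bound work on hostile input. */`. The existing RFC 2046 comment already justifies the 70 + 10 slack, which is good. The test pins exact child counts and byte sizes that depend on the constant, so a one-line note next to `#define BOUNDARY_STRING_MAX_LEN` that test-message-parser.c must be updated with it would prevent a confusing failure if the limit is ever tuned.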
@@ -0,0 +1,72 @@ +From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 13:06:02 +0300 +Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups + when exact boundary is found + +When an exact boundary is found, there's no need to continue looking for +more boundaries. +--- + src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 92f541b02..c2934c761 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries, + while (boundaries != NULL) { + if (boundaries->len <= len && + memcmp(boundaries->boundary, data, boundaries->len) == 0 && +- (best == NULL || best->len < boundaries->len)) ++ (best == NULL || best->len < boundaries->len)) { + best = boundaries; ++ if (best->len == len) { ++ /* This is exactly the wanted boundary. There ++ can't be a better one. 
*/ ++ break; ++ } ++ } + + boundaries = boundaries->next; + } +@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx, + /* need to find the end of line */ + data += 2; + size -= 2; +- if (memchr(data, '\n', size) == NULL && ++ const unsigned char *lf_pos = memchr(data, '\n', size); ++ if (lf_pos == NULL && + size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } +- +- *boundary_r = boundary_find(ctx->boundaries, data, size); ++ size_t find_size = size; ++ ++ if (lf_pos != NULL) { ++ find_size = lf_pos - data; ++ if (find_size > 0 && data[find_size-1] == '\r') ++ find_size--; ++ if (find_size > 2 && data[find_size-1] == '-' && ++ data[find_size-2] == '-') ++ find_size -= 2; ++ } else if (find_size > BOUNDARY_END_MAX_LEN) ++ find_size = BOUNDARY_END_MAX_LEN; ++ ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size); + if (*boundary_r == NULL) + return -1; + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch new file mode 100644 index 0000000000..4af070a879 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch 
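Review bot: Stripping a trailing `--` unconditionally before the lookup (`if (find_size > 2 && data[find_size-1] == '-' && data[find_size-2] == '-') find_size -= 2;`) breaks declared boundaries that themselves end in `--`, which RFC 2046 allows since `-` is a bchar. For boundary `abc--` the delimiter line `--abc--` is now looked up as `abc`, and boundary_find() requires `boundaries->len <= len`, so the 5-byte boundary no longer matches where the previous unbounded prefix search did; the closing line `--abc----` is affected the same way. A minimal fix retries with the two dashes restored when the stripped lookup fails; the exact-length early exit in boundary_find() still gets the stripped form for the common case, so well-formed mail pays nothing. This is upstream logic, so it should go upstream and be carried here as an additional patch rather than edited inside the backport.

```c
	size_t find_size = size;
	bool stripped_dashes = FALSE;

	if (lf_pos != NULL) {
		find_size = lf_pos - data;
		/* … unchanged: strip trailing '\r' … */
		if (find_size > 2 && data[find_size-1] == '-' &&
		    data[find_size-2] == '-') {
			find_size -= 2;
			stripped_dashes = TRUE;
		}
	} else if (find_size > BOUNDARY_END_MAX_LEN)
		find_size = BOUNDARY_END_MAX_LEN;

	*boundary_r = boundary_find(ctx->boundaries, data, find_size);
	if (*boundary_r == NULL && stripped_dashes) {
		/* the declared boundary may itself end in "--" */
		*boundary_r = boundary_find(ctx->boundaries, data,
					    find_size + 2);
	}
	if (*boundary_r == NULL)
		return -1;
```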
@@ -0,0 +1,50 @@ +From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 14:53:27 +0300 +Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until() + helper function + +--- + src/lib-mail/message-parser.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index c2934c761..028f74159 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void ++boundary_remove_until(struct message_parser_ctx *ctx, ++ struct message_boundary *boundary) ++{ ++ ctx->boundaries = boundary; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +- ctx->boundaries = boundary->next; ++ boundary_remove_until(ctx, boundary->next); + } else { + /* forget about the boundaries we possibly skipped */ +- ctx->boundaries = boundary; ++ boundary_remove_until(ctx, boundary); + } + + /* the boundary itself should already be in buffer. add that. */ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch new file mode 100644 index 0000000000..aade7dc2b3 --- /dev/null 
+++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch 
@@ -0,0 +1,169 @@ +From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 15:00:57 +0300 +Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for + parser + +This reduces memory usage when parsing many MIME parts where boundaries are +being added and removed constantly. +--- + src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 028f74159..8970d8e0e 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -17,14 +17,14 @@ struct message_boundary { + struct message_boundary *next; + + struct message_part *part; +- const char *boundary; ++ char *boundary; + size_t len; + + unsigned int epilogue_found:1; + }; + + struct message_parser_ctx { +- pool_t parser_pool, part_pool; ++ pool_t part_pool; + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; +@@ -32,7 +32,7 @@ struct message_parser_ctx { + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + +- const char *last_boundary; ++ char *last_boundary; + struct message_boundary *boundaries; + + struct message_part **next_part; +@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void message_boundary_free(struct message_boundary *b) ++{ ++ i_free(b->boundary); ++ i_free(b); ++} ++ + static void + boundary_remove_until(struct message_parser_ctx *ctx, + struct message_boundary *boundary) + { ++ while (ctx->boundaries != boundary) { ++ struct 
message_boundary *cur = ctx->boundaries; ++ ++ i_assert(cur != NULL); ++ ctx->boundaries = cur->next; ++ message_boundary_free(cur); ++ ++ } + ctx->boundaries = boundary; + } + +@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; + +- b = p_new(ctx->parser_pool, struct message_boundary, 1); ++ b = i_new(struct message_boundary, 1); + b->part = ctx->part; + b->boundary = ctx->last_boundary; ++ ctx->last_boundary = NULL; + b->len = strlen(b->boundary); + + b->next = ctx->boundaries; + ctx->boundaries = b; +- +- ctx->last_boundary = NULL; + } + + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, +@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_block *block_r, bool first_line) + { + size_t line_size; ++ size_t boundary_len = boundary->len; ++ bool boundary_epilogue_found = boundary->epilogue_found; + + i_assert(ctx->last_boundary == NULL); + +@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + i_assert(block_r->data[0] == '\n'); + line_size = 1; + } +- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0); ++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 
2 : 0); + i_assert(block_r->size >= ctx->skip + line_size); + block_r->size = line_size; + parse_body_add_block(ctx, block_r); +@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx, + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { + /* truncate excessively long boundaries */ ++ i_free(ctx->last_boundary); + ctx->last_boundary = +- p_strndup(ctx->parser_pool, results[1], +- BOUNDARY_STRING_MAX_LEN); ++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN); + break; + } + } +@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(!ctx->multipart); + part->flags = 0; + } +- ctx->last_boundary = NULL; ++ i_free(ctx->last_boundary); + + if (!ctx->part_seen_content_type || + (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) { +@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input, + enum message_parser_flags flags) + { + struct message_parser_ctx *ctx; +- pool_t pool; + +- pool = pool_alloconly_create("Message Parser", 1024); +- ctx = p_new(pool, struct message_parser_ctx, 1); +- ctx->parser_pool = pool; ++ ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; + ctx->input = input; +@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; +- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); ++ i_array_init(&ctx->next_part_stack, 4); + return ctx; + } + +@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); ++ boundary_remove_until(ctx, NULL); + i_stream_unref(&ctx->input); +- pool_unref(&ctx->parser_pool); ++ if (array_is_created(&ctx->next_part_stack)) ++ array_free(&ctx->next_part_stack); ++ 
i_free(ctx->last_boundary); ++ i_free(ctx); + i_assert(ret < 0 || *parts_r != NULL); + return ret; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..ae52544665 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch 
@@ -0,0 +1,188 @@ +From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 16:59:40 +0300 +Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number + of nested MIME parts + +The default is to allow 100 nested MIME parts. When the limit is reached, +the innermost MIME part's body contains all the rest of the inner bodies +until a parent MIME part is reached. +--- + src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++------- + src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++ + 2 files changed, 67 insertions(+), 7 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 8970d8e0e..721615f76 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -13,6 +13,8 @@ + #define BOUNDARY_STRING_MAX_LEN (70 + 10) + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + ++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++ + struct message_boundary { + struct message_boundary *next; + +@@ -28,9 +30,11 @@ struct message_parser_ctx { + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; ++ unsigned int nested_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; ++ unsigned int max_nested_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx) + ctx->next_part = &part->children; + + ctx->part = part; ++ ctx->nested_parts_count++; ++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); + } + + static void message_part_finish(struct 
message_parser_ctx *ctx) +@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx) + struct message_part **const *parent_next_partp; + unsigned int count = array_count(&ctx->next_part_stack); + ++ i_assert(ctx->nested_parts_count > 0); ++ ctx->nested_parts_count--; ++ + parent_next_partp = array_idx(&ctx->next_part_stack, count-1); + array_delete(&ctx->next_part_stack, count-1, 1); ++ + ctx->next_part = *parent_next_partp; + + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); +@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block) + return FALSE; + } + ++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) ++{ ++ return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++} ++ + #define MUTEX_FLAGS \ + (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART) + +@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx, + "\n--boundary" belongs to us or to a previous boundary. + this is a problem if the boundary prefixes are identical, + because MIME requires only the prefix to match. */ +- parse_next_body_multipart_init(ctx); +- ctx->multipart = TRUE; ++ if (!parse_too_many_nested_mime_parts(ctx)) { ++ parse_next_body_multipart_init(ctx); ++ ctx->multipart = TRUE; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART; ++ } + } + + /* before parsing the header see if we can find a --boundary from here. 
+@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(ctx->last_boundary == NULL); + ctx->multipart = FALSE; + ctx->parse_next_block = parse_next_body_to_boundary; +- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) ++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 && ++ !parse_too_many_nested_mime_parts(ctx)) { + ctx->parse_next_block = parse_next_body_message_rfc822_init; +- else if (ctx->boundaries != NULL) +- ctx->parse_next_block = parse_next_body_to_boundary; +- else +- ctx->parse_next_block = parse_next_body_to_eof; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822; ++ if (ctx->boundaries != NULL) ++ ctx->parse_next_block = parse_next_body_to_boundary; ++ else ++ ctx->parse_next_block = parse_next_body_to_eof; ++ } + + ctx->want_count = 1; + +@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input, + ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; ++ ctx->max_nested_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); + boundary_remove_until(ctx, NULL); ++ /* caller might have stopped the parsing early */ ++ i_assert(ctx->nested_parts_count == 0 || ++ i_stream_have_bytes_left(ctx->input)); ++ + i_stream_unref(&ctx->input); + if (array_is_created(&ctx->next_part_stack)) + array_free(&ctx->next_part_stack); +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 94aa3eb7c..481d05942 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void) + test_end(); + } + ++static void test_message_parser_stop_early(void) ++{ ++ struct 
message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ unsigned int i; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser stop early"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(test_msg); ++ ++ test_istream_set_allow_eof(input, FALSE); ++ for (i = 1; i <= TEST_MSG_LEN+1; i++) { ++ i_stream_seek(input, 0); ++ test_istream_set_size(input, i); ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == 0); ++ message_parser_deinit(&parser, &parts); ++ } ++ ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_truncated_mime_headers(void) + { + static const char input_msg[] = +@@ -740,6 +770,7 @@ int main(void) + { + static void (*test_functions[])(void) = { + test_message_parser_small_blocks, ++ test_message_parser_stop_early, + test_message_parser_truncated_mime_headers, + test_message_parser_truncated_mime_headers2, + test_message_parser_truncated_mime_headers3, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..52848bf3a7 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch 
@@ -0,0 +1,87 @@ +From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 17:09:33 +0300 +Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number + of MIME parts + +The default is to allow 10000 MIME parts. When it's reached, no more +MIME boundary lines will be recognized, so the rest of the mail belongs +to the last added MIME part. +--- + src/lib-mail/message-parser.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 721615f76..646307802 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -14,6 +14,7 @@ + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 + + struct message_boundary { + struct message_boundary *next; +@@ -31,10 +32,12 @@ struct message_parser_ctx { + struct message_part *parts, *part; + const char *broken_reason; + unsigned int nested_parts_count; ++ unsigned int total_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + unsigned int max_nested_mime_parts; ++ unsigned int max_total_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx) + + ctx->part = part; + ctx->nested_parts_count++; ++ ctx->total_parts_count++; + i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); ++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ 
-296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + return -1; + } + ++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) { ++ /* can't add any more MIME parts. just stop trying to find ++ more boundaries. */ ++ return -1; ++ } ++ + /* need to find the end of line */ + data += 2; + size -= 2; +@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input, + ctx->flags = flags; + ctx->max_nested_mime_parts = + MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; ++ ctx->max_total_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ ctx->total_parts_count = 1; + i_array_init(&ctx->next_part_stack, 4); + return ctx; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch new file mode 100644 index 0000000000..a81177d2ba --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch 
@@ -0,0 +1,133 @@ +From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 2 Jul 2020 17:31:19 +0300 +Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries + +Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab +--- + src/lib-mail/message-parser.c | 14 ++++++++---- + src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 646307802..175d4b488 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx, + + static struct message_boundary * + boundary_find(struct message_boundary *boundaries, +- const unsigned char *data, size_t len) ++ const unsigned char *data, size_t len, bool trailing_dashes) + { + struct message_boundary *best = NULL; + +@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries, + memcmp(boundaries->boundary, data, boundaries->len) == 0 && + (best == NULL || best->len < boundaries->len)) { + best = boundaries; +- if (best->len == len) { ++ /* If we see "foo--", it could either mean that there ++ is a boundary named "foo" that ends now or there's ++ a boundary "foo--" which continues. */ ++ if (best->len == len || ++ (best->len == len-2 && trailing_dashes)) { + /* This is exactly the wanted boundary. There + can't be a better one. 
*/ + break; +@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + return 0; + } + size_t find_size = size; ++ bool trailing_dashes = FALSE; + + if (lf_pos != NULL) { + find_size = lf_pos - data; +@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + find_size--; + if (find_size > 2 && data[find_size-1] == '-' && + data[find_size-2] == '-') +- find_size -= 2; ++ trailing_dashes = TRUE; + } else if (find_size > BOUNDARY_END_MAX_LEN) + find_size = BOUNDARY_END_MAX_LEN; + +- *boundary_r = boundary_find(ctx->boundaries, data, find_size); ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size, ++ trailing_dashes); + if (*boundary_r == NULL) + return -1; + +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 481d05942..113454ea0 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -510,6 +510,51 @@ static const char input_msg[] = + test_end(); + } + ++static void test_message_parser_trailing_dashes(void) ++{ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"a--\"\n" ++"\n" ++"--a--\n" ++"Content-Type: multipart/mixed; boundary=\"a----\"\n" ++"\n" ++"--a----\n" ++"Content-Type: text/plain\n" ++"\n" ++"body\n" ++"--a------\n" ++"Content-Type: text/html\n" ++"\n" ++"body2\n" ++"--a----"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser trailing dashes"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ test_assert(parts->children_count == 2); ++ test_assert(parts->children->next == NULL); ++ 
test_assert(parts->children->children_count == 1); ++ test_assert(parts->children->children->next == NULL); ++ test_assert(parts->children->children->children_count == 0); ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_continuing_mime_boundary(void) + { + static const char input_msg[] = +@@ -777,6 +822,7 @@ int main(void) + test_message_parser_empty_multipart, + test_message_parser_duplicate_mime_boundary, + test_message_parser_garbage_suffix_mime_boundary, ++ test_message_parser_trailing_dashes, + test_message_parser_continuing_mime_boundary, + test_message_parser_continuing_truncated_mime_boundary, + test_message_parser_long_mime_boundary, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch new file mode 100644 index 0000000000..97068345fb --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch 
@@ -0,0 +1,32 @@ +From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Wed, 27 May 2020 11:35:55 +0300 +Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts() + +This was originally correct, until it was "optimized" wrong and got merged. +--- + src/lib-mail/message-parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 175d4b488..5b11772ff 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block) + + static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) + { +- return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts; + } + + #define MUTEX_FLAGS \ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch new file mode 100644 index 0000000000..44f6564f89 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch 
@@ -0,0 +1,27 @@ +From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001 +From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi> +Date: Tue, 19 Sep 2017 13:26:57 +0300 +Subject: [PATCH] lib: buffer_free(NULL) should be a no-op + +--- + src/lib/buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib/buffer.c ++++ b/src/lib/buffer.c +@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf) + { + struct real_buffer *buf = (struct real_buffer *)*_buf; + ++ if (buf == NULL) ++ return; ++ + *_buf = NULL; + if (buf->alloced) + p_free(buf->pool, buf->w_buffer); diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb index 0f7fad2b24..29905196b6 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb 
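Review bot: `Comment: No change in any hunk` does not explain why a 2017 commit titled `lib: buffer_free(NULL) should be a no-op` is part of a CVE-2020-12100 backport series, so someone auditing the CVE tags cannot tell whether it is a prerequisite of the message-parser patches or an unrelated fix picked up from the Ubuntu tarball. If it is a prerequisite, say so, e.g. `Comment: Prerequisite for the CVE-2020-12100 message-parser backports; no change in any hunk`; if it is not, the `CVE:` tag should be dropped so cve-check does not attribute the fix to it.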
@@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://dovecot.service \ file://dovecot.socket \ file://0001-doveadm-Fix-parallel-build.patch \ + file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \ + file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \ + file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \ + file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \ + file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \ + file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \ + file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \ + file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \ + file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \ + file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \ + file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ + file://buffer_free_fix.patch \ + file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ + file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" @@ -67,3 +83,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \ FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a" FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so" FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug" + +# CVE-2016-4983 affects only postinstall script on specific distribution +CVE_CHECK_WHITELIST += "CVE-2016-4983" diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb index 5dabdd51d0..cad2fa7d71 100644 --- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb +++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb 
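Review bot: The justification for `CVE_CHECK_WHITELIST += "CVE-2016-4983"` is too vague to re-audit: "specific distribution" names neither the distribution nor the script, so a later maintainer cannot confirm after a version bump that the whitelist still holds. Name both in the comment, e.g. `# CVE-2016-4983 is in the postinstall script of <DISTRIBUTION>'s dovecot package, not in the upstream sources built here` (placeholder to be filled in), so the exclusion can be checked against the advisory rather than taken on trust.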
@@ -8,13 +8,14 @@ SECTION = "admin" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018" -SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \ - git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \ +SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \ + git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \ ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \ " # v9.12.0 SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052" SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66" +SRCREV_FORMAT = "drbd-utils_drbd-headers" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb index ed5c3a9799..8301c65bfa 100644 --- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb +++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250" S = "${WORKDIR}/git" SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa" -SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \ +SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \ file://run-ptest \ " diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 4271c2e155..0efcbec1fc 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb 
@@ -10,7 +10,7 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" -SRC_URI = "git://github.com/maxmind/geoip-api-c.git \ +SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb index 125b59e760..9c15490dcb 100644 --- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb +++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb @@ -9,7 +9,7 @@ inherit manpages MAN_PKG = "${PN}" SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992" -SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https" +SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb index ad0ec27001..59e540a710 100644 --- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb +++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5" SRC_URI = "\ - git://github.com/nmav/ipcalc.git;protocol=https; \ + git://github.com/nmav/ipcalc.git;protocol=https;branch=master \ file://0001-Makefile-pass-extra-linker-flags.patch \ " diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb index 3cabc4ff8d..7a229c7b1e 100644 --- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb 
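Review bot: The three GeoIP database downloads on the context lines next to the changed git URL still use plain `http://sources.openembedded.org/...`, so their integrity rests entirely on the per-name `SRC_URI[GeoIP-dat.sha256sum]`, `SRC_URI[GeoIPv6-dat.sha256sum]` and `SRC_URI[GeoLiteCity-dat.sha256sum]` entries, which are outside this hunk and should be checked to exist. Since the commit is already moving the git fetch to `protocol=https`, switching those three lines to `https://sources.openembedded.org/...` would be consistent, provided the mirror serves TLS (not verifiable from here).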
+++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb @@ -14,7 +14,7 @@ PV .= "+git${SRCPV}" LK_REL = "1.0.18" SRC_URI = " \ - git://github.com/sctp/lksctp-tools.git \ + git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \ file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \ file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \ file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \ diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb index 5917cfb3e1..e073561655 100644 --- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb +++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "flex-native bison-native libnl python" PV = "0.3.1+git${SRCPV}" -SRC_URI = "git://github.com/linux-wpan/lowpan-tools \ +SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \ file://no-help2man.patch \ file://0001-Fix-build-errors-with-clang.patch \ file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \ diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb index dd150700a9..4db7f7bbf8 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.93.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "304349bad86229aedbc62c07d5e98a8292967991" -SRC_URI = "git://github.com/traviscross/mtr" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" S = "${WORKDIR}/git" 
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
index a63e49ec55..0876c6f354 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf"
-SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \
+SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
 file://0001-server-Fix-build-when-printf-is-a-macro.patch \
 "
diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
index 5f866052c6..d359b620b8 100644
--- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
+++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 PV = "1.0.4+git${SRCPV}"
 SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e"
-SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \
+SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \
 file://0001-replace-VLAIS-with-malloc-free-pair.patch \
 file://0002-Do-not-undef-_GNU_SOURCE.patch \
 file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \
diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
index 14d743f820..1e113de519 100644
--- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
+++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967
 inherit autotools
+CVE_PRODUCT = "netcat_project:netcat"
+
 do_install_append() {
 install -d ${D}${bindir}
 mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN}
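Review bot: The ndisc6 line `git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master` keeps the fetch on cleartext HTTP while every other recipe in this series is moved to `protocol=https`. The pinned `SRCREV` means git will reject substituted objects, so this is not an integrity hole, but an on-path attacker can still observe the fetch or withhold the branch, and it is the one inconsistency left in the change. Use `;protocol=https` if git.remlab.net serves it (not verifiable from here), otherwise add a comment on the line explaining why http is required so the next sweep does not flag it again.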
diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb index a180571f2d..af617ce922 100644 --- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb +++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f" SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4" PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/netcf.git;protocol=https \ +SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \ " UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))" diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb index d48f3aeabd..f6ea211f7a 100644 --- a/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-networking/recipes-support/netperf/netperf_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6" PV = "2.7.0+git${SRCPV}" -SRC_URI = "git://github.com/HewlettPackard/netperf.git \ +SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \ file://cpu_set.patch \ file://vfork.patch \ file://init \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch new file mode 100644 index 0000000000..ca181bb4b2 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch 
@@ -0,0 +1,31 @@ +From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Sun, 19 Apr 2020 09:12:24 -0700 +Subject: [PATCH] Earlier check for settings flood + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch] +Comment: No hunk refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + lib/nghttp2_session.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + break; + } + ++ /* Check the settings flood counter early to be safe */ ++ if (session->obq_flood_counter_ >= session->max_outbound_ack && ++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) { ++ return NGHTTP2_ERR_FLOODED; ++ } ++ + iframe->state = NGHTTP2_IB_READ_SETTINGS; + + if (iframe->payloadleft) { diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch new file mode 100644 index 0000000000..d3c57e9a80 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch 
@@ -0,0 +1,308 @@ +From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Fri, 17 Apr 2020 16:53:51 -0700 +Subject: [PATCH] Implement max settings option + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch] +Comment: No hunks refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + doc/CMakeLists.txt | 1 + + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++ + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_option.c | 5 +++ + lib/nghttp2_option.h | 5 +++ + lib/nghttp2_session.c | 21 ++++++++++++ + lib/nghttp2_session.h | 2 ++ + tests/main.c | 2 ++ + tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++ + tests/nghttp2_session_test.h | 1 + + 11 files changed, 124 insertions(+) + +Index: nghttp2-1.40.0/doc/CMakeLists.txt +=================================================================== +--- nghttp2-1.40.0.orig/doc/CMakeLists.txt ++++ nghttp2-1.40.0/doc/CMakeLists.txt +@@ -42,6 +42,7 @@ set(APIDOCS + nghttp2_option_set_no_recv_client_magic.rst + nghttp2_option_set_peer_max_concurrent_streams.rst + nghttp2_option_set_user_recv_extension_type.rst ++ nghttp2_option_set_max_settings.rst + nghttp2_pack_settings_payload.rst + nghttp2_priority_spec_check_default.rst + nghttp2_priority_spec_default_init.rst +Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h ++++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +@@ -229,6 +229,13 @@ typedef struct { + #define NGHTTP2_CLIENT_MAGIC_LEN 24 + + /** ++ * @macro ++ * ++ * The default max number of settings per SETTINGS frame ++ */ ++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32 ++ ++/** + * @enum + * + * Error codes used in this library. 
The code range is [-999, -500], +@@ -399,6 +406,11 @@ typedef enum { + */ + NGHTTP2_ERR_SETTINGS_EXPECTED = -536, + /** ++ * When a local endpoint receives too many settings entries ++ * in a single SETTINGS frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537, ++ /** + * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is + * under unexpected condition and processing was terminated (e.g., + * out of memory). If application receives this error code, it must +@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m + + /** + * @function ++ * ++ * This function sets the maximum number of SETTINGS entries per ++ * SETTINGS frame that will be accepted. If more than those entries ++ * are received, the peer is considered to be misbehaving and session ++ * will be closed. The default value is 32. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option, ++ size_t val); ++ ++/** ++ * @function + * + * Initializes |*session_ptr| for client use. The all members of + * |callbacks| are copied to |*session_ptr|. 
Therefore |*session_ptr| +Index: nghttp2-1.40.0/lib/nghttp2_helper.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c ++++ nghttp2-1.40.0/lib/nghttp2_helper.c +@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c + case NGHTTP2_ERR_FLOODED: + return "Flooding was detected in this HTTP/2 session, and it must be " + "closed"; ++ case NGHTTP2_ERR_TOO_MANY_SETTINGS: ++ return "SETTINGS frame contained more than the maximum allowed entries"; + default: + return "Unknown error code"; + } +Index: nghttp2-1.40.0/lib/nghttp2_option.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.c ++++ nghttp2-1.40.0/lib/nghttp2_option.c +@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack + option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK; + option->max_outbound_ack = val; + } ++ ++void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS; ++ option->max_settings = val; ++} +Index: nghttp2-1.40.0/lib/nghttp2_option.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.h ++++ nghttp2-1.40.0/lib/nghttp2_option.h +@@ -67,6 +67,7 @@ typedef enum { + NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9, + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, ++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + } nghttp2_option_flag; + + /** +@@ -86,6 +87,10 @@ struct nghttp2_option { + */ + size_t max_outbound_ack; + /** ++ * NGHTTP2_OPT_MAX_SETTINGS ++ */ ++ size_t max_settings; ++ /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. 
+ */ +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -458,6 +458,7 @@ static int session_new(nghttp2_session * + + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -521,6 +522,11 @@ static int session_new(nghttp2_session * + if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) { + (*session_ptr)->max_outbound_ack = option->max_outbound_ack; + } ++ ++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) && ++ option->max_settings) { ++ (*session_ptr)->max_settings = option->max_settings; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + iframe->max_niv = + iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1; + ++ if (iframe->max_niv - 1 > session->max_settings) { ++ rv = nghttp2_session_terminate_session_with_reason( ++ session, NGHTTP2_ENHANCE_YOUR_CALM, ++ "SETTINGS: too many setting entries"); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ return (ssize_t)inlen; ++ } ++ + iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) * + iframe->max_niv); + +@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter + if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) { + return NGHTTP2_ERR_INVALID_ARGUMENT; + } ++ /* SETTINGS frame contains too many settings */ ++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH ++ > session->max_settings) { ++ return NGHTTP2_ERR_TOO_MANY_SETTINGS; ++ } + rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload, + settings_payloadlen, mem); + if (rv != 0) { +Index: 
nghttp2-1.40.0/lib/nghttp2_session.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.h ++++ nghttp2-1.40.0/lib/nghttp2_session.h +@@ -267,6 +267,8 @@ struct nghttp2_session { + /* The maximum length of header block to send. Calculated by the + same way as nghttp2_hd_deflate_bound() does. */ + size_t max_send_header_block_length; ++ /* The maximum number of settings accepted per SETTINGS frame. */ ++ size_t max_settings; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +Index: nghttp2-1.40.0/tests/main.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/main.c ++++ nghttp2-1.40.0/tests/main.c +@@ -315,6 +315,8 @@ int main() { + test_nghttp2_session_set_local_window_size) || + !CU_add_test(pSuite, "session_cancel_from_before_frame_send", + test_nghttp2_session_cancel_from_before_frame_send) || ++ !CU_add_test(pSuite, "session_too_many_settings", ++ test_nghttp2_session_too_many_settings) || + !CU_add_test(pSuite, "session_removed_closed_stream", + test_nghttp2_session_removed_closed_stream) || + !CU_add_test(pSuite, "session_pause_data", +Index: nghttp2-1.40.0/tests/nghttp2_session_test.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c ++++ nghttp2-1.40.0/tests/nghttp2_session_test.c +@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be + nghttp2_session_del(session); + } + ++void test_nghttp2_session_too_many_settings(void) { ++ nghttp2_session *session; ++ nghttp2_option *option; ++ nghttp2_session_callbacks callbacks; ++ nghttp2_frame frame; ++ nghttp2_bufs bufs; ++ nghttp2_buf *buf; ++ ssize_t rv; ++ my_user_data ud; ++ nghttp2_settings_entry iv[3]; ++ nghttp2_mem *mem; ++ nghttp2_outbound_item *item; ++ ++ mem = nghttp2_mem_default(); ++ 
frame_pack_bufs_init(&bufs); ++ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.on_frame_recv_callback = on_frame_recv_callback; ++ callbacks.send_callback = null_send_callback; ++ ++ nghttp2_option_new(&option); ++ nghttp2_option_set_max_settings(option, 1); ++ ++ nghttp2_session_client_new2(&session, &callbacks, &ud, option); ++ ++ CU_ASSERT(1 == session->max_settings); ++ ++ nghttp2_option_del(option); ++ ++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE; ++ iv[0].value = 3000; ++ ++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE; ++ iv[1].value = 16384; ++ ++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2), ++ 2); ++ ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings); ++ ++ CU_ASSERT(0 == rv); ++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0); ++ ++ nghttp2_frame_settings_free(&frame.settings, mem); ++ ++ buf = &bufs.head->buf; ++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf)); ++ ++ ud.frame_recv_cb_called = 0; ++ ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ item = nghttp2_session_get_next_ob_item(session); ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); ++ ++ nghttp2_bufs_reset(&bufs); ++ nghttp2_bufs_free(&bufs); ++ nghttp2_session_del(session); ++} ++ + static void + prepare_session_removed_closed_stream(nghttp2_session *session, + nghttp2_hd_deflater *deflater) { +Index: nghttp2-1.40.0/tests/nghttp2_session_test.h +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h ++++ nghttp2-1.40.0/tests/nghttp2_session_test.h +@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior + void test_nghttp2_session_repeated_priority_submission(void); + void test_nghttp2_session_set_local_window_size(void); + void test_nghttp2_session_cancel_from_before_frame_send(void); ++void test_nghttp2_session_too_many_settings(void); + 
void test_nghttp2_session_removed_closed_stream(void); + void test_nghttp2_session_pause_data(void); + void test_nghttp2_session_no_closed_streams(void); +Index: nghttp2-1.40.0/doc/Makefile.am +=================================================================== +--- nghttp2-1.40.0.orig/doc/Makefile.am ++++ nghttp2-1.40.0/doc/Makefile.am +@@ -69,6 +69,7 @@ APIDOCS= \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ ++ nghttp2_option_set_max_settings.rst \ + nghttp2_pack_settings_payload.rst \ + nghttp2_priority_spec_check_default.rst \ + nghttp2_priority_spec_default_init.rst \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb index 9ed8c56420..b497058ca6 100644 --- a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb +++ b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb @@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases" SRC_URI = "\ https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \ file://0001-fetch-ocsp-response-use-python3.patch \ + file://CVE-2020-11080-1.patch \ + file://CVE-2020-11080-2.patch \ " SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c" SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073" diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb index bb401666c6..0c67f67d70 100644 --- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb +++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb @@ -14,7 +14,7 @@ and ypdomainname. \ # v4.2.3 SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab" -SRC_URI = "git://github.com/thkukuk/yp-tools \ +SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \ file://domainname.service \ " 
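Review bot: The two nghttp2 backports are listed in SRC_URI in the reverse of their upstream order: `CVE-2020-11080-1.patch` is commit f8da73bd dated 19 Apr 2020 while `CVE-2020-11080-2.patch` is commit 336a98fe dated 17 Apr 2020, and -2 is the one that introduces the `max_settings` option. Both headers say `No hunks refreshed`, so -2's `@@ -5694,6 +5700,16 @@` hunk in nghttp2_session.c will be applied with a six-line offset after -1 has inserted its early flood check above it; patch fuzz should cope, but listing `file://CVE-2020-11080-2.patch` before `file://CVE-2020-11080-1.patch` would match upstream and let both hunks land at their recorded offsets. Either way, confirm do_patch applies cleanly and that `nghttp2_strerror(NGHTTP2_ERR_TOO_MANY_SETTINGS)` is reachable in the built library.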
diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb
index a749b16593..43ed1abe38 100644
--- a/meta-networking/recipes-support/ntimed/ntimed_git.bb
+++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb
@@ -8,7 +8,7 @@ SECTION = "net"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44"
-SRC_URI = "git://github.com/bsdphk/Ntimed \
+SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \
 file://use-ldflags.patch"
 PV = "0.0+git${SRCPV}"
diff --git a/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch
new file mode 100644
index 0000000000..734c6f197b
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch
@@ -0,0 +1,340 @@ +ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5 + +Upstream-Status: Backport [https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch] +CVE: CVE-2023-26551 +CVE: CVE-2023-26552 +CVE: CVE-2023-26553 +CVE: CVE-2023-26554 +CVE: CVE-2023-26555 + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/ntp_fp.h | 4 +- + libntp/mstolfp.c | 108 +++++++++++++++------------------------ + ntpd/refclock_palisade.c | 50 +++++++++++++++--- + tests/libntp/strtolfp.c | 33 +++++++----- + 4 files changed, 104 insertions(+), 91 deletions(-) + +diff --git a/include/ntp_fp.h b/include/ntp_fp.h +index afd1f82..fe6e390 100644 +--- a/include/ntp_fp.h ++++ b/include/ntp_fp.h +@@ -195,9 +195,9 @@ typedef u_int32 u_fp; + do { \ + int32 add_f = (int32)(f); \ + if (add_f >= 0) \ +- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \ ++ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \ + else \ +- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \ ++ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \ + } while(0) + + #define M_ISNEG(v_i) /* v < 0 */ \ +diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c +index 3dfc4ef..a906d76 100644 +--- a/libntp/mstolfp.c ++++ b/libntp/mstolfp.c +@@ -14,86 +14,58 @@ mstolfp( + l_fp *lfp + ) + { +- register const char *cp; +- register char *bp; +- register const char *cpdec; +- char buf[100]; ++ int ch, neg = 0; ++ u_int32 q, r; + + /* + * We understand numbers of the form: + * + * [spaces][-|+][digits][.][digits][spaces|\n|\0] + * +- * This is one enormous hack. Since I didn't feel like +- * rewriting the decoding routine for milliseconds, what +- * is essentially done here is to make a copy of the string +- * with the decimal moved over three places so the seconds +- * decoding routine can be used. ++ * This is kinda hack. We use 'atolfp' to do the basic parsing ++ * (after some initial checks) and then divide the result by ++ * 1000. 
The original implementation avoided that by ++ * hacking up the input string to move the decimal point, but ++ * that needed string manipulations prone to buffer overruns. ++ * To avoid that trouble we do the conversion first and adjust ++ * the result. + */ +- bp = buf; +- cp = str; +- while (isspace((unsigned char)*cp)) +- cp++; + +- if (*cp == '-' || *cp == '+') { +- *bp++ = *cp++; +- } +- +- if (*cp != '.' && !isdigit((unsigned char)*cp)) +- return 0; +- ++ while (isspace(ch = *(const unsigned char*)str)) ++ ++str; + +- /* +- * Search forward for the decimal point or the end of the string. +- */ +- cpdec = cp; +- while (isdigit((unsigned char)*cpdec)) +- cpdec++; +- +- /* +- * Found something. If we have more than three digits copy the +- * excess over, else insert a leading 0. +- */ +- if ((cpdec - cp) > 3) { +- do { +- *bp++ = (char)*cp++; +- } while ((cpdec - cp) > 3); +- } else { +- *bp++ = '0'; ++ switch (ch) { ++ case '-': neg = TRUE; ++ case '+': ++str; ++ default : break; + } + +- /* +- * Stick the decimal in. If we've got less than three digits in +- * front of the millisecond decimal we insert the appropriate number +- * of zeros. +- */ +- *bp++ = '.'; +- if ((cpdec - cp) < 3) { +- size_t i = 3 - (cpdec - cp); +- do { +- *bp++ = '0'; +- } while (--i > 0); +- } ++ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.')) ++ return 0; ++ if (!atolfp(str, lfp)) ++ return 0; + +- /* +- * Copy the remainder up to the millisecond decimal. If cpdec +- * is pointing at a decimal point, copy in the trailing number too. ++ /* now do a chained/overlapping division by 1000 to get from ++ * seconds to msec. 1000 is small enough to go with temporary ++ * 32bit accus for Q and R. 
+ */ +- while (cp < cpdec) +- *bp++ = (char)*cp++; +- +- if (*cp == '.') { +- cp++; +- while (isdigit((unsigned char)*cp)) +- *bp++ = (char)*cp++; +- } +- *bp = '\0'; ++ q = lfp->l_ui / 1000u; ++ r = lfp->l_ui - (q * 1000u); ++ lfp->l_ui = q; + +- /* +- * Check to make sure the string is properly terminated. If +- * so, give the buffer to the decoding routine. +- */ +- if (*cp != '\0' && !isspace((unsigned char)*cp)) +- return 0; +- return atolfp(buf, lfp); ++ r = (r << 16) | (lfp->l_uf >> 16); ++ q = r / 1000u; ++ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu); ++ lfp->l_uf = q << 16; ++ q = r / 1000; ++ lfp->l_uf |= q; ++ r -= q * 1000u; ++ ++ /* fix sign */ ++ if (neg) ++ L_NEG(lfp); ++ /* round */ ++ if (r >= 500) ++ L_ADDF(lfp, (neg ? -1 : 1)); ++ return 1; + } +diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c +index cb68255..15c21d8 100644 +--- a/ntpd/refclock_palisade.c ++++ b/ntpd/refclock_palisade.c +@@ -1225,9 +1225,9 @@ palisade_poll ( + return; /* using synchronous packet input */ + + if(up->type == CLK_PRAECIS) { +- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) ++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) { + msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit); +- else { ++ } else { + praecis_msg = 1; + return; + } +@@ -1249,20 +1249,53 @@ praecis_parse ( + + pp = peer->procptr; + +- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length); ++ if (p + rbufp->recv_length >= sizeof buf) { ++ struct palisade_unit *up; ++ up = pp->unitptr; ++ ++ /* ++ * We COULD see if there is a \r\n in the incoming ++ * buffer before it overflows, and then process the ++ * current line. ++ * ++ * Similarly, if we already have a hunk of data that ++ * we're now flushing, that will cause the line of ++ * data we're in the process of collecting to be garbage. 
++ * ++ * Since we now check for this overflow and log when it ++ * happens, we're now in a better place to easily see ++ * what's going on and perhaps better choices can be made. ++ */ ++ ++ /* Do we need to log the size of the overflow? */ ++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow", ++ up->unit); ++ ++ p = 0; ++ praecis_msg = 0; ++ ++ refclock_report(peer, CEVNT_BADREPLY); ++ ++ return; ++ } ++ ++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length); + p += rbufp->recv_length; + +- if(buf[p-2] == '\r' && buf[p-1] == '\n') { ++ if ( p >= 2 ++ && buf[p-2] == '\r' ++ && buf[p-1] == '\n') { + buf[p-2] = '\0'; + record_clock_stats(&peer->srcadr, buf); + + p = 0; + praecis_msg = 0; + +- if (HW_poll(pp) < 0) ++ if (HW_poll(pp) < 0) { + refclock_report(peer, CEVNT_FAULT); +- ++ } + } ++ return; + } + + static void +@@ -1407,7 +1440,10 @@ HW_poll ( + + /* Edge trigger */ + if (up->type == CLK_ACUTIME) +- write (pp->io.fd, "", 1); ++ if (write (pp->io.fd, "", 1) != 1) ++ msyslog(LOG_WARNING, ++ "Palisade(%d) HW_poll: failed to send trigger: %m", ++ up->unit); + + if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { + #ifdef DEBUG +diff --git a/tests/libntp/strtolfp.c b/tests/libntp/strtolfp.c +index 6855d9b..9090159 100644 +--- a/tests/libntp/strtolfp.c ++++ b/tests/libntp/strtolfp.c +@@ -26,6 +26,13 @@ setUp(void) + return; + } + ++static const char* fmtLFP(const l_fp *e, const l_fp *a) ++{ ++ static char buf[100]; ++ snprintf(buf, sizeof(buf), "e=$%08x.%08x, a=$%08x.%08x", ++ e->l_ui, e->l_uf, a->l_ui, a->l_uf); ++ return buf; ++} + + void test_PositiveInteger(void) { + const char *str = "500"; +@@ -37,8 +44,8 @@ void test_PositiveInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ 
TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeInteger(void) { +@@ -54,8 +61,8 @@ void test_NegativeInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveFraction(void) { +@@ -68,8 +75,8 @@ void test_PositiveFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeFraction(void) { +@@ -85,8 +92,8 @@ void test_NegativeFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveMsFraction(void) { +@@ -100,9 +107,8 @@ void test_PositiveMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeMsFraction(void) { +@@ 
-118,9 +124,8 @@ void test_NegativeMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_InvalidChars(void) { +-- +2.25.1 + diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate index 17b64d1335..be3bacfcd1 100755 --- a/meta-networking/recipes-support/ntp/ntp/ntpdate +++ b/meta-networking/recipes-support/ntp/ntp/ntpdate @@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then fi ) & + +# wait for all subprocesses to finish +# this is required when using systemd service as ntpd will start before ntpdate finishes +# and results in a bind error (port 123) +wait diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index 7e168825e0..1a223db6fa 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb @@ -22,8 +22,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp.service \ file://sntp \ file://ntpd.list \ + file://CVE-2023-2655x.patch \ " - SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" inherit autotools update-rc.d useradd systemd pkgconfig 
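Review bot: In the new `mstolfp()` body the sign handling relies on an undocumented case fall-through, `case '-': neg = TRUE;` dropping into `case '+': ++str;`; it is correct, but it is exactly the shape `-Wimplicit-fallthrough` and static analysers flag, so add `/* FALLTHROUGH */` between the two labels (or split it into `case '-': neg = TRUE; ++str; break;`). In `praecis_parse()` the new guard `if (p + rbufp->recv_length >= sizeof buf)` is the actual overflow fix for the Palisade/Praecis input path, and the added `p >= 2` check before `buf[p-2]` closes the underflow on a short first packet; note that `buf` and `p` are declared above the hunk, so their types (and that `p` is a size, not an int) should be checked in the full file. Since this patch is a backport carrying five `CVE:` tags, it may also be worth stating in the header which hunk maps to which CVE so a future rebase does not drop part of the fix.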
@@ -61,6 +61,14 @@ PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging" PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +do_configure_append() { + # tests are generated but also checked-in to source control + # when CVE-2023-2655x.patch changes timestamp of test source file, Makefile detects it and tries to regenerate it + # however it fails because of missing ruby interpretter; adding ruby-native as dependency fixes it + # since the regenerated file is identical to the one from source control, touch the generated file instead of adding heavy dependency + touch ${S}/tests/libntp/run-strtolfp.c +} + do_install_append() { install -d ${D}${sysconfdir}/init.d install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir} diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb index a03b92f5fe..1bf7c48e09 100644 --- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb +++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb @@ -13,7 +13,7 @@ SECTION = "net" DEPENDS = "openssl" -SRC_URI = "git://github.com/open-iscsi/open-isns" +SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https" SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150" diff --git a/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb b/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb index 85634a70eb..6918485870 100644 --- a/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb +++ b/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb 
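Review bot: The `touch ${S}/tests/libntp/run-strtolfp.c` in the new `do_configure_append()` is keyed to one file and depends on do_configure running after do_patch, so any future patch that changes the timestamp of another generated `run-*.c` source will reintroduce the same missing-ruby failure without anyone noticing until the build breaks. Either touch every generated runner, e.g. `find ${S}/tests -name 'run-*.c' -exec touch {} +` (all of those files appear to be Unity-generated runners, worth confirming), or state in the comment that this list must be kept in sync with the patches that touch test sources. Minor: `interpretter` should read `interpreter` in the comment.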
@@ -38,7 +38,7 @@ S = "${WORKDIR}/OpenIPMI-${PV}" SRC_URI[md5sum] = "46b452e95d69c92e4172b3673ed88d52" SRC_URI[sha256sum] = "2244124579afb14e569f34393e9ac61e658a28b6ffa8e5c0d2c1c12a8ce695cd" -inherit autotools-brokensep pkgconfig python3native perlnative update-rc.d systemd cpan-base +inherit autotools-brokensep pkgconfig python3native perlnative update-rc.d systemd cpan-base python3targetconfig EXTRA_OECONF = "--disable-static \ --with-perl='${STAGING_BINDIR_NATIVE}/perl-native/perl' \ diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb index 529e3912bb..55e66036b7 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb @@ -14,8 +14,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba" -SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e" +SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc" +SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee" + +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb index 29499d6d7a..7fde88c447 100644 --- a/meta-networking/recipes-support/phytool/phytool.bb +++ b/meta-networking/recipes-support/phytool/phytool.bb 
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" PV = "2+git${SRCPV}" SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c" -SRC_URI = "git://github.com/wkz/phytool.git" +SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb index 15fd7ff663..5cb4e67c28 100644 --- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb +++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb @@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS_${PN} = "bash perl" BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}" -SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \ +SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \ file://0001-Remove-man-files-which-cant-be-built.patch \ " SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85" diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb index 0b63f79aca..d8a1f6140f 100644 --- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb +++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5" -SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git" +SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb index 1d56bea17c..ca683bf220 100644 --- a/meta-networking/recipes-support/spice/spice-protocol_git.bb +++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb 
@@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}" SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice-protocol \ + git://anongit.freedesktop.org/spice/spice-protocol;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb index 9d3a0e6cb5..3d47f5a54a 100644 --- a/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-networking/recipes-support/spice/spice_git.bb @@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671" SRCREV_FORMAT = "spice_spice-common" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice;name=spice \ - git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \ + git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \ + git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \ file://0001-Convert-pthread_t-to-be-numeric.patch \ file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \ " diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb index 9ee43be1ea..f07fb3b50c 100644 --- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb +++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb @@ -10,7 +10,7 @@ DEPENDS = "libusb1" SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092" SRC_URI = " \ - git://anongit.freedesktop.org/spice/usbredir \ + git://anongit.freedesktop.org/spice/usbredir;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch new file mode 100644 index 0000000000..b7118ba1fb --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch 
@@ -0,0 +1,62 @@ +From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 17:52:08 +0200 +Subject: [PATCH] Reject RSASSA-PSS params with negative salt length + +The `salt_len` member in the struct is of type `ssize_t` because we use +negative values for special automatic salt lengths when generating +signatures. + +Not checking this could lead to an integer overflow. The value is assigned +to the `len` field of a chunk (`size_t`), which is further used in +calculations to check the padding structure and (if that is passed by a +matching crafted signature value) eventually a memcpy() that will result +in a segmentation fault. + +Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") +Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") +Fixes: CVE-2021-41990 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990] +CVE: CVE-2021-41990 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/keys/signature_params.c | 6 +++++- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c +index d89bd2c96bb5..837de8443d43 100644 +--- a/src/libstrongswan/credentials/keys/signature_params.c ++++ b/src/libstrongswan/credentials/keys/signature_params.c +@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) + case RSASSA_PSS_PARAMS_SALT_LEN: + if (object.len) + { +- params->salt_len = (size_t)asn1_parse_integer_uint64(object); ++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object); ++ if (params->salt_len < 0) ++ { ++ goto end; ++ } + } + break; + case RSASSA_PSS_PARAMS_TRAILER: +diff --git 
a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index f9bd1d314dec..3a775090883e 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + int i; + bool success = FALSE; + +- if (!params) ++ if (!params || params->salt_len < 0) + { + return FALSE; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch new file mode 100644 index 0000000000..2d898fa5cf --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch 
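Review bot: The `Upstream-Status: Backport [...]` line in this patch header points at the advisory directory rather than at the specific backport patch file that was applied, unlike the CVE-2021-45079, CVE-2022-40617 and CVE-2023-41913 patches in the same series, which reference the exact `strongswan-<range>_*.patch`; referencing the file makes it possible to check later that the version range covers 5.8.4. On the code itself, the `(ssize_t)` cast followed by `params->salt_len < 0` in rsa_pss_params_parse rejects any encoded salt length that wraps negative, and the extra `params->salt_len < 0` test in verify_emsa_pss_signature guards callers that build the params without parsing; both enclosing functions continue outside the hunk.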
@@ -0,0 +1,41 @@ +From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 19:38:22 +0200 +Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change + +random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually +equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added +directly to that offset before applying`% CACHE_SIZE` to get an index into +the cache array. If the random value was very high, this resulted in an +integer overflow and a negative index value and, therefore, an out-of-bounds +access of the array and in turn dereferencing invalid pointers when trying +to acquire the read lock. This most likely results in a segmentation fault. + +Fixes: 764e8b2211ce ("reimplemented certificate cache") +Fixes: CVE-2021-41991 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991] +CVE: CVE-2021-41991 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/sets/cert_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c +index f1579c60a9bc..ceebb3843725 100644 +--- a/src/libstrongswan/credentials/sets/cert_cache.c ++++ b/src/libstrongswan/credentials/sets/cert_cache.c +@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, + for (try = 0; try < REPLACE_TRIES; try++) + { + /* replace a random relation */ +- offset = random(); ++ offset = random() % CACHE_SIZE; + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[(i + offset) % CACHE_SIZE]; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch new file mode 100644 index 0000000000..97aa6a0efc --- /dev/null 
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch 
@@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, 
get_identifier, uint8_t, +diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. 
++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case 
NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch new file mode 100644 index 0000000000..66e5047125 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch 
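Review bot: The new `goto failure` in server_process_eap and the `case FAILED: default:` arm in process_client turn a `FAILED` from `get_msk()` into an authentication failure, yet the hunk only converts eap_gtc, eap_md5 and eap_radius to `NOT_SUPPORTED`; any other EAP method in the 5.8.4 tree whose get_msk still returns FAILED to mean "this method has no MSK" would now fail authentication rather than proceed as before. Since this is the 5.5.0–5.9.4 upstream patch applied to 5.8.4 it probably covers everything in-tree, but grepping `src/libcharon/plugins/*/` for `get_msk` implementations that return FAILED before merging would confirm that. Both enclosing functions start and end outside the hunk.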
@@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... 
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. 
+ +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if 
(!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic 
validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch new file mode 100644 index 0000000000..c0de1f1588 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch 
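Review bot: The online revocation pass added at the tail of verify_trust_chain walks `current = issuer` through the rules from `auth->create_enumerator(auth)` and stops at the first `AUTH_RULE_CA_CERT`, so it silently depends on `auth_cfg_t` enumerating the IM_CERT rules and then the CA_CERT rule in the exact order the first loop added them; if that order is not guaranteed, an intermediate could be checked against the wrong issuer or skipped entirely. A comment stating the assumption would at least make it visible, e.g. `/* relies on auth rules being enumerated in insertion order: IM_CERTs then CA_CERT */`. The head of verify_trust_chain and the first loop's tail are outside the hunk, so I cannot see whether the rule order is already documented there.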
@@ -0,0 +1,46 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch] +CVE: CVE-2023-41913 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(diffie_hellman_t, set_other_public_value, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a8809243a..9f676d0b18 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb 
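Review bot: The added guard calls `key_exchange_verify_pubkey()`, but the `Upstream-Status` line names the `strongswan-5.3.0-5.9.6` backport while the hunk-header context (`METHOD(key_exchange_t, get_shared_secret, ...)`) suggests the patch was taken from a tree after the diffie_hellman_t to key_exchange_t rename; in 5.8.4 that helper is, as far as I recall, still `diffie_hellman_verify_value()`. Because charon-tkm is only compiled when the tkm option is enabled, an undefined function here would not show up in a default build, so confirm which name 5.8.4 exports and adjust the call, e.g. `if (!diffie_hellman_verify_value(this->group, value) ||`. The `value.len > sizeof(othervalue.data)` comparison is the part that actually closes the overflow and is correct either way.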
@@ -11,6 +11,11 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://fix-funtion-parameter.patch \ file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ + file://CVE-2021-41990.patch \ + file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ + file://CVE-2023-41913.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb index 3411e5d0c7..8f6de571f3 100644 --- a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb +++ b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb @@ -6,7 +6,7 @@ SECTION = "net" # a combined work based on stunnel. Thus, the terms and conditions of the GNU # General Public License cover the whole combination. LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING.md;md5=d6d635d290ba1705821254a0278f1ef7" +LIC_FILES_CHKSUM = "file://COPYING.md;md5=6bae28875b3b599f8f621f4335b17955" DEPENDS = "autoconf-archive libnsl2 openssl" @@ -14,8 +14,7 @@ SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz \ file://fix-openssl-no-des.patch \ " -SRC_URI[md5sum] = "01b0ca9e071f582ff803a85d5ed72166" -SRC_URI[sha256sum] = "7384bfb356b9a89ddfee70b5ca494d187605bb516b4fff597e167f97e2236b22" +SRC_URI[sha256sum] = "af5ab973dde11807c38735b87bdd87563a47d2fa1c72a07929fcfce80a600fe1" inherit autotools diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch new file mode 100644 index 0000000000..84d4716f38 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch 
@@ -0,0 +1,71 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+CVE: CVE-2020-8037
+Upstream-Status: Backport
+Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
+
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 89176172..33fb0341 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+ return 0;
+ }
+
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
++ u_int caplen = ndo->ndo_snapend - p;
+ u_char *b, *t, c;
+ const u_char *s;
+- int i, proto;
++ u_int i;
++ int proto;
+ const void *se;
+
++ if (caplen == 0)
++ return;
++
+ if (length <= 0)
+ return;
+
+- b = (u_char *)malloc(length);
++ b = (u_char *)malloc(caplen);
+ if (b == NULL)
+ return;
+
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++ for (s = p, t = b, i = caplen; i != 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i <= 1 || !ND_TTEST(*s))
++ if (i <= 1)
+ break;
+ i--;
+ c = *s++ ^ 0x20;
+--
+2.17.1
+
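Review bot: `u_int caplen = ndo->ndo_snapend - p;` narrows a pointer difference to an unsigned int, so the only case the new `if (caplen == 0) return;` catches is p sitting exactly at the snapshot end; if p were ever past `ndo_snapend` the difference wraps to a huge caplen and `malloc(caplen)` plus the un-escape loop would run off the captured data. A guard such as `if (p >= ndo->ndo_snapend) return;` before the subtraction makes that intent explicit rather than relying on the equality case. Whether p can exceed the snapshot end on entry depends on the callers of ppp_hdlc, which are outside this hunk. Bounding the loop on caplen instead of `ND_TTEST(*s)` is consistent with the new allocation, since every byte in [p, p+caplen) is captured.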
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
new file mode 100644
index 0000000000..5f5c68ccd6
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
@@ -0,0 +1,111 @@
+From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 30 Sep 2020 11:37:30 -0700
+Subject: [PATCH] Handle very large -f files by rejecting them.
+
+_read(), on Windows, has a 32-bit size argument and a 32-bit return
+value, so reject -f files that have more than 2^31-1 characters.
+
+Add some #defines so that, on Windows, we use _fstati64 to get the size
+of that file, to handle large files.
+
+Don't assume that our definition for ssize_t is the same size as size_t;
+by the time we want to print the return value of the read, we know it'll
+fit into an int, so just cast it to int and print it with %d.
+
+(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ netdissect-stdinc.h | 16 +++++++++++++++-
+ tcpdump.c | 15 ++++++++++++---
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
+index 8282c5846..9941c2a16 100644
+--- a/netdissect-stdinc.h
++++ b/netdissect-stdinc.h
+@@ -149,10 +149,17 @@
+ #ifdef _MSC_VER
+ #define stat _stat
+ #define open _open
+-#define fstat _fstat
+ #define read _read
+ #define close _close
+ #define O_RDONLY _O_RDONLY
++
++/*
++ * We define our_fstat64 as _fstati64, and define our_statb as
++ * struct _stati64, so we get 64-bit file sizes.
++ */
++#define our_fstat _fstati64
++#define our_statb struct _stati64
++
+ #endif /* _MSC_VER */
+
+ /*
+@@ -211,6 +218,13 @@ typedef char* caddr_t;
+
+ #include <arpa/inet.h>
+
++/*
++ * We should have large file support enabled, if it's available,
++ * so just use fstat as our_fstat and struct stat as our_statb.
++ */
++#define our_fstat fstat
++#define our_statb struct stat
++
+ #endif /* _WIN32 */
+
+ #ifndef HAVE___ATTRIBUTE__
+diff --git a/tcpdump.c b/tcpdump.c
+index 043bda1d7..8f27ba2a4 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n";
+ #endif /* HAVE_CAP_NG_H */
+ #endif /* HAVE_LIBCAP_NG */
+
++#include "netdissect-stdinc.h"
+ #include "netdissect.h"
+ #include "interface.h"
+ #include "addrtoname.h"
+@@ -861,15 +862,22 @@ read_infile(char *fname)
+ {
+ register int i, fd, cc;
+ register char *cp;
+- struct stat buf;
++ our_statb buf;
+
+ fd = open(fname, O_RDONLY|O_BINARY);
+ if (fd < 0)
+ error("can't open %s: %s", fname, pcap_strerror(errno));
+
+- if (fstat(fd, &buf) < 0)
++ if (our_fstat(fd, &buf) < 0)
+ error("can't stat %s: %s", fname, pcap_strerror(errno));
+
++ /*
++ * Reject files whose size doesn't fit into an int; a filter
++ * *that* large will probably be too big.
++ */
++ if (buf.st_size > INT_MAX)
++ error("%s is too large", fname);
++
+ cp = malloc((u_int)buf.st_size + 1);
+ if (cp == NULL)
+ error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
+@@ -878,7 +886,8 @@ read_infile(char *fname)
+ if (cc < 0)
+ error("read %s: %s", fname, pcap_strerror(errno));
+ if (cc != buf.st_size)
+- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
++ error("short read %s (%d != %d)", fname, (int) cc,
++ (int)buf.st_size);
+
+ close(fd);
+ /* replace "# comment" with spaces */
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 94543dd1da..66bf217751 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
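Review bot: The `CVE:` tag inside this patch (`CVE: CVE-2022-25308`) does not match the file name `CVE-2018-16301.patch` or the SRC_URI entry that adds it, and the embedded commit message describes the tcpdump `-f` file-size issue; cve-check reads `CVE:` tags from patch contents, so whichever identifier is the intended one has to be used in both places. If CVE-2022-25308 is not a tcpdump advisory the tag should be corrected to `CVE: CVE-2018-16301`, otherwise the file and the SRC_URI entry should be renamed to match. read_infile's body continues outside the embedded hunk, and the new `buf.st_size > INT_MAX` comparison relies on `<limits.h>` already being included, which this patch does not show.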
@@ -17,6 +17,8 @@ SRC_URI = " \
 file://avoid-absolute-path-when-searching-for-libdlpi.patch \
 file://add-ptest.patch \
 file://run-ptest \
+ file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
+ file://CVE-2018-16301.patch \
 "
 
 SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
@@ -49,3 +51,8 @@ do_install_append() {
 do_compile_ptest() {
 oe_runmake buildtest-TESTS
 }
+
+#https://nvd.nist.gov/vuln/detail/CVE-2020-8036
+#Introduce in 4.9 by 246ca110 Autosar SOME/IP protocol support
+#which does not exist in 4.9.3
+CVE_CHECK_WHITELIST += "CVE-2020-8036"
diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch
new file mode 100644
index 0000000000..3ca9a831f4
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch
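Review bot: The justification comment for `CVE_CHECK_WHITELIST += "CVE-2020-8036"` reads as self-contradictory: `#Introduce in 4.9 by 246ca110 Autosar SOME/IP protocol support` is followed by `#which does not exist in 4.9.3`. Presumably the meaning is that the SOME/IP dissector commit landed after the 4.9.x series, so the affected code is absent from 4.9.3; a wording like `# CVE-2020-8036 affects the Autosar SOME/IP dissector added by 246ca110, which is not present in 4.9.3` states that unambiguously. Since a whitelist entry silences the scanner for this recipe permanently, the reason should be precise enough that a later version bump knows when to remove it.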
@@ -0,0 +1,37 @@
+From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Mon, 3 Aug 2020 08:26:38 +0200
+Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER
+
+The test logic on datalen was inverted.
+
+Processing truncated packats should now raise a warning like the
+following:
+ Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets.
+
+Fixes #616 #617
+
+CVE: CVE-2020-24265
+CVE: CVE-2020-24266
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d]
+
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+ src/common/get.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index f9ee92d3..0517bf0a 100644
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink)
+ break;
+
+ case DLT_JUNIPER_ETHER:
+- if (datalen >= 5) {
++ if (datalen < 5) {
+ l2_len = -1;
+ break;
+ }
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
index 39be950ad4..557d323311 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
@@ -6,7 +6,8 @@ SECTION = "net"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8"
 
-SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz"
+SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \
+ file://CVE-2020-24265-and-CVE-2020-24266.patch"
 
 SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b"
 SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde"
diff --git a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb
index 19bbf03f1d..c1ad203bc0 100644
--- a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb
+++ b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb
@@ -19,8 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/traceroute/traceroute/${BP}/${BP}.tar.gz \
 file://filter-out-the-patches-from-subdirs.patch \
 "
 
-SRC_URI[md5sum] = "84d329d67abc3fb83fc8cb12aeaddaba"
-SRC_URI[sha256sum] = "3669d22a34d3f38ed50caba18cd525ba55c5c00d5465f2d20d7472e5d81603b6"
+SRC_URI[sha256sum] = "05ebc7aba28a9100f9bbae54ceecbf75c82ccf46bdfce8b5d64806459a7e0412"
 
 EXTRA_OEMAKE = "VPATH=${STAGING_LIBDIR}"
 
diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
index 6200214acb..f4b3c28ae4 100644
--- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
@@ -9,7 +9,7 @@ SECTION = "net"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06"
 
-SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \
+SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \
 file://0001-contrib-add-yocto-compatible-startup-scripts.patch \
 "
 SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5"
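Review bot: The unbound SRC_URI now carries both `protocol=http` and `protocol=https` in one URL (`git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https`); the existing parameter should have been replaced, not a second one appended. Which value the git fetcher honours for a repeated parameter is not something this diff shows, so the line should read `SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;branch=master \` to remove the ambiguity and make sure the clone cannot fall back to unencrypted http. The tcpreplay and traceroute hunks on this line raise nothing.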
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
new file mode 100644
index 0000000000..1fc4a5fe38
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
@@ -0,0 +1,93 @@
+From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: GDSDB: Make sure our offset advances.
+
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+
+Fixes #19068
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2022-0585 & CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 95fed7e..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
++++ b/epan/dissectors/packet-gdsdb.c
+@@ -15,6 +15,7 @@
+ #include "config.h"
+
+ #include <epan/packet.h>
++#include <epan/expert.h>
+
+ void proto_register_gdsdb(void);
+ void proto_reg_handoff_gdsdb(void);
+@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
+ static int hf_gdsdb_sqlresponse_messages = -1;
+ #endif
+
++static expert_field ei_gdsdb_invalid_length = EI_INIT;
++
+ enum
+ {
+ op_void = 0,
+@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
+ offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
+ length = dword_align(tvb_get_ntohl(tvb, offset))+4;
+ proto_item_set_len(ti, length);
+- return offset + length;
++ int ret_offset = offset + length;
++ if (length < 4 || ret_offset < offset) {
++ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
++ return tvb_reported_length(tvb);
++ }
++ return ret_offset;
+ }
+
+ static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
+@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
+ offset, 4, ENC_BIG_ENDIAN);
+
+ /* opcode < op_max */
++ int old_offset = offset;
+ offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
++ if (offset <= old_offset) {
++ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
++ return tvb_reported_length_remaining(tvb, old_offset);
++ }
+ if (offset < 0)
+ {
+ /* But at this moment we don't know how much we will need */
+@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
+ &ett_gdsdb_connect_pref
+ };
+
++/* Expert info */
++ static ei_register_info ei[] = {
++ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
++ "Invalid length", EXPFILL }},
++ };
++
+ proto_gdsdb = proto_register_protocol(
+ "Firebird SQL Database Remote Protocol",
+ "FB/IB GDS DB", "gdsdb");
+
+ proto_register_field_array(proto_gdsdb, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
++ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
++ expert_register_field_array(expert_gdsdb, ei, array_length(ei));
+ }
+
+ void
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
new file mode 100644
index 0000000000..938b7cf772
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
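Review bot: In add_uint_string, `int ret_offset = offset + length;` is computed before the new range check, so for a hostile 32-bit length from `tvb_get_ntohl` the signed addition overflows (undefined behaviour in C) and the later `ret_offset < offset` test is only a wrap-around heuristic; testing `length > INT_MAX - offset` before the addition, or doing the sum in an unsigned type, avoids relying on it. In dissect_gdsdb, the new `if (offset <= old_offset)` return makes the following `if (offset < 0)` branch unreachable whenever old_offset is non-negative, which the context lines suggest it always is, so that branch can be folded into the new check. Both enclosing functions start outside the embedded hunks.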
@@ -0,0 +1,52 @@
+From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 1 Dec 2022 20:46:15 -0500
+Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats
+
+The ofp_stats struct length field includes the fixed 4 bytes.
+If the length is smaller than that, report the length error
+and break out. In particular, a value of zero can cause
+infinite loops if this isn't done.
+
+
+(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db)
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f]
+CVE: CVE-2022-4345
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ epan/dissectors/packet-openflow_v6.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c
+index f3bd0ef..96a3233 100644
+--- a/epan/dissectors/packet-openflow_v6.c
++++ b/epan/dissectors/packet-openflow_v6.c
+@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ static int
+ dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
+ {
++ proto_item *ti;
+ guint32 stats_length;
+ int oxs_end;
+ guint32 padding;
+
+ proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA);
+
+- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
++ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
+
+ oxs_end = offset + stats_length;
+ offset+=4;
+
++ if (stats_length < 4) {
++ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short);
++ return offset;
++ }
++
+ while (offset < oxs_end) {
+ offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset);
+ }
+--
+2.40.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch
new file mode 100644
index 0000000000..e6fc158c3a
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch
@@ -0,0 +1,153 @@
+From 35418a73f7c9cefebe392b1ea0f012fccaf89801 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 19 Aug 2020 23:58:20 -0700
+Subject: [PATCH] Add format_text_string(), which gets the length with
+ strlen().
+
+format_text(alloc, string, strlen(string)) is a common idiom; provide
+format_text_string(), which does the strlen(string) for you. (Any
+string used in a %s to set the text of a protocol tree item, if it was
+directly extracted from the packet, should be run through a format_text
+routine, to ensure that it's valid UTF-8 and that control characters are
+handled correctly.)
+
+Update comments while we're at it.
+
+Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e
+Reviewed-on: https://code.wireshark.org/review/38202
+Petri-Dish: Guy Harris <gharris@sonic.net>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Guy Harris <gharris@sonic.net>
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801]
+Comment: to backport fix for CVE-2023-0667, add function format_text_string().
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/strutil.c | 33 ++++++++++++++++++++++++++++----
+ epan/strutil.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 76 insertions(+), 8 deletions(-)
+
+diff --git a/epan/strutil.c b/epan/strutil.c
+index 347a173..bc3b19e 100644
+--- a/epan/strutil.c
++++ b/epan/strutil.c
+@@ -193,10 +193,11 @@ get_token_len(const guchar *linep, const guchar *lineend,
+ #define UNPOOP 0x1F4A9
+
+ /*
+- * Given a string, expected to be in UTF-8 but possibly containing
+- * invalid sequences (as it may have come from packet data), generate
+- * a valid UTF-8 string from it, allocated with the specified wmem
+- * allocator, that:
++ * Given a wmem scope, a not-necessarily-null-terminated string,
++ * expected to be in UTF-8 but possibly containing invalid sequences
++ * (as it may have come from packet data), and the length of the string,
++ * generate a valid UTF-8 string from it, allocated in the specified
++ * wmem scope, that:
+ *
+ * shows printable Unicode characters as themselves;
+ *
+@@ -493,6 +494,30 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len)
+ return fmtbuf;
+ }
+
++/** Given a wmem scope and a null-terminated string, expected to be in
++ * UTF-8 but possibly containing invalid sequences (as it may have come
++ * from packet data), and the length of the string, generate a valid
++ * UTF-8 string from it, allocated in the specified wmem scope, that:
++ *
++ * shows printable Unicode characters as themselves;
++ *
++ * shows non-printable ASCII characters as C-style escapes (octal
++ * if not one of the standard ones such as LF -> '\n');
++ *
++ * shows non-printable Unicode-but-not-ASCII characters as
++ * their universal character names;
++ *
++ * shows illegal UTF-8 sequences as a sequence of bytes represented
++ * as C-style hex escapes;
++ *
++ * and return a pointer to it.
++ */
++gchar *
++format_text_string(wmem_allocator_t* allocator, const guchar *string)
++{
++ return format_text(allocator, string, strlen(string));
++}
++
+ /*
+ * Given a string, generate a string from it that shows non-printable
+ * characters as C-style escapes except a whitespace character
+diff --git a/epan/strutil.h b/epan/strutil.h
+index 2046cb0..705beb5 100644
+--- a/epan/strutil.h
++++ b/epan/strutil.h
+@@ -46,18 +46,61 @@ WS_DLL_PUBLIC
+ int get_token_len(const guchar *linep, const guchar *lineend,
+ const guchar **next_token);
+
+-/** Given a string, generate a string from it that shows non-printable
+- * characters as C-style escapes, and return a pointer to it.
++/** Given a wmem scope, a not-necessarily-null-terminated string,
++ * expected to be in UTF-8 but possibly containing invalid sequences
++ * (as it may have come from packet data), and the length of the string,
++ * generate a valid UTF-8 string from it, allocated in the specified
++ * wmem scope, that:
++ *
++ * shows printable Unicode characters as themselves;
++ *
++ * shows non-printable ASCII characters as C-style escapes (octal
++ * if not one of the standard ones such as LF -> '\n');
++ *
++ * shows non-printable Unicode-but-not-ASCII characters as
++ * their universal character names;
++ *
++ * shows illegal UTF-8 sequences as a sequence of bytes represented
++ * as C-style hex escapes;
++ *
++ * and return a pointer to it.
+ *
+ * @param allocator The wmem scope
+- * @param line A pointer to the input string
++ * @param string A pointer to the input string
+ * @param len The length of the input string
+ * @return A pointer to the formatted string
+ *
+ * @see tvb_format_text()
+ */
+ WS_DLL_PUBLIC
+-gchar* format_text(wmem_allocator_t* allocator, const guchar *line, size_t len);
++gchar* format_text(wmem_allocator_t* allocator, const guchar *string, size_t len);
++
++/** Given a wmem scope and a null-terminated string, expected to be in
++ * UTF-8 but possibly containing invalid sequences (as it may have come
++ * from packet data), and the length of the string, generate a valid
++ * UTF-8 string from it, allocated in the specified wmem scope, that:
++ *
++ * shows printable Unicode characters as themselves;
++ *
++ * shows non-printable ASCII characters as C-style escapes (octal
++ * if not one of the standard ones such as LF -> '\n');
++ *
++ * shows non-printable Unicode-but-not-ASCII characters as
++ * their universal character names;
++ *
++ * shows illegal UTF-8 sequences as a sequence of bytes represented
++ * as C-style hex escapes;
++ *
++ * and return a pointer to it.
++ *
++ * @param allocator The wmem scope
++ * @param string A pointer to the input string
++ * @return A pointer to the formatted string
++ *
++ * @see tvb_format_text()
++ */
++WS_DLL_PUBLIC
++gchar* format_text_string(wmem_allocator_t* allocator, const guchar *string);
+
+ /**
+ * Given a string, generate a string from it that shows non-printable
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch
new file mode 100644
index 0000000000..3fc5296073
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch
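Review bot: The doc comments added for format_text_string in both strutil.c and strutil.h say "a null-terminated string ... and the length of the string", but the new function takes no length (it derives it with strlen); the phrase was carried over from format_text's comment and should be dropped, so the opening reads `Given a wmem scope and a null-terminated string, expected to be in UTF-8 but possibly containing invalid sequences (as it may have come from packet data), generate a valid UTF-8 string from it, allocated in the specified wmem scope, that:`. The `@param` lines for the new function are correct; only the prose needs the edit.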
@@ -0,0 +1,66 @@
+From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 18 May 2023 18:06:36 -0400
+Subject: [PATCH] MS-MMS: Use format_text_string()
+
+The length of a string transcoded from UTF-16 to UTF-8 can be
+shorter (or longer) than the original length in bytes in the packet.
+Use the new string length, not the original length.
+
+Use format_text_string, which is a convenience function that
+calls strlen.
+
+Fix #19086
+
+(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b)
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a]
+CVE: CVE-2023-0667
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-ms-mms.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c
+index db1d2cc..3d5c7ee 100644
+--- a/epan/dissectors/packet-ms-mms.c
++++ b/epan/dissectors/packet-ms-mms.c
+@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro
+ transport_info, "Transport: (%s)", transport_info);
+
+ col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20));
++ format_text_string(pinfo->pool, (const guchar*)transport_info));
+
+
+ /* Try to extract details from this string */
+@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t
+ ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version);
+
+ col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')",
+- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version)));
++ format_text_string(pinfo->pool, (const guchar*)server_version));
+ }
+ offset += (server_version_length*2);
+
+@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_
+ ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info);
+
+ col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info)));
++ format_text_string(pinfo->pool, (const guchar*)player_info));
+ }
+
+ /* Dissect info about where client wants to start playing from */
+@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto
+ ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file);
+
+ col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)",
+- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file)));
++ format_text_string(pinfo->pool, (const guchar*)server_file));
+ }
+
+ /* Dissect media details from server */
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch
new file mode 100644
index 0000000000..42f8108301
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch
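Review bot: The four replacement calls pass `pinfo->pool` while the untouched context lines two lines above each of them still allocate with `wmem_packet_scope()`; the backport therefore depends on packet_info having a `pool` member in the Wireshark version this recipe builds, which the hunk cannot confirm. If that member is absent in this tree, `format_text_string(wmem_packet_scope(), (const guchar*)transport_info)` (and likewise for the other three calls) preserves the upstream fix while matching the surrounding allocator. The part of the fix that matters for the over-read is using the strlen of the transcoded UTF-8 string instead of `length_remaining - 20` derived from the UTF-16 packet bytes, and that is kept either way.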
@@ -0,0 +1,33 @@
+From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 20 May 2023 23:08:08 -0400
+Subject: [PATCH] synphasor: Use val_to_str_const
+
+Don't use a value from packet data to directly index a value_string,
+particularly when the value string doesn't cover all possible values.
+
+Fix #19087
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9]
+CVE: CVE-2023-0668
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-synphasor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c
+index 2d2f4ad..47120f5 100644
+--- a/epan/dissectors/packet-synphasor.c
++++ b/epan/dissectors/packet-synphasor.c
+@@ -1130,7 +1130,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c
+
+ data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
+ ett_conf_phflags, NULL, "Phasor Data flags: %s",
+- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown"));
+
+ /* first and second bytes - phasor modification flags*/
+ phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch
new file mode 100644
index 0000000000..2fbef6bae0
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch
@@ -0,0 +1,62 @@
+From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sun, 19 Mar 2023 15:16:39 -0400
+Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
+
+Add a frame end routine for a global which is assigned to packet
+scoped memory. It really should be made proto data, but is used
+in a function in the header (that doesn't take the packet info
+struct as an argument) and this fix needs to be made in stable
+branches.
+
+Fix #18852
+---
+Upstream-Status: Backport from [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff57413]
+CVE: CVE-2023-1992
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
+index 680187b2653..3f250f0ea1c 100644
+--- a/epan/dissectors/packet-rpcrdma.c
++++ b/epan/dissectors/packet-rpcrdma.c
+@@ -24,6 +24,7 @@
+ #include <epan/addr_resolv.h>
+
+ #include "packet-rpcrdma.h"
++#include "packet-frame.h"
+ #include "packet-infiniband.h"
+ #include "packet-iwarp-ddp-rdmap.h"
+
+@@ -285,6 +286,18 @@ void rpcrdma_insert_offset(gint offset)
+ wmem_array_append_one(gp_rdma_write_offsets, offset);
+ }
+
++/*
++ * Reset the array of write offsets at the end of the frame. These
++ * are packet scoped, so they don't need to be freed, but we want
++ * to ensure that the global doesn't point to no longer allocated
++ * memory in a later packet.
++ */
++static void
++reset_write_offsets(void)
++{
++ gp_rdma_write_offsets = NULL;
++}
++
+ /* Get conversation state, it is created if it does not exist */
+ static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
+ {
+@@ -1600,6 +1613,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
+ if (write_size > 0 && !pinfo->fd->visited) {
+ /* Initialize array of write chunk offsets */
+ gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
++ register_frame_end_routine(pinfo, reset_write_offsets);
+ TRY {
+ /*
+ * Call the upper layer dissector to get a list of offsets
+--
+GitLab
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
new file mode 100644
index 0000000000..a6370f91cf
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
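Review bot: The patch's `Upstream-Status:`, `CVE:` and `Signed-off-by:` lines sit after the `---` separator, so `git am` drops them from the commit message and tooling that parses the message body rather than the whole file will not see them; they should be moved above `---`, directly after `Fix #18852`. The Upstream-Status link also points at a personal fork namespace (`gitlab.com/colin.mcinnes/wireshark`) rather than the canonical wireshark/wireshark project; if the same commit id exists in the main repository that is the better reference. The added `reset_write_offsets` frame-end routine itself is sound: it only clears the global that `dissect_rpcrdma` points at packet-scoped memory, and it is registered on the same path that assigns it.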
@@ -0,0 +1,117 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+
+If the frame length is longer than the maximum, report an error in the
+file.
+
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 3eb17dd..954b509 100644
+--- a/wiretap/candump.c
++++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+ wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info);
+
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
++static gboolean
++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
++ gchar **err_info)
+ {
+ static const char *can_proto_name = "can-hostendian";
+ static const char *canfd_proto_name = "canfd";
+@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+
+ if (msg->is_fd)
+ {
+- canfd_frame_t canfd_frame;
++ canfd_frame_t canfd_frame = {0};
++
++ /*
++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
++ */
++ if (msg->data.length > CANFD_MAX_DLEN) {
++ *err = WTAP_ERR_BAD_FILE;
++ if (err_info != NULL) {
++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
++ msg->data.length, CANFD_MAX_DLEN);
++ }
++ return FALSE;
++ }
+
+- memset(&canfd_frame, 0, sizeof(canfd_frame));
+ canfd_frame.can_id = msg->id;
+ canfd_frame.flags = msg->flags;
+ canfd_frame.len = msg->data.length;
+@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ }
+ else
+ {
+- can_frame_t can_frame;
++ can_frame_t can_frame = {0};
++
++ /*
++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
++ */
++ if (msg->data.length > CAN_MAX_DLEN) {
++ *err = WTAP_ERR_BAD_FILE;
++ if (err_info != NULL) {
++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
++ msg->data.length, CAN_MAX_DLEN);
++ }
++ return FALSE;
++ }
+
+- memset(&can_frame, 0, sizeof(can_frame));
+- can_frame.can_id = msg->id;
++ can_frame.can_id = msg->id;
+ can_frame.can_dlc = msg->data.length;
+ memcpy(can_frame.data, msg->data.data, msg->data.length);
+
+@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+
+ rec->rec_header.packet_header.caplen = packet_length;
+ rec->rec_header.packet_header.len = packet_length;
++
++ return TRUE;
+ }
+
+ static gboolean
+@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+ ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+
+- candump_write_packet(rec, buf, &msg);
+-
+- return TRUE;
++ return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+
+ static gboolean
+@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+ if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+ return FALSE;
+
+- candump_write_packet(rec, buf, &msg);
+-
+- return TRUE;
++ return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+
+ /*
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
new file mode 100644
index 0000000000..1fb75353b4
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@@ -0,0 +1,68 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 84e3def..fa77689 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! 
have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..150b4609bb --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch 
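Review bot: `p += sizeof("Length ");` advances by 8 bytes, because sizeof counts the literal's terminating NUL, so p lands one byte beyond the matched text rather than at its end; when "Length " is the last thing on a line that was read without a trailing newline, that is one past the string terminator before `while (*p && ! g_ascii_isdigit(*p))` dereferences it. `p += sizeof("Length ") - 1;` keeps the skip equal to the matched prefix, and the following loop already steps over any non-digit that remains. The new `*err_info = g_strdup_printf("vms: Length field not found");` formats a constant with no arguments and could be plain `g_strdup(...)`, as the netscaler and netscreen patches in this same commit do for their fixed messages. parse_vms_packet begins and ends outside this hunk.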
@@ -0,0 +1,94 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 93da9a2..f835dfa 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, 
sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, 
Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch new file mode 100644 index 0000000000..3a81a3c714 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch @@ -0,0 +1,38 @@ +From 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Mon Sep 17 00:00:00 2001 +From: Jaap Keuter <jaap.keuter@xs4all.nl> +Date: Thu, 27 Jul 2023 20:21:19 +0200 +Subject: [PATCH] CP2179: Handle timetag info response without records + +Fixes #19229 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d] +CVE: CVE-2023-2906 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-cp2179.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c +index 142cac3..9fc9a47 100644 +--- a/epan/dissectors/packet-cp2179.c ++++ b/epan/dissectors/packet-cp2179.c +@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int + proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN); + + num_records = tvb_get_guint8(tvb, offset) & 0x7F; ++ offset += 1; ++ ++ if (num_records == 0 || numberofcharacters <= 1) ++ break; ++ + recordsize = (numberofcharacters-1) / num_records; + num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */ + +- offset += 1; +- + for (x = 0; x < num_records; x++) + { + cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1); +-- +2.25.1 + 
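Review bot: The page-boundary test kept in both PACKET_DESCRIBE macros, `(nstrace_buflen - nstrace_buf_offset) < sizeof(...)`, still subtracts the offset without first establishing that it is not already past the buffer length; if those fields are unsigned (their declarations are outside the hunk) an offset beyond the end wraps to a large value and the check passes. The three new v10 cases instead call `nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)`, and using that helper in the v10 macro as well — `if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktrace##fullpart##_v##ver##_t), err, err_info)) return FALSE;` — would make the bound check uniform, assuming the helper validates the offset before subtracting. The v20 macro frees nstrace_tmpbuff on its error path, so a replacement there would have to keep the `g_free(nstrace_tmpbuff);` before returning. nstrace_ensure_buflen and the enclosing read functions are defined outside this hunk.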
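Review bot: The new guard `if (num_records == 0 || numberofcharacters <= 1) break;` removes the division by zero but leaves `num_values = (recordsize-6) / 2;` unprotected: with fewer than 6 bytes per record, recordsize-6 goes negative (or wraps, if these are unsigned — the declarations are outside the hunk) and the per-record loop that follows works from a bogus value count. Extending the check to `if (num_records == 0 || numberofcharacters <= 1 || (numberofcharacters-1) / num_records < 6) break;`, or testing `recordsize < 6` immediately after it is computed, would cover that case. dissect_response_frame starts and ends outside this hunk, so the statement the `break` leaves is not visible here.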
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
new file mode 100644
index 0000000000..82098271ec
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,97 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index f59d899..6c1445f 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + 
+- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { 
+- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch new file mode 100644 index 0000000000..5e92bd8a28 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch 
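Review bot: The patch header is internally inconsistent: `From ce87eac0325581b600b3093fcd75080df14ccfda` names one commit while `Upstream-Status: Backport [...e18d0e369729b0fff5f76f41cbae67e97c2e52e5]` points at another, so someone auditing the CVE fix cannot tell which upstream change was actually applied; the same mismatch appears in CVE-2023-6175.patch (`From 2d59b26d...` versus `.../commit/3be1c991...`). The header should cite the commit the diff was taken from, with the other noted in the body if it is the original master change. In the code, the widened `unsigned docsis_start` and `unsigned docsis_length` only make `docsis_start + 6 + docsis_length <= remaining_length` safe from wrap-around if remaining_length is at least as wide; its declaration is outside the hunk, so that is worth confirming.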
@@ -0,0 +1,231 @@ +From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 24 Jun 2023 00:34:50 -0400 +Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress + +Use tvb_ functions that do bounds checking when parsing the +TargetAddress string, instead of incrementing a pointer to an +extracted char* and sometimes accidentally overrunning the +string. + +While we're there, go ahead and add support for IPv6 addresses. + +Fix #19164 + +(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c] +CVE: CVE-2023-3649 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++---------------- + 1 file changed, 75 insertions(+), 71 deletions(-) + +diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c +index 8a80f49..08f44a8 100644 +--- a/epan/dissectors/packet-iscsi.c ++++ b/epan/dissectors/packet-iscsi.c +@@ -20,8 +20,6 @@ + + #include "config.h" + +-#include <stdio.h> +- + #include <epan/packet.h> + #include <epan/prefs.h> + #include <epan/conversation.h> +@@ -29,6 +27,7 @@ + #include "packet-scsi.h" + #include <epan/crc32-tvb.h> + #include <wsutil/crc32.h> ++#include <wsutil/inet_addr.h> + #include <wsutil/strtoi.h> + + void proto_register_iscsi(void); +@@ -512,70 +511,81 @@ typedef struct _iscsi_conv_data { + dissector for the address/port that TargetAddress points to. 
+ (it starts to be common to use redirectors to point to non-3260 ports) + */ ++static address null_address = ADDRESS_INIT_NONE; ++ + static void +-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset) ++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset) + { +- address *addr = NULL; ++ address addr = ADDRESS_INIT_NONE; + guint16 port; +- char *value = wmem_strdup(wmem_packet_scope(), val); +- char *p = NULL, *pgt = NULL; +- +- if (value[0] == '[') { +- /* this looks like an ipv6 address */ +- p = strchr(value, ']'); +- if (p != NULL) { +- *p = 0; +- p += 2; /* skip past "]:" */ +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } ++ int colon_offset; ++ int end_offset; ++ char *ip_str, *port_str; ++ ++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':'); ++ if (colon_offset == -1) { ++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified, ++ * it is assumed to be the IANA-assigned default port for iSCSI", ++ * so nothing to do here. ++ */ ++ return; ++ } + +- /* can't handle ipv6 yet */ ++ /* We found a colon, so there's at least one byte and this won't fail. 
*/ ++ if (tvb_get_guint8(tvb, offset) == '[') { ++ offset++; ++ /* could be an ipv6 address */ ++ end_offset = tvb_find_guint8(tvb, offset, -1, ']'); ++ if (end_offset == -1) { ++ return; + } +- } else { +- /* This is either a ipv4 address or a dns name */ +- int i0,i1,i2,i3; +- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) { +- /* looks like a ipv4 address */ +- p = strchr(value, ':'); +- if (p != NULL) { +- char *addr_data; +- +- *p++ = 0; +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } + +- addr_data = (char *) wmem_alloc(wmem_packet_scope(), 4); +- addr_data[0] = i0; +- addr_data[1] = i1; +- addr_data[2] = i2; +- addr_data[3] = i3; +- +- addr = wmem_new(wmem_packet_scope(), address); +- addr->type = AT_IPv4; +- addr->len = 4; +- addr->data = addr_data; ++ /* look for the colon before the port, if any */ ++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':'); ++ if (colon_offset == -1) { ++ return; ++ } + +- if (!ws_strtou16(p, NULL, &port)) { +- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, +- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p); +- } +- } ++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr); ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII); ++ if (ws_inet_pton6(ip_str, ip6_addr)) { ++ /* looks like a ipv6 address */ ++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr); ++ } + ++ } else { ++ /* This is either a ipv4 address or a dns name */ ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII); ++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr); ++ if (ws_inet_pton4(ip_str, ip4_addr)) { ++ /* looks like a ipv4 address */ ++ set_address(&addr, AT_IPv4, 4, ip4_addr); + } ++ /* else a DNS host name; we could, theoretically, try to use ++ * name resolution information in the capture to lookup the address. 
++ */ + } + ++ /* Extract the port */ ++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ','); ++ int port_len; ++ if (end_offset == -1) { ++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1); ++ } else { ++ port_len = end_offset - (colon_offset + 1); ++ } ++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII); ++ if (!ws_strtou16(port_str, NULL, &port)) { ++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, ++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str); ++ return; ++ } + + /* attach a conversation dissector to this address/port tuple */ +- if (addr && !pinfo->fd->visited) { ++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) { + conversation_t *conv; + +- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2); ++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2); + if (conv == NULL) { + return; + } +@@ -587,30 +597,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, + static gint + addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) { + const gint limit = offset + text_len; ++ tvbuff_t *keyvalue_tvb; ++ int len, value_offset; + + while(offset < limit) { +- char *key = NULL, *value = NULL; +- gint len = tvb_strnlen(tvb, offset, limit - offset); +- +- if(len == -1) { +- len = limit - offset; +- } else { +- len = len + 1; +- } +- +- key = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII); +- if (key == NULL) { +- break; +- } +- value = strchr(key, '='); +- if (value == NULL) { ++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the ++ * last or only pair in a LTDS, MUST be followed by one null (0x00) ++ * delimiter. 
++ */ ++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len); ++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len); ++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '='); ++ if (value_offset == -1) { + break; + } +- *value++ = 0; ++ value_offset++; + +- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA); +- if (!strcmp(key, "TargetAddress")) { +- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2); ++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) { ++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset); + } + + offset += len; +@@ -2941,7 +2945,7 @@ proto_register_iscsi(void) + }, + { &hf_iscsi_KeyValue, + { "KeyValue", "iscsi.keyvalue", +- FT_STRING, BASE_NONE, NULL, 0, ++ FT_STRINGZ, BASE_NONE, NULL, 0, + "Key/value pair", HFILL } + }, + { &hf_iscsi_Text_F, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 0000000000..fbbdf0cfc3 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch 
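Review bot: In addTextKeys the new `proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len);` no longer bounds the key/value lookup by `limit`; the replaced code capped the scan with `tvb_strnlen(tvb, offset, limit - offset)` and used the remainder when no NUL was present, whereas, as I understand FT_STRINGZ with length -1, the item runs to the next NUL wherever it is, so a text segment whose last pair lacks the terminator the RFC mandates is read past `offset + text_len` into whatever follows in the tvb, or raises a bounds exception there. Keeping the `tvb_strnlen` bound and passing that length instead of -1 would preserve the old tolerance while still going through the bounds-checked accessors. In iscsi_dissect_TargetAddress, `port_len = tvb_reported_length_remaining(tvb, colon_offset + 1);` counts the trailing NUL of the key/value subset when no comma follows, so the expert-info highlight on an invalid port covers one byte more than the port text; trimming that byte when the subset ends in NUL would tighten it. The tails of both functions lie outside the hunks shown.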
@@ -0,0 +1,81 @@ +From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 10 Aug 2023 05:29:09 -0400 +Subject: [PATCH] btsdp: Keep offset advancing + +hf_data_element_value is a FT_NONE, so we can add the item with +the expected length and get_hfi_length() will adjust the length +without throwing an exception. There's no need to add it with +zero length and call proto_item_set_len. Also, don't increment +the offset by 0 instead of the real length when there isn't +enough data in the packet, as that can lead to failing to advance +the offset. + +When dissecting a sequence type (sequence or alternative) and +recursing into the sequence member, instead of using the main +packet tvb directly, create a subset using the indicated length +of the sequence. That will properly throw an exception if a +contained item is larger than the containing sequence, instead of +dissecting the same bytes as several different items (inside +the sequence recursively, as well in the outer loop.) 
+ +Fix #19258 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9] +CVE: CVE-2023-4511 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + epan/dissectors/packet-btsdp.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c +index 529bb71..f18d531 100644 +--- a/epan/dissectors/packet-btsdp.c ++++ b/epan/dissectors/packet-btsdp.c +@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree, + offset += len - length; + } + +- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA); ++ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA); + if (length > tvb_reported_length_remaining(tvb, offset)) { + expert_add_info(pinfo, pitem, &ei_data_element_value_large); +- length = 0; +- } +- proto_item_set_len(pitem, length); +- if (length == 0) ++ proto_item_append_text(pitem, ": MISSING"); ++ } else if (length == 0) + proto_item_append_text(pitem, ": MISSING"); + + if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value); +@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + gint bytes_to_go = size; + gint first = 1; + wmem_strbuf_t *substr; ++ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size); ++ gint next_offset = 0; + + ti = proto_tree_add_item(next_tree, (type == 6) ? 
hf_data_element_value_sequence : hf_data_element_value_alternative, + tvb, offset, size, ENC_NA); +@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + first = 0; + } + +- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid, ++ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, ++ attribute, service_uuid, + service_did_vendor_id, service_did_vendor_id_source, + service_hdp_data_exchange_specification, service_info, &substr); + if (size < 1) { + break; + } + wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr)); +- offset += size ; ++ next_offset += size; + bytes_to_go -= size; + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch new file mode 100644 index 0000000000..a08610f8d2 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch 
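Review bot: In dissect_sdp_type the new `tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);` is evaluated at declaration, before `ti = proto_tree_add_item(next_tree, ..., tvb, offset, size, ENC_NA);` adds the sequence item, so a sequence whose declared size exceeds the remaining data throws from the subset creation and the sequence node never appears in the tree, while the item added first would have been clamped (the commit message itself notes that get_hfi_length adjusts FT_NONE lengths). Declaring `tvbuff_t *next_tvb;` with the other locals and assigning it right after the proto_tree_add_item call keeps the truncated sequence visible and still fails on its first member. In dissect_data_element both branches now append the same `": MISSING"` literal and differ only in the expert info; a single `proto_item_append_text` guarded by the combined condition, with `expert_add_info` kept under the overflow test alone, avoids the duplication. Both functions begin and end outside these hunks.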
@@ -0,0 +1,246 @@ +From 2d59b26d3b554960c777003c431add89d018b0a6 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 17 Oct 2023 22:08:42 -0700 +Subject: [PATCH] netscreen: do bounds checking for each byte of packet data. + +Make sure each byte we add to the packet data from the file fits in the +buffer, rather than stuffing bytes into the buffer and checking +afterwards. + +This prevents a buffer overflow. + +Fixes #19404, which was filed as part of Trend Micro's Zero Day +Initiative as ZDI-CAN-22164. + +While we're at it, expand a comment and make error messages give some +more detail. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/3be1c99180a6fc48c34ae4bfc79bfd840b29ae3e] +CVE: CVE-2023-6175 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscreen.c | 125 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 94 insertions(+), 31 deletions(-) + +diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c +index 9ad825f..ffcb689 100644 +--- a/wiretap/netscreen.c ++++ b/wiretap/netscreen.c +@@ -59,7 +59,12 @@ static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off, + static gboolean parse_netscreen_packet(FILE_T fh, wtap_rec *rec, + Buffer* buf, char *line, int *err, gchar **err_info); + static int parse_single_hex_dump_line(char* rec, guint8 *buf, +- guint byte_offset); ++ guint byte_offset, guint pkt_len); ++ ++/* Error returns from parse_single_hex_dump_line() */ ++#define PARSE_LINE_INVALID_CHARACTER -1 ++#define PARSE_LINE_NO_BYTES_SEEN -2 ++#define PARSE_LINE_TOO_MANY_BYTES_SEEN -3 + + /* Returns TRUE if the line appears to be a line with protocol info. + Otherwise it returns FALSE. */ +@@ -241,13 +246,40 @@ netscreen_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec, Buffer *buf, + 2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9 ,!...`..5....... + 1d 0b .. 
+ ++ * The first line of a packet is in the form ++ ++<secs>.<dsecs>: <iface>({i,o}) len=<length>:<llinfo>> + ++ * where: ++ * ++ * <secs> and <dsecs> are a time stamp in seconds and deciseconds, ++ * giving the time since the firewall was booted; ++ * ++ * <iface> is the name of the interface on which the packet was ++ * received or on which it was transmitted; ++ * ++ * {i,o} is i for a received packet and o for a transmitted packet; ++ * ++ * <length> is the length of the packet on the network; ++ * ++ * <llinfo>, at least for Ethernet, appears to be a source MAC ++ * address, folowed by "->", folowed by a destination MAC ++ * address, followed by a sequence of Ethertypes, each ++ * preceded by a "/" (multiple Ethertypes if there are VLAN ++ * tags and the like), possibly followed by ", tag <tag>". ++ * ++ * Following that may be some "info lines", each of which is indented ++ * by 14 spaces, giving a dissection of the payload after the ++ * link-layer header. ++ * ++ * Following that is a hex/ASCII dump of the contents of the ++ * packet, with 16 octets per line. 
+ */ + static gboolean + parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + char *line, int *err, gchar **err_info) + { +- int pkt_len; ++ guint pkt_len; + int sec; + int dsec; + char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; +@@ -266,17 +298,12 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + memset(cap_int, 0, sizeof(cap_int)); + memset(cap_dst, 0, sizeof(cap_dst)); + +- if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/", ++ if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/", + &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("netscreen: Can't parse packet-header"); + return -1; + } +- if (pkt_len < 0) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: packet header has a negative packet length"); +- return FALSE; +- } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; don't blow up trying +@@ -323,44 +350,71 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + break; + } + +- n = parse_single_hex_dump_line(p, pd, offset); ++ n = parse_single_hex_dump_line(p, pd, offset, pkt_len); + +- /* the smallest packet has a length of 6 bytes, if +- * the first hex-data is less then check whether +- * it is a info-line and act accordingly ++ /* ++ * The smallest packet has a length of 6 bytes. ++ * If the first line either gets an error when ++ * parsed as hex data, or has fewer than 6 ++ * bytes of hex data, check whether it's an ++ * info line by see if it has at least ++ * NETSCREEN_SPACES_ON_INFO_LINE spaces at the ++ * beginning. ++ * ++ * If it does, count this line and, if we have, ++ * so far, skipped no more than NETSCREEN_MAX_INFOLINES ++ * lines, skip this line. 
+ */ + if (offset == 0 && n < 6) { + if (info_line(line)) { ++ /* Info line */ + if (++i <= NETSCREEN_MAX_INFOLINES) { ++ /* Skip this line */ + continue; + } + } else { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: cannot parse hex-data"); +- return FALSE; ++ if (n >= 0) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: first line of packet data has only %d hex bytes, < 6"); ++ return FALSE; ++ } ++ /* Otherwise, fall through to report error */ + } + } + + /* If there is no more data and the line was not empty, + * then there must be an error in the file + */ +- if (n == -1) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: cannot parse hex-data"); ++ if (n < 0) { ++ switch (n) { ++ ++ case PARSE_LINE_INVALID_CHARACTER: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: invalid character in hex data"); ++ break; ++ ++ case PARSE_LINE_NO_BYTES_SEEN: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: no hex bytes seen in hex data"); ++ break; ++ ++ case PARSE_LINE_TOO_MANY_BYTES_SEEN: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: number of hex bytes seen in hex data is greater than the packet length"); ++ break; ++ ++ default: ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("netscreen: unknown error %d from parse_single_hex_dump_line()", n); ++ break; ++ } ++ + return FALSE; + } + + /* Adjust the offset to the data that was just added to the buffer */ + offset += n; + +- /* If there was more hex-data than was announced in the len=x +- * header, then then there must be an error in the file +- */ +- if (offset > pkt_len) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: too much hex-data"); +- return FALSE; +- } + } + + /* +@@ -400,7 +454,7 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + * + * Returns number of bytes successfully read, -1 if bad. 
*/ + static int +-parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) ++parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset, guint pkt_len) + { + int num_items_scanned; + guint8 character; +@@ -419,7 +473,7 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + /* Nothing more to parse */ + break; + } else +- return -1; /* not a hex digit, space before ASCII dump, or EOL */ ++ return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit, space before ASCII dump, or EOL */ + byte <<= 4; + character = *rec++ & 0xFF; + if (character >= '0' && character <= '9') +@@ -429,7 +483,16 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + else if (character >= 'a' && character <= 'f') + byte += character - 'a' + 0xa; + else +- return -1; /* not a hex digit */ ++ return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit */ ++ ++ /* If there was more hex-data than was announced in the len=x ++ * header, then there must be an error in the file; quit ++ * now, as adding this byte will overflow the buffer. ++ */ ++ if (byte_offset + num_items_scanned >= pkt_len) { ++ return PARSE_LINE_TOO_MANY_BYTES_SEEN; ++ } ++ + buf[byte_offset + num_items_scanned] = byte; + character = *rec++ & 0xFF; + if (character == '\0' || character == '\r' || character == '\n') { +@@ -437,11 +500,11 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + break; + } else if (character != ' ') { + /* not space before ASCII dump */ +- return -1; ++ return PARSE_LINE_INVALID_CHARACTER; + } + } + if (num_items_scanned == 0) +- return -1; ++ return PARSE_LINE_NO_BYTES_SEEN; + + return num_items_scanned; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch new file mode 100644 index 0000000000..c4dfb6c37d --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch 
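Review bot: `*err_info = g_strdup("netscreen: first line of packet data has only %d hex bytes, < 6");` copies the literal including `%d`, so the user sees the format specifier rather than the byte count; it should be `*err_info = g_strdup_printf("netscreen: first line of packet data has only %d hex bytes, < 6", n);`, as the `unknown error %d` message later in the same hunk already does. The header comment above parse_single_hex_dump_line still reads `Returns number of bytes successfully read, -1 if bad.` although the function now returns three distinct codes; it should say `Returns number of bytes successfully read, or one of the negative PARSE_LINE_* values on error.` The context line `return -1;` after the "Can't parse packet-header" message is pre-existing but sits in a gboolean function; `return FALSE;` would match the other error paths. parse_netscreen_packet starts and ends outside this hunk.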
@@ -0,0 +1,42 @@
+From a8586fde3a6512466afb2a660538ef3fe712076b Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 23 Nov 2023 13:47:51 -0500
+Subject: [PATCH] gvcp: Don't try to add a NULL string to a column
+
+This was caught as an invalid argument by g_strlcpy before 4.2,
+but it was never a good idea.
+
+Fix #19496
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b]
+CVE: CVE-2024-0208
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gvcp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c
+index 2de4552..b94ddea 100644
+--- a/epan/dissectors/packet-gvcp.c
++++ b/epan/dissectors/packet-gvcp.c
+@@ -2222,15 +2222,12 @@ static void dissect_readreg_ack(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb, p
+ if (addr_list_size > 0)
+ {
+ address_string = get_register_name_from_address(*((guint32*)wmem_array_index(gvcp_trans->addr_list, 0)), gvcp_info, &is_custom_register);
++ col_append_str(pinfo->cinfo, COL_INFO, address_string);
+ }
+
+ if (num_registers)
+ {
+- col_append_fstr(pinfo->cinfo, COL_INFO, "%s Value=0x%08X", address_string, tvb_get_ntohl(tvb, offset));
+- }
+- else
+- {
+- col_append_str(pinfo->cinfo, COL_INFO, address_string);
++ col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Value=0x%08X", tvb_get_ntohl(tvb, offset));
+ }
+ }
+ }
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
new file mode 100644
index 0000000000..347943d422
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
@@ -0,0 +1,52 @@
+From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Wed, 6 Mar 2024 20:40:42 -0500
+Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
+
+Fragment data can't be allocated in pinfo->pool scope, as it
+outlives the frame. Set it to be freed when the associated tvb
+is freed, as done in the main reassemble.c code.
+
+Fix #19695
+
+CVE: CVE-2024-2955
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
+ epan/dissectors/packet-t38.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
+index 7b856626865..526b313d054 100644
+--- a/epan/dissectors/asn1/t38/packet-t38-template.c
++++ b/epan/dissectors/asn1/t38/packet-t38-template.c
+@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ last_fd=fd_i;
+ }
+
+- data = (guint8 *) wmem_alloc(pinfo->pool, size);
++ data = (guint8 *) g_malloc(size);
+ fd_head->tvb_data = tvb_new_real_data(data, size, size);
++ tvb_set_free_cb(fd_head->tvb_data, g_free);
+ fd_head->len = size; /* record size for caller */
+
+ /* add all data fragments */
+diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
+index ca95ae8b64e..5083c936c5a 100644
+--- a/epan/dissectors/packet-t38.c
++++ b/epan/dissectors/packet-t38.c
+@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ last_fd=fd_i;
+ }
+
+- data = (guint8 *) wmem_alloc(pinfo->pool, size);
++ data = (guint8 *) g_malloc(size);
+ fd_head->tvb_data = tvb_new_real_data(data, size, size);
++ tvb_set_free_cb(fd_head->tvb_data, g_free);
+ fd_head->len = size; /* record size for caller */
+
+ /*
add all data fragments */
+--
+GitLab
+
diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch
new file mode 100644
index 0000000000..54438dd870
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch
@@ -0,0 +1,22 @@
+Fix update to build for alt arch machine.
+
+Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use
+the target lemon built by the target wireshark. Revert to use the one built by
+wireshark-native.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off: Armin Kuster <akuster@mvista.com>
+
+Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake
+===================================================================
+--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake
++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake
+@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated
+ # These files are generated as side-effect
+ ${_out}.h
+ ${_out}.out
+- COMMAND $<TARGET_FILE:lemon>
++ COMMAND lemon
+ -T${_lemonpardir}/lempar.c
+ -d.
+ ${_in}
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.5.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index a6c09d47ba..4e48d5294c 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.5.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
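Review bot: The trailer in the header of fix_lemon_path.patch reads `Signed-off: Armin Kuster <akuster@mvista.com>`, which is not the `Signed-off-by:` form that the layer's patch checks and the kernel-style sign-off convention look for; change it to `Signed-off-by: Armin Kuster <akuster@mvista.com>`. The first line, "Fix update to build for alt arch machine.", is also vague for a local carry-forward patch; a wording such as "Use the wireshark-native lemon when cross-building" would tell the next maintainer why the `Upstream-Status: Inappropriate [configuration]` patch exists without reading the body.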
@@ -8,11 +8,28 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi
DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "
-SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz"
-
+SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \
+ file://fix_lemon_path.patch \
+ file://CVE-2023-2855.patch \
+ file://CVE-2023-2856.patch \
+ file://CVE-2023-2858.patch \
+ file://CVE-2023-2952.patch \
+ file://CVE-2023-0667-pre1.patch \
+ file://CVE-2023-0667.patch \
+ file://CVE-2023-0668.patch \
+ file://CVE-2023-2906.patch \
+ file://CVE-2023-3649.patch \
+ file://CVE-2022-0585-CVE-2023-2879.patch \
+ file://CVE-2022-4345.patch \
+ file://CVE-2024-0208.patch \
+ file://CVE-2023-1992.patch \
+ file://CVE-2023-4511.patch \
+ file://CVE-2024-2955.patch \
+ file://CVE-2023-6175.patch \
+ "
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "bd89052a5766cce08b1090df49628567e48cdd24bbaa47667c851bac6aaac940"
+SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887"
PE = "1"
diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
index bab75fee3f..6b83cbd522 100644
--- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
+++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d"
DEPENDS = "libnl"
-SRC_URI = "git://github.com/linux-wpan/wpan-tools"
+SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https"
SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273"
S = "${WORKDIR}/git" |
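Review bot: The sixteen CVE patches added to SRC_URI in wireshark_3.2.18.bb are listed in no discernible order (`file://CVE-2024-0208.patch` sits between `CVE-2022-4345` and `CVE-2023-1992`), which makes it hard to reconcile the list against an advisory feed when the next batch lands. Ordering them by CVE identifier, with `file://CVE-2023-0667-pre1.patch` kept immediately before `file://CVE-2023-0667.patch`, would ease that audit, and a one-line comment above the list such as `# CVE-2023-0667-pre1.patch must be applied before CVE-2023-0667.patch` would stop a future re-sort from breaking the series. The two backports visible in this diff carry a `CVE:` tag in their header, which is what cve-check consumes to mark an issue as patched; the other fourteen patch files are outside this view, so please confirm each of them carries the tag as well.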