different response to "deny routed" in almost identical systems

Asked by My name on 2014-06-25

I have 2 extremely similar installations of Ubuntu 14.04, 32 bit, built from the minimalist mini.iso with Openbox as both WM and DE, on different partitions of the same drive of the same machine. So the hardware is identical in the most literal sense. Both systems start ufw the same way, with these 4 lines in /etc/rc.local:

ufw enable
ufw default deny incoming
ufw default allow outgoing
ufw default deny routed

Both systems access the internet the same way, through the same ethernet cable to the same wireless router.

But the 2 systems do NOT give the same ufw report.

One gives what I'd expect:

me@ubuntwo:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

The other doesn't sound quite as good:

me@ubuntu:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

So what does this difference, "deny (routed)" vs. "disabled (routed)", mean? What consequence does it have and how could I figure out the reason there is a difference?

Both systems seem to work the same way as far as any effect of the firewall is concerned that I've been able to determine. I'm guessing the "routed" item, which only showed up in ufw reports recently, pertains to controlling traffic with other machines connecting to the same router. Is that correct?

I don't at the moment have any need to exchange data through the router with other devices using it wirelessly, although I might want to fiddle with that in the future.

Thanks for reading.

Question information

Language: English
Status: Solved
For: Ubuntu ufw
Assignee: No assignee
Solved by: Thomas Krüger
Solved: 2014-06-26
Last query: 2014-06-26
Last reply: 2014-06-26
Thomas Krüger (thkrueger) said : #1

Is IP forwarding (routing) enabled on both machines?
See cat /proc/sys/net/ipv4/ip_forward

My name (plmalternate) said : #2

If that file is an indication, I guess not, because:
-------------------------------------------------------------------------------------
sda5:

cat /proc/sys/net/ipv4/ip_forward
0

sudo ufw status verbose
. . .
Default: deny (incoming), allow (outgoing), disabled (routed)

######################################

sda6:

cat /proc/sys/net/ipv4/ip_forward
1

sudo ufw status verbose
. . .
Default: deny (incoming), allow (outgoing), deny (routed)
---------------------------------------------------------------------------------------
I just read the Wikipedia article on IP forwarding. I confess I don't feel very much enlightened by it. Sounds like something that goes on elsewhere, like at ISPs and machines managing traffic between them.

My name (plmalternate) said : #3

This article:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=9&style=printable
seems to be saying IP forwarding is a Bad Thing unless, maybe, if you have a "multi-homed host", implied to be unusual. I read some stuff Startpage turned up searching "multi-homed host" but I haven't figured out yet if I have one or if I should want one. I do recall seeing some dialogue where I was to choose between "eth0" and "eth1", maybe during an OS installation, but I'm not sure that was on this machine.

I'm beginning to suspect that "disabled" is the safer, and default, setting, and that it remains that way until I install something that needs it to be otherwise. That might account for the difference because I believe the only internet-using applications that have been on sda5, the 0/disabled system, are aptitude, apt-get, synaptic, firefox, and maybe wget. I've used sda6 more and may have installed something on it that needed IP forwarding although I'm not sure what that would have been. All I see on there that looks like an internet-using app beyond those on sda5 is midori. Does any of that sound sensible?

Best Thomas Krüger (thkrueger) said : #4

The ip_forward setting enables internet protocol routing on the system. That means, if the system receives an IP packet that is not addressed to the system itself, it will send it out again (forward it) according to its routing table. This setting is required for several setups, like virtual machine networking or tethering, and obviously if you use your box as a router.

It also explains the display of "disabled (routed)" where ip_forward is off, since it is disabled.

My name (plmalternate) said : #5

Thanks Thomas Krüger, that solved my question.

My name (plmalternate) said : #6

Thanks. You totally clarified the UFW aspects of this and shed a good deal of light on the others. For now I'm going to try to set this pref to 0 (disabled) and if I have problems, like with VMs, that could conceivably be traced to this, I'll test it. So far I haven't been able to make the 0 setting persistent across rebooting on the system where it is set to 1. I've tried

net.ipv4.ip_forward = 0
and alternately
net.ipv4.ip_forward=0

in /etc/sysctl.conf.

Neither seems to work. But that is outside the scope of ufw function anyway.

Thanks.
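As an added example (not part of the thread, and not ufw's own code), the following POSIX shell script ties together the two points discussed above: the answer in #4, that ufw prints "disabled (routed)" whenever the kernel's ip_forward flag is off regardless of the configured policy, and the sysctl.conf attempts in #6. It assumes the policy value is the DEFAULT_FORWARD_POLICY string that "ufw default deny|allow|reject routed" stores in /etc/default/ufw (DROP, ACCEPT or REJECT); the sysctl text it parses is a constructed sample, not taken from either system.

```shell
#!/bin/sh
# Added example: predict the "(routed)" field of "ufw status verbose" from the
# kernel ip_forward flag and ufw's DEFAULT_FORWARD_POLICY, and find the value a
# sysctl.conf-style file actually requests for net.ipv4.ip_forward.

# routed_label FORWARD_FLAG POLICY
# Prints the label ufw shows for the routed (FORWARD) chain. A forward flag
# other than 1 yields "disabled (routed)" no matter what policy is configured;
# this is the sda5 case from the thread (ip_forward=0, policy DROP).
routed_label() {
    flag=$1 policy=$2
    if [ "$flag" != "1" ]; then
        echo "disabled (routed)"
        return 0
    fi
    case $policy in
        DROP)   echo "deny (routed)" ;;
        ACCEPT) echo "allow (routed)" ;;
        REJECT) echo "reject (routed)" ;;
        *)      echo "unknown (routed)"; return 1 ;;
    esac
}

# effective_ip_forward SYSCTL_TEXT
# Prints the last uncommented value assigned to net.ipv4.ip_forward, or "unset".
# Both "key = value" and "key=value" (the two spellings tried in #6) are valid
# sysctl.conf syntax, as is the slash form net/ipv4/ip_forward; later lines win
# because sysctl -p applies the file top to bottom.
effective_ip_forward() {
    val=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' |
        tail -n 1)
    echo "${val:-unset}"
}

# Constructed sample resembling the edits described in #6 (not a real file).
SAMPLE_SYSCTL='# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 0
net.ipv4.ip_forward=0'

echo "sda5 case (ip_forward=0, DROP): $(routed_label 0 DROP)"
echo "sda6 case (ip_forward=1, DROP): $(routed_label 1 DROP)"
echo "sample sysctl.conf requests ip_forward=$(effective_ip_forward "$SAMPLE_SYSCTL")"
# On a live Ubuntu box, compare the file's request with what the kernel runs.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    live=$(cat /proc/sys/net/ipv4/ip_forward)
    echo "live kernel ip_forward=$live -> $(routed_label "$live" DROP)"
fi
```

If the file requests 0 but the live flag reads 1 after a reboot, something applied later in boot is turning forwarding back on; ufw's own /etc/ufw/sysctl.conf is applied when ufw starts and overrides /etc/sysctl.conf, so it is the first place to compare.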