
debcrafters-packages team mailing list archive

[Bug 2128668] Re: Wi-Fi hotspot startup does not configure firewall as needed for internet sharing


Save this as `/etc/NetworkManager/conf.d/default-firewall-use-iptables.conf`,
then run `sudo systemctl restart NetworkManager`.

This will configure NetworkManager to use `iptables` as its default
firewall backend, which should resolve the issue in this bug when
starting the hotspot in the future.

** Attachment added: "default-firewall-use-iptables.conf"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+attachment/5920785/+files/default-firewall-use-iptables.conf

** Description changed:

  SRU Justification:
  
  [ Impact ]
  
  When a wi-fi hotspot is being broadcast, NetworkManager does not
  automatically configure all firewall rules as needed for clients to
  access the internet.
  
  [ Test Plan ]
  
  Start wi-fi hotspot on device running ufw that is connected to the
  internet
  
  [ Actual result ]
  Clients cannot connect to the internet via the hotspot. Only after adding custom firewall rules such as those described above can the client connect to the internet.
  
  [ Expected result ]
  Clients can connect to the internet via the hotspot
  
  [ Fix ]
  
  At minimum, the following is needed to enable this:
  
  1. Enable routing from wireless adapter to wired adapter (ex: sudo ufw route allow in on wlP9s9 out on enp1s0 (varies depending on adapter names))
  2. Set iptables forwarding rules correctly (ex: sudo iptables -P FORWARD ACCEPT)
  3. If the host is running its own DNS / DHCP servers, those will also have to be allowed by the firewall
  
  This is already implemented by NetworkManager. However, since
  applications like UFW configure firewall rules directly through
  /usr/sbin/iptables, NetworkManager needs to be configured to do so as
  well. Since we don't explicitly set a firewall backend to use in our
  config, NM checks for the existence of nftables and uses it since it is
  installed on Ubuntu, which is not sufficient to override the rules set
  via iptables by UFW and Docker.
  
  Therefore, the most straightforward solution is to configure Ubuntu's
  NetworkManager to use iptables as its firewall backend, bringing it in
  line with how UFW orchestrates its firewall rules.
  
+ (Apply this config change to set iptables as the default backend for NM:
+ https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/comments/6)
+ 
  [ Where problems could occur ]
  
  While NetworkManager should be configuring the same rules regardless of
  the firewall backend used, any differences that might exist between how
  /usr/sbin/iptables and /usr/sbin/nftables handle the setup could
  manifest as user-visible differences in firewall behavior. Additionally,
  since /usr/sbin/iptables is a symlink to /etc/alternatives/iptables, a
  user who has changed their /etc/alternatives/iptables target could also
  deviate from the behavior of a default Ubuntu configuration.
  
  With that said, keeping this configuration as-is may also have risks
  beyond the hotspot sharing use-case, since even the default firewall
  profiles in NM are currently set via the nftables interface, which I've
  observed is not always in sync with the UFW-enforced rules set via
  /usr/sbin/iptables.
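The comment above tells you to drop a config file into conf.d and restart NetworkManager, and the [ Fix ] section explains why the backend choice matters. The following is an added example, not the attachment from this bug or NetworkManager's own code: it resolves which `firewall-backend` NetworkManager will actually use from a config root (NetworkManager.conf first, then conf.d/*.conf in lexical order, later files overriding earlier ones for the same `[main]` key, which is how NM merges its configuration) and writes the drop-in the fix describes. The key name `firewall-backend` and the values `iptables`, `nftables` and `none` are NetworkManager.conf's own; ignoring the /usr/lib and /run drop-in directories is an assumption made to keep the check to what an administrator edits.

```shell
#!/bin/sh
# Added example (not part of the bug report or of NetworkManager).
# Audits the effective firewall-backend setting of a NetworkManager
# config root and writes the iptables drop-in this bug's fix recommends.

# Print the firewall-backend value from the [main] section of file $1,
# or nothing if the file does not set one. Later keys in the same file
# override earlier ones, as they do in NetworkManager's own parser.
backend_in_file() {
  awk -F= '
    /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }
    sect == "main" && $1 ~ /^[ \t]*firewall-backend[ \t]*$/ {
      v = $2; gsub(/[ \t]/, "", v); last = v
    }
    END { if (last != "") print last }
  ' "$1"
}

# Print the effective backend for config root $1 (e.g. /etc/NetworkManager).
# "unset" means NM auto-detects, which on Ubuntu picks nftables when it is
# installed: exactly the situation the bug describes, with NM's rules
# landing outside the tables UFW and Docker manage via iptables.
nm_effective_backend() {
  root=$1
  result=""
  # Assumption: only /etc is consulted; /usr/lib and /run drop-ins are
  # ignored here. Glob expansion yields lexical order, the same as NM.
  for f in "$root/NetworkManager.conf" "$root"/conf.d/*.conf; do
    [ -f "$f" ] || continue
    v=$(backend_in_file "$f")
    if [ -n "$v" ]; then result=$v; fi
  done
  printf '%s\n' "${result:-unset}"
}

# Write the drop-in from the fix: pin NM to iptables so its hotspot rules
# sit in the same tables UFW enforces. Run as root against
# /etc/NetworkManager, then restart NetworkManager.
write_iptables_dropin() {
  mkdir -p "$1/conf.d"
  printf '[main]\nfirewall-backend=iptables\n' \
    > "$1/conf.d/default-firewall-use-iptables.conf"
}
```

Before restarting NetworkManager you can confirm the drop-in took effect with `nm_effective_backend /etc/NetworkManager`, which should print `iptables`; `unset` means auto-detection is still in force.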

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2128668

Title:
  Wi-Fi hotspot startup does not configure firewall as needed for
  internet sharing

Status in network-manager package in Ubuntu:
  In Progress
Status in network-manager source package in Jammy:
  In Progress
Status in network-manager source package in Noble:
  In Progress
Status in network-manager source package in Plucky:
  Won't Fix
Status in network-manager source package in Questing:
  In Progress
Status in network-manager source package in Resolute:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+subscriptions