Which port is APT using?

I've just setup my first Linode (using Ubuntu 11.04) and everything is working fine so far, except for one thing. I've configured ufw to deny everything except 80/tcp, 443/tcp and 22/tcp. This seems to work as it should.

Problem is: now I can't use apt-get anymore, because it can't reach the server: Temporary failure resolving 'us.archive.ubuntu.com'

I was under the impression that APT uses port 80, isn't that correct?

If I turn ufw off, everything works fine. Of course that's not really an option.

The server seems to be much slower (writing to disk etc.) when ufw is on, I suppose it shouldn't be that way, too?

Thanks for any help.

21 Replies

I don't know what port apt uses, but it says the error is in resolving it, not connecting to the server. Sounds like DNS is broken. Try 'dig www.linode.com' or 'host www.linode.com' from the command line. What happens? If it is broken, does it work when ufw is disabled? If not, what does your /etc/resolv.conf say, and which data center are you in?

With ufw on:

; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; connection timed out; no servers could be reached

With ufw off:

; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49422
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;www.linode.com.            IN  A

;; ANSWER SECTION:
www.linode.com.        86323   IN  A   69.164.200.202
www.linode.com.        86323   IN  A   72.14.180.202
www.linode.com.        86323   IN  A   72.14.191.202

;; AUTHORITY SECTION:
linode.com.        56421   IN  NS  ns2.linode.com.
linode.com.        56421   IN  NS  ns5.linode.com.
linode.com.        56421   IN  NS  ns4.linode.com.
linode.com.        56421   IN  NS  ns3.linode.com.
linode.com.        56421   IN  NS  ns1.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.        12921   IN  A   69.93.127.10
ns2.linode.com.        12921   IN  A   65.19.178.10
ns3.linode.com.        12915   IN  A   75.127.96.10
ns4.linode.com.        12915   IN  A   207.192.70.10
ns5.linode.com.        12915   IN  A   109.74.194.10

;; Query time: 1 msec
;; SERVER: 109.74.192.20#53(109.74.192.20)
;; WHEN: Sat May 28 11:37:20 2011
;; MSG SIZE  rcvd: 250

My /etc/resolv.conf:

# Generated by dhcpcd for interface eth0
search members.linode.com
nameserver 109.74.192.20
nameserver 109.74.193.20
nameserver 109.74.194.20

I'm in the London data center.

Thanks! :)

OK, so your DNS setup is fine, but ufw is blocking it. Nice.

I don't have much else to say to help debug it. It looks like ufw bug 713788 covers the same issue, with a comment summarizing everything I could say.

You probably have ufw blocking traffic going out, run ufw default allow outgoing

@obs:

You probably have ufw blocking traffic going out, run ufw default allow outgoing

OK, stuff feels much more responsive now. APT still doesn't want to play with me though, when I run

sudo apt-get update

it will output

Err http://us.archive.ubuntu.com natty InRelease                            

Err http://security.ubuntu.com natty-security InRelease                     

Err http://us.archive.ubuntu.com natty-updates InRelease                    

Err http://security.ubuntu.com natty-security Release.gpg                   
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com natty Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://us.archive.ubuntu.com natty-updates Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Reading package lists... Done           
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/InRelease  

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/InRelease  

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/InRelease  

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/Release.gpg  Temporary failure resolving 'security.ubuntu.com'

W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Works fine when I disable ufw.

Verbose ufw status looks like this now:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere

Odd, try specifically allowing port 53 outgoing

No change, unfortunately.

Verbose status is now:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere

53/tcp                     ALLOW OUT   Anywhere

Still shows the "Temporary failure resolving …" error.

Edit: tried adding 53/udp as well, didn't help :(

Looks like it's working now. Out of sheer frustration I've just removed the whole ufw package and installed it again.

Anyway, thanks for your help guys!

You might want to investigate shorewall it's a darn sight easier to get your head around once you know how the configuration files work, in my opinion it's less complicated than ufw (uncomplicated firewall)

When I activated ufw it destroyed my iptables restore file. Man, I wish it would be always this uncomplicated to do such stuff. :wink:

Well, I don't know if it's available in the distro… but I really like the ultrasimple firewall described here:

http://library.linode.com/security/fire … an-5-lenny">http://library.linode.com/security/firewalls/arno-iptables-debian-5-lenny

One of the nice parts is that is has a custom rules file so I could drop in that one "special" iptables line into it without hacking into rc.local. ;)

````
iptables -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -P OUTPUT ACCEPT

````

It's really not that hard to just use iptables itself, you know.

Well, turned out that ufw went back to its deny-all state after a reboot. So I've removed it and use shorewall instead now, which works great.

I know I could use iptables directly, but it's just way more convenient to use a frontend (yes, I am lazy).

> iptables -m state –state RELATED,ESTABLISHED -j ACCEPT

$10 says that was the issue.

Edit: not having it, that is.

Were you using 2.6.39, perchance?

I just found that ufw + 2.6.39 == b0rked IPv4 connectivity.

@JshWright:

Were you using 2.6.39, perchance?

Yes I am.

Having exactly the same problem as OP… rebooted linode last Thursday and now all dns(? just dns?) traffic blocked by ufw. Last reboot was 3 months ago, and it was working fine after this until latest reboot. Something must have changed in an update.

(Oh, and 2.3.69)

Strange, did a reboot with ufw disabled, rebooted, enabled it, and it's working fine.

````
$ uname -a
Linux hansel 2.6.39-linode33 #5 SMP Sun May 29 02:01:17 UTC 2011 i686 GNU/Linux

````

That probably has something to do with it. :-)

@hoopycat:

$ uname -a
Linux hansel 2.6.39-linode33 #5 SMP Sun May 29 02:01:17 UTC 2011 i686 GNU/Linux

That probably has something to do with it. :-)

It did, there was an issue which was brought to our attention in a ticket and corrected very shortly after.

Just for anyone that's following along, 2.6.39-linode33 broke ufw. We then corrected the problem. 2.6.39-linode33 #5 (build #5 as shown in uname -a) has the fix.

-Chris

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct