Which port is APT using?
Problem is: now I can't use apt-get anymore, because it can't reach the server:
Temporary failure resolving 'us.archive.ubuntu.com'
I was under the impression that APT uses port 80, isn't that correct?
If I turn ufw off, everything works fine. Of course that's not really an option.
The server seems to be much slower (writing to disk etc.) when ufw is on, I suppose it shouldn't be that way, too?
Thanks for any help.
```
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; connection timed out; no servers could be reached
```
With ufw off:
```
; <<>> DiG 9.7.3 <<>> www.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49422
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;www.linode.com.            IN  A

;; ANSWER SECTION:
www.linode.com.     86323   IN  A   69.164.200.202
www.linode.com.     86323   IN  A   72.14.180.202
www.linode.com.     86323   IN  A   72.14.191.202

;; AUTHORITY SECTION:
linode.com.         56421   IN  NS  ns2.linode.com.
linode.com.         56421   IN  NS  ns5.linode.com.
linode.com.         56421   IN  NS  ns4.linode.com.
linode.com.         56421   IN  NS  ns3.linode.com.
linode.com.         56421   IN  NS  ns1.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.     12921   IN  A   69.93.127.10
ns2.linode.com.     12921   IN  A   65.19.178.10
ns3.linode.com.     12915   IN  A   75.127.96.10
ns4.linode.com.     12915   IN  A   207.192.70.10
ns5.linode.com.     12915   IN  A   109.74.194.10

;; Query time: 1 msec
;; SERVER: 109.74.192.20#53(109.74.192.20)
;; WHEN: Sat May 28 11:37:20 2011
;; MSG SIZE  rcvd: 250
```
My /etc/resolv.conf:
```
# Generated by dhcpcd for interface eth0
search members.linode.com
nameserver 109.74.192.20
nameserver 109.74.193.20
nameserver 109.74.194.20
```
I'm in the London data center.
Thanks!
I don't have much else to say to help debug it. It looks like ufw bug 713788
@obs:
You probably have ufw blocking traffic going out, run
```
ufw default allow outgoing
```
OK, stuff feels much more responsive now. APT still doesn't want to play with me though, when I run
```
sudo apt-get update
```
it will output
```
Err http://us.archive.ubuntu.com natty InRelease
Err http://security.ubuntu.com natty-security InRelease
Err http://us.archive.ubuntu.com natty-updates InRelease
Err http://security.ubuntu.com natty-security Release.gpg
  Temporary failure resolving 'security.ubuntu.com'
Err http://us.archive.ubuntu.com natty Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Err http://us.archive.ubuntu.com natty-updates Release.gpg
  Temporary failure resolving 'us.archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/InRelease
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/InRelease
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/InRelease
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/natty-security/Release.gpg  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/dists/natty-updates/Release.gpg  Temporary failure resolving 'us.archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
```
Works fine when I disable ufw.
Verbose ufw status looks like this now:
```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
```
Verbose status is now:
```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
53/tcp                     ALLOW OUT   Anywhere
```
Still shows the "Temporary failure resolving …" error.
Edit: tried adding 53/udp as well, didn't help
Anyway, thanks for your help guys!
One of the nice parts is that it has a custom rules file, so I could drop in that one "special" iptables line into it without hacking into rc.local.
```
# Accept replies to connections this host initiated (DNS answers, HTTP responses, ...).
# The rule needs a chain: without "-A INPUT" iptables reports "no command specified".
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services reachable from outside
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else inbound is rejected; all outbound traffic is allowed
iptables -A INPUT -j REJECT
iptables -P OUTPUT ACCEPT
```
It's really not that hard to just use iptables itself, you know.
I know I could use iptables directly, but it's just way more convenient to use a frontend (yes, I am lazy).
> iptables -m state --state RELATED,ESTABLISHED -j ACCEPT
$10 says that was the issue.
Edit: not having it, that is.
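To make the point of the reply above concrete, here is a small model of the posted ruleset as a stateful packet filter (added example, not code from the thread; the client address and the ephemeral port are constructed, the resolver address is the one from the resolv.conf above). It shows that a UDP/53 reply from the resolver is rejected by the INPUT chain unless the RELATED,ESTABLISHED rule is present, which is exactly the "Temporary failure resolving" symptom, while listed inbound TCP ports keep working either way. It models only the missing-rule case, not the kernel issue mentioned later in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (leaving the host) or "in" (arriving)


class Firewall:
    """Model of the posted rules: INPUT accepts listed TCP ports, optionally
    accepts replies to flows the host started, and rejects the rest;
    OUTPUT accepts everything (iptables -P OUTPUT ACCEPT)."""

    def __init__(self, allowed_in_tcp, track_established):
        self.allowed_in_tcp = set(allowed_in_tcp)
        self.track_established = track_established   # the RELATED,ESTABLISHED rule
        self.conntrack = set()                        # 5-tuples of outbound flows

    def filter(self, pkt):
        if pkt.direction == "out":
            # OUTPUT policy ACCEPT; the connection tracker records the flow
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.track_established and reverse in self.conntrack:
            return "ACCEPT"
        # -A INPUT -p tcp --dport N -j ACCEPT
        if pkt.proto == "tcp" and pkt.dport in self.allowed_in_tcp:
            return "ACCEPT"
        return "REJECT"   # -A INPUT -j REJECT


def dns_lookup(fw, client="10.0.0.5", resolver="109.74.192.20"):
    """Send one UDP/53 query and return the verdict on the resolver's reply.
    client and the source port 40123 are constructed sample values."""
    query = Packet("udp", client, 40123, resolver, 53, "out")
    reply = Packet("udp", resolver, 53, client, 40123, "in")
    assert fw.filter(query) == "ACCEPT"   # outbound is always allowed
    return fw.filter(reply)


if __name__ == "__main__":
    print(dns_lookup(Firewall([22, 80, 443], track_established=False)))  # REJECT
    print(dns_lookup(Firewall([22, 80, 443], track_established=True)))   # ACCEPT
```

Adding an outbound allow for port 53 (as was tried with ufw above) changes nothing in this model, because outbound traffic was never the part being blocked.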
I just found that ufw + 2.6.39 == b0rked IPv4 connectivity.
@JshWright:
Were you using 2.6.39, perchance?
Yes I am.
(Oh, and 2.3.69)
```
$ uname -a
Linux hansel 2.6.39-linode33 #5 SMP Sun May 29 02:01:17 UTC 2011 i686 GNU/Linux
```
That probably has something to do with it.
@hoopycat:
> $ uname -a
> Linux hansel 2.6.39-linode33 #5 SMP Sun May 29 02:01:17 UTC 2011 i686 GNU/Linux
>
> That probably has something to do with it.
:-)
It did, there was an issue which was brought to our attention in a ticket and corrected very shortly after.