hi,
> It seems that ufw destroys all iptable rules on purging.
> This breaks rules given by fail2ban package.
Not only fail2ban, but also any "other" package which touches iptables.
Indeed, ufw postrm script does:
$exe -P INPUT ACCEPT 2>/dev/null || true
$exe -P OUTPUT ACCEPT 2>/dev/null || true
$exe -P FORWARD ACCEPT 2>/dev/null || true
$exe -F 2>/dev/null || true
$exe -X 2>/dev/null || true
This clears all iptables rules, which is a very bad manner for a package
to remove its rules from iptables.
> using two different packages that try to manage the firewall rules at
> the same time is inherently difficult. I'm not sure if there can be a
> good solution to this bug at all.
It is fortunate that ufw uses a prefix for its own chains, so it should remove
only those chains, like:
for CHAIN in INPUT FORWARD OUTPUT
do
    # rule numbers of the jumps into ufw-* chains, highest first, so that
    # deleting one rule does not renumber the rules still to be deleted
    # (sort -rn, not sort -r: lexically "9" sorts after "10")
    iptables -L $CHAIN -n --line-numbers | awk '/ufw-/{print $1}' | sort -rn | while read NUM
    do
        iptables -D $CHAIN $NUM
    done
done
# flush every ufw chain before deleting any of them: -X fails on a chain
# that another, not yet flushed, ufw chain still jumps to
iptables -L -n | awk '/^Chain ufw-/{print $2}' | while read CHAIN
do
    iptables -F $CHAIN || true
done 2>/dev/null
iptables -L -n | awk '/^Chain ufw-/{print $2}' | while read CHAIN
do
    iptables -X $CHAIN || true
done 2>/dev/null
Anyway, controlling the ipchains policies, which are global state parameters,
may have trouble...
regards,
--
KURASHIKI Satoru
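As an added example (not part of the mail above, and not ufw's or fail2ban's own code), the shell functions below work out the same selective cleanup on a constructed `iptables -L -n --line-numbers` listing instead of a live firewall, so the two points that bite in the snippet above can be checked without root: the rule numbers must be deleted in descending numeric order, and every ufw chain must be flushed before any is deleted. The listing, the chain names and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original mail: derive the iptables commands that
# remove only ufw's own rules and chains from a captured listing, so the logic
# can be checked without root or a live netfilter.

# Constructed sample of `iptables -L -n --line-numbers` on a host where ufw and a
# fail2ban-style chain (f2b-sshd) both hold rules in INPUT. Chain names, rule
# numbers and addresses are made up for this example.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target                    prot opt source      destination
1    f2b-sshd                  tcp  --  0.0.0.0/0   0.0.0.0/0   multiport dports 22
2    ufw-before-logging-input  all  --  0.0.0.0/0   0.0.0.0/0
3    ufw-before-input          all  --  0.0.0.0/0   0.0.0.0/0
4    ACCEPT                    all  --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT                    tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80
6    ACCEPT                    tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:443
7    ACCEPT                    udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:53
8    ACCEPT                    icmp --  0.0.0.0/0   0.0.0.0/0
9    ACCEPT                    all  --  10.0.0.0/8  0.0.0.0/0
10   ufw-after-input           all  --  0.0.0.0/0   0.0.0.0/0
11   ufw-reject-input          all  --  0.0.0.0/0   0.0.0.0/0

Chain f2b-sshd (1 references)
num  target                    prot opt source      destination
1    RETURN                    all  --  0.0.0.0/0   0.0.0.0/0

Chain ufw-before-input (1 references)
num  target                    prot opt source      destination
1    ufw-before-logging-input  all  --  0.0.0.0/0   0.0.0.0/0

Chain ufw-before-logging-input (2 references)
num  target                    prot opt source      destination
1    LOG                       all  --  0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 4

Chain ufw-after-input (1 references)
num  target                    prot opt source      destination
1    RETURN                    all  --  0.0.0.0/0   0.0.0.0/0

Chain ufw-reject-input (1 references)
num  target                    prot opt source      destination
1    REJECT                    all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable'

# Rule numbers in built-in chain $1 whose target is a ufw- chain, highest first,
# so deleting them one at a time never renumbers a rule still to be deleted.
ufw_rule_numbers() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v want="$1" '
        /^Chain / { chain = $2; next }   # section header: note which chain follows
        /^num /   { next }               # column header
        NF == 0   { next }               # blank line between sections
        chain == want && $2 ~ /^ufw-/ { print $1 }
    ' | sort -rn
}

# Same selection with plain `sort -r`, as in the mail above: lexical order puts
# "3" before "11", so rule 11 would be deleted only after rules 2 and 3 are gone
# and it has already shifted down to position 9.
ufw_rule_numbers_lexical() {
    ufw_rule_numbers "$1" | sort -r
}

# Deletion commands for built-in chain $1, e.g. "iptables -D INPUT 11".
ufw_rule_deletions() {
    ufw_rule_numbers "$1" | while read -r num; do
        printf 'iptables -D %s %s\n' "$1" "$num"
    done
}

# ufw's own chains, read from the "Chain ufw-..." section headers.
ufw_chains() {
    printf '%s\n' "$SAMPLE_LISTING" | awk '/^Chain ufw-/ { print $2 }'
}

# Flush every ufw chain before deleting any of them: `iptables -X` refuses to
# delete a chain that another, not yet flushed, chain still jumps to
# (here ufw-before-input still references ufw-before-logging-input).
ufw_chain_removals() {
    for c in $(ufw_chains); do printf 'iptables -F %s\n' "$c"; done
    for c in $(ufw_chains); do printf 'iptables -X %s\n' "$c"; done
}

ufw_rule_deletions INPUT
ufw_chain_removals
```

Run against a real host, the listing would come from `iptables -L -n --line-numbers` and the printed commands would be piped to `sh` once reviewed; the f2b-sshd rule and the plain ACCEPT rules never appear in the output, which is the whole point of scoping the postrm cleanup to the `ufw-` prefix instead of `iptables -F`/`-X`.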