Package: ufw
Version: 0.35-4
Severity: important

Dear Maintainer,

I configured ufw with a DENY IN and DENY OUT default position. To ease
the configuration, I created new apps placed in
/etc/ufw/applications.d/custom, as well as used some existing apps, then
allowed in and out the desired apps.

Unfortunately, some ALLOW OUT rules disappear after installing new packages
when dpkg triggers... trigger. I traced that back to the "ufw app update all"
command, which effectively disables some outgoing rules for no apparent reason.

While some rules are not as important, it is problematic to lose
outgoing traffic for a mail server because we updated some other
packages...

Here are the lines deleted in the rules file after ufw app update all:
< ### tuple ### allow tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Nginx%20Full - out
< -A ufw-user-output -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment 'dapp_Nginx%20Full'
<
< ### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 DNS - out
< -A ufw-user-output -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
< -A ufw-user-output -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
<
< ### tuple ### allow tcp 25,143,465,587,993,4190 0.0.0.0/0 any 0.0.0.0/0 Mail - out
< -A ufw-user-output -p tcp -m multiport --dports 25,143,465,587,993,4190 -j ACCEPT -m comment --comment 'dapp_Mail'

Some of the apps are custom (the "Mail" one), others are provided by ufw
or a package maintainer ('Nginx Full' or 'DNS').

Please do not hesitate to ask for further information. I think this bug
is quite critical as we really shouldn't have changes in rules not
explicitly provided by the administrator.

Regards,
Eloi

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iptables               1.6.0+snapshot20161117-6
ii  lsb-base               9.20161125
ii  python3                3.5.3-1
ii  ucf                    3.0036

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.24.0-1

-- Configuration Files:
/etc/default/ufw changed:
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"


-- debconf-show failed
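An added check for the behaviour described in this report, not part of the bug report or of ufw itself: it compares two snapshots of /etc/ufw/user.rules (taken before and after "ufw app update all") and lists the "### tuple ###" entries that vanished. The field layout assumed here (action, protocol, dport, dst, sport, src, then an optional app pair, then an optional direction) is inferred from the lines quoted above; the two snapshots are constructed sample data, with the three rules from the report in the "before" copy only.

```python
"""Report ufw application rules that disappear between two user.rules snapshots.

Assumed tuple layout (inferred from the lines quoted in the report):
    ### tuple ### action proto dport dst sport src [dapp sapp] [in|out] [...]
"""
from dataclasses import dataclass
from urllib.parse import unquote

TUPLE_PREFIX = "### tuple ###"


@dataclass(frozen=True, order=True)
class Rule:
    direction: str
    action: str
    proto: str
    dport: str
    dst: str
    sport: str
    src: str
    dapp: str  # destination application profile, "-" when none
    sapp: str  # source application profile, "-" when none


def parse_tuple(line):
    """Parse one '### tuple ###' line into a Rule; app names are %-decoded."""
    fields = line[len(TUPLE_PREFIX):].split()
    if len(fields) < 6:
        raise ValueError("malformed tuple line: %r" % line)
    action, proto, dport, dst, sport, src = fields[:6]
    rest = fields[6:]
    dapp = sapp = "-"
    # An app pair is present when the next token is not a direction keyword.
    if len(rest) >= 2 and rest[0] not in ("in", "out"):
        dapp, sapp = unquote(rest[0]), unquote(rest[1])
        rest = rest[2:]
    # ufw treats a missing direction as incoming (assumption, matches the report).
    direction = rest[0] if rest and rest[0] in ("in", "out") else "in"
    return Rule(direction, action, proto, dport, dst, sport, src, dapp, sapp)


def parse_rules(text):
    """Return the set of Rules declared by the tuple lines in a user.rules body."""
    return {parse_tuple(l) for l in text.splitlines() if l.startswith(TUPLE_PREFIX)}


def dropped_rules(before, after):
    """Rules present in the 'before' snapshot but absent from 'after', sorted."""
    return sorted(parse_rules(before) - parse_rules(after))


def describe(rule):
    """Human-readable one-liner for a dropped rule."""
    app = " (app '%s')" % rule.dapp if rule.dapp != "-" else ""
    return "%s %s %s %s -> %s%s" % (
        rule.action, rule.direction, rule.proto, rule.dport, rule.dst, app)


# Constructed snapshots: the SSH rule survives, the three outgoing app rules
# from the report are only in BEFORE.
BEFORE = """\
*filter
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
### tuple ### allow tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Nginx%20Full - out
-A ufw-user-output -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment 'dapp_Nginx%20Full'
### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 DNS - out
-A ufw-user-output -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
-A ufw-user-output -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
### tuple ### allow tcp 25,143,465,587,993,4190 0.0.0.0/0 any 0.0.0.0/0 Mail - out
-A ufw-user-output -p tcp -m multiport --dports 25,143,465,587,993,4190 -j ACCEPT -m comment --comment 'dapp_Mail'
COMMIT
"""

AFTER = """\
*filter
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # In practice: copy /etc/ufw/user.rules before and after the package run,
    # then feed both copies here instead of the constructed snapshots.
    for rule in dropped_rules(BEFORE, AFTER):
        print("DROPPED:", describe(rule))
```

Run on real snapshots (e.g. a copy of user.rules saved before an apt run and the live file afterwards), a non-empty result is the signal to restore the missing rules and to look at which dpkg trigger invoked "ufw app update all".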
