On Thu, 10 Oct 2019, Jonathan Dowland wrote:
> Package: ufw
> Version: 0.36-1
> Severity: important
>
> Dear Maintainer,
>
> Post-buster upgrade, and ufw is no longer functioning correctly. I'm using
> ip(6)tables-legacy, rather than the newer xtables stuff, for interoperability
> with docker. My ufw ruleset has several ALLOWs, e.g.
>
> # ufw status | grep 22
> 22 ALLOW Anywhere
>
> (taken when ufw is "running").
>
> However upon first starting ufw ("ufw enable"), all incoming traffic to the
> host is dropped. Via the console I can see that this is because the INPUT
> chain policy has been set to DENY, and the ufw tables are not hooked in
> properly. Excerpts from "iptables-save" after "ufw enable":
>
> *filter
> :INPUT DROP [2943:317505]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [80:9298]
> …
> -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
> …
>
> So great, my rules are encoded into the ufw-user-input table fine, but that
> table is not hooked into INPUT: iptables-save | grep "^-A INPUT" is empty.
>
I cannot reproduce on an up-to-date buster system:

$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                        Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft       20        auto mode
  1            /usr/sbin/iptables-legacy    10        manual mode
  2            /usr/sbin/iptables-nft       20        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
$ sudo ufw allow 22
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo iptables-save | grep '\-A INPUT'
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input

(note the user chains are added to the end of the before chains with '-A ufw-before-input -j ufw-user-input')

So everything is working ok. Do you have other firewall software installed? E.g., iptables-persistent or similar? Is it possible that you have software that is using the nft backend and not legacy? Is something calling iptables-legacy* directly but alternatives aren't set up correctly?

-- 
Email: ja...@strandboge.com
IRC: jdstrand
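The reply above describes the layout ufw expects in the filter table: INPUT jumps to ufw-before-input, and ufw-before-input jumps to ufw-user-input, so user ALLOW rules are only reachable when both hooks exist. The following is an added example (not part of this bug thread and not ufw's own code) that turns that into a check: it reads an iptables-save dump from stdin and reports whether the hooks are present, so the reporter's "policy DROP with no -A INPUT lines" state is caught explicitly. The two embedded dumps are constructed samples that mirror the broken output in the report and the working output in the reply; the function and variable names (ufw_hooks_ok, ufw_input_policy, diagnose, BROKEN, WORKING) are this example's own.

```shell
#!/bin/sh
# Added example: verify that ufw's chains are actually hooked into the
# filter table, using the text output of iptables-save (or iptables-legacy-save).
# On a live host, pipe the real dump in: iptables-save | ufw_hooks_ok

# ufw_hooks_ok: reads an iptables-save dump on stdin. Returns 0 when INPUT jumps
# to ufw-before-input AND ufw-before-input jumps to ufw-user-input; 1 otherwise.
ufw_hooks_ok() {
    save="$(cat)"
    printf '%s\n' "$save" | grep -q '^-A INPUT -j ufw-before-input$' || return 1
    printf '%s\n' "$save" | grep -q '^-A ufw-before-input -j ufw-user-input$' || return 1
    return 0
}

# ufw_input_policy: reads an iptables-save dump on stdin and prints the INPUT
# chain's default policy (e.g. DROP or ACCEPT) from its ":INPUT <policy> [..]" line.
ufw_input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Constructed sample (not real host output): the state described in the report.
# INPUT policy is DROP, the user rule exists, but nothing in INPUT jumps to it.
BROKEN='*filter
:INPUT DROP [2943:317505]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [80:9298]
:ufw-user-input - [0:0]
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample (not real host output): the working layout from the reply,
# with the before-chain hook and the user-chain hook both present.
WORKING='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# diagnose: takes a dump as its first argument, prints a one-line verdict and
# returns 0 (hooked) or 1 (not hooked). A DROP policy with no hook means every
# inbound packet is dropped regardless of what `ufw status` shows.
diagnose() {
    policy="$(printf '%s\n' "$1" | ufw_input_policy)"
    if printf '%s\n' "$1" | ufw_hooks_ok; then
        echo "ok: ufw chains hooked into INPUT (policy $policy)"
        return 0
    else
        echo "BROKEN: INPUT policy $policy and no jump to ufw-before-input (inbound traffic dropped)"
        return 1
    fi
}

# Stand-alone run over the two samples; replace with "$(iptables-save)" on a real host.
diagnose "$BROKEN" || true
diagnose "$WORKING"
```

If the check fails on a host where `ufw status` still lists ALLOW rules, the next thing to compare is which backend wrote the rules and which one you are reading: run the same check against both `iptables-legacy-save` and `iptables-nft-save`, since a ruleset loaded through one backend is invisible to the other.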