On Thu, 10 Oct 2019, Jonathan Dowland wrote:

> Package: ufw
> Version: 0.36-1
> Severity: important
> 
> Dear Maintainer,
> 
> Post-buster upgrade, and ufw is no longer functioning correctly. I'm using
> ip(6)tables-legacy, rather than the newer xtables stuff, for interoperability
> with docker. My ufw ruleset has several ALLOWs, e.g.
> 
>     # ufw status | grep 22
>     22                         ALLOW       Anywhere
> 
> (taken when ufw is "running").
> 
> However upon first starting ufw ("ufw enable"), all incoming traffic to the
> host is dropped. Via the console I can see that this is because the INPUT
> chain policy has been set to DENY, and the ufw tables are not hooked in
> properly. Excerpts from "iptables-save" after "ufw enable":
> 
> *filter
> :INPUT DROP [2943:317505]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [80:9298]
> …
> -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
> …
> 
> So great, my rules are encoded into the ufw-user-input table fine, but that
> table is not hooked into INPUT: iptables-save | grep "^-A INPUT" is empty.
> 

I cannot reproduce on an up to date buster system:

$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing
/usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/sbin/iptables-legacy to provide
/usr/sbin/iptables (iptables) in manual mode


$ sudo ufw allow 22
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

$ sudo iptables-save |grep '\-A INPUT'
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input

(note the user chains are added to the end of the before chains with '-A
ufw-before-input -j ufw-user-input')

So everything is working ok. Do you have other firewall software
installed? Eg, iptables-persistent or similar?

Is it possible that you have software that is using the nft backend and
not legacy? Is something calling iptables-legacy* directly but
alternatives aren't setup correctly?

-- 
Email: ja...@strandboge.com
IRC:   jdstrand
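The check the two messages above perform by hand (is ufw-user-input actually reachable from INPUT, or are the rules orphaned behind a DROP policy?) as a small added diagnostic; this is not part of the bug report or of ufw itself, and the two dumps it runs on are constructed from the excerpts in the thread, not real captures:

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or of ufw itself: classify an
# iptables-save dump by whether ufw's user chain is actually reachable from
# INPUT. The hook lines tested for are the ones the maintainer lists above.
ufw_hook_check() {
    printf '%s\n' "$1" | awk '
        /^:INPUT /                                { policy = $2 }
        /^-A INPUT -j ufw-before-input$/          { hooked = 1 }   # INPUT -> ufw-before-input
        /^-A ufw-before-input -j ufw-user-input$/ { linked = 1 }   # ufw-before-input -> ufw-user-input
        /^-A ufw-user-input /                     { rules++ }      # the rules written by "ufw allow"
        END {
            if (rules == 0)             print "no-user-rules";
            else if (hooked && linked)  print "hooked";
            else if (policy == "DROP")  print "orphaned-drop";   # the reported symptom: rules exist, INPUT drops all
            else                        print "orphaned";
        }'
}

# Constructed sample dumps (trimmed; not real captures). The first mirrors the
# excerpt in the bug report, the second the working system in the reply.
BROKEN_DUMP='*filter
:INPUT DROP [2943:317505]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [80:9298]
:ufw-user-input - [0:0]
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

WORKING_DUMP='*filter
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Pass --live to check the running host (needs root) instead of the samples.
if [ "${1:-}" = "--live" ]; then
    ufw_hook_check "$(iptables-save)"
else
    printf 'broken sample:  %s\n' "$(ufw_hook_check "$BROKEN_DUMP")"
    printf 'working sample: %s\n' "$(ufw_hook_check "$WORKING_DUMP")"
fi
```

An "orphaned-drop" verdict on a live host is exactly the state described in the report: the ALLOW rules are present but nothing in INPUT jumps to them, so the DROP policy wins.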