Bug#909163: Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable

2018-12-07 Thread Richard Laager
On Tue, 20 Nov 2018 15:40:04 -0600 Jamie Strandboge wrote:
> This issue is caused by a regression in iptables 1.8.1:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610
> 
> This is now addressed in iptables. Please upgrade to iptables 1.8.2-2 and ufw
> should start working again. If not, please file a new bug.

This does not work, even with iptables 1.8.2-2 on a Debian sid system.
Nor would I expect it to; ufw has explicit code to reject this scenario.

See also Launchpad #1368411, and specifically this comment from me with
a patch (which I have also attached):
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1368411/comments/10

-- 
Richard
Author: Richard Laager 
Description: Fix inserting IPv6 rules
 The list of ufw rules is a single list, with IPv4 rules before IPv6 rules.
 When inserting an IPv6 rule, the ufw code converts the position from the
 overall list containing both IPv4 and IPv6 rules into a position in the subset
 of IPv6 rules only.  If the specified position falls inside the IPv4 rules,
 then by definition, the desired IPv6 position is 1, but the current code
 needlessly rejects that.  This breaks fail2ban, which always uses:
   ufw insert 1 reject from ADDRESS to any
Forwarded: no
Last-Update: 2018-10-08
Bug-Ubuntu: https://launchpad.net/bugs/1368411

--- a/src/frontend.py
+++ b/src/frontend.py
@@ -454,8 +454,7 @@
 if r.position > num_v4:
 r.set_position(r.position - num_v4)
 elif r.position != 0 and r.position <= num_v4:
-pos_err_msg += str(r.position) + "'"
-raise UFWError(pos_err_msg)
+r.set_position(1)
 r.set_v6(True)
 tmp = self.backend.set_rule(r)
 elif ip_version == "both":
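
Review bot: In the `elif r.position != 0 and r.position <= num_v4:` branch, `r.set_position(1)` silently rewrites the position the caller asked for, and nothing in the code says why. Add a short comment there stating that a position inside the IPv4 block maps to the first IPv6 slot. Both lines that used `pos_err_msg` in this branch are removed, so check whether its definition is still needed elsewhere or is now dead. The `r.position <= num_v4` test is also redundant after the preceding `if r.position > num_v4:` and could be reduced to `r.position != 0`.
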
--- a/tests/ipv6/rules64/runtest.sh
+++ b/tests/ipv6/rules64/runtest.sh
@@ -156,7 +156,7 @@
 
 echo "ipv6 rule in ipv4 section" >> $TESTTMP/result
 do_cmd "0" null delete allow to ::1 port 
-do_cmd "1" null insert 2 allow to ::1 port 
+do_cmd "0" null insert 2 allow to ::1 port 
 
 echo "ipv4 rule in ipv6 section" >> $TESTTMP/result
 do_cmd "0" null delete allow to ::1 port 
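
Review bot: The changed line `do_cmd "0" null insert 2 allow to ::1 port` under "ipv6 rule in ipv4 section" now only asserts that the command exits 0; nothing in the hunk checks that the rule ended up as the first IPv6 rule, which is the behaviour the patch introduces. Suggest recording the output of `ufw status numbered` in `$TESTTMP/result` after the insert so the resulting position is part of the expected output. Only `insert 2` is exercised here; the `ufw insert 1 reject from ADDRESS to any` form that the description says fail2ban uses has no test.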
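
The position conversion described in the patch description above, modelled as an added example (not ufw's code and not part of the original message). The function names, the sample rules and the error text are constructed for illustration.

```python
# Model of ufw's combined rule list: IPv4 rules first, then IPv6 rules.
# Added illustration, not ufw's code; all names here are hypothetical.


class PositionError(Exception):
    """Pre-patch outcome when an IPv6 insert position falls in the IPv4 block."""


def v6_position(position, num_v4, patched=True):
    """Map a 1-based position in the combined list to a 1-based position
    among the IPv6 rules only. Position 0 (append) passes through."""
    if position > num_v4:
        return position - num_v4
    if position != 0:  # 1 <= position <= num_v4: inside the IPv4 block
        if not patched:
            # Constructed message; the real error text is not shown on the page.
            raise PositionError("position %d is inside the IPv4 rules" % position)
        return 1  # earliest slot an IPv6 rule can occupy
    return 0


def insert_v6(rules_v4, rules_v6, position, rule, patched=True):
    """Return the combined list after inserting an IPv6 rule at `position`."""
    pos = v6_position(position, len(rules_v4), patched)
    new_v6 = list(rules_v6)
    if pos == 0:
        new_v6.append(rule)
    else:
        new_v6.insert(pos - 1, rule)
    return list(rules_v4) + new_v6


# Constructed sample: two IPv4 rules followed by two IPv6 rules.
V4 = ["allow 22/tcp", "allow 80/tcp"]
V6 = ["allow 22/tcp (v6)", "allow 80/tcp (v6)"]
# Stand-in for what `ufw insert 1 reject from ADDRESS to any` adds for an IPv6 ADDRESS.
BAN = "reject from 2001:db8::1 (v6)"

if __name__ == "__main__":
    for position in (0, 1, 2, 3, 4):
        print("combined position", position, "-> IPv6 position",
              v6_position(position, len(V4)))
    print("patched:", insert_v6(V4, V6, 1, BAN))
    try:
        insert_v6(V4, V6, 1, BAN, patched=False)
    except PositionError as exc:
        print("pre-patch:", exc)
```

With the pre-patch behaviour, every ban for an IPv6 address is rejected as soon as one IPv4 rule exists, so the ban is never installed.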


Bug#913112: Info received (Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable)

2018-12-07 Thread Jamie Strandboge
Fyi, I reopened this since it was accidentally closed. I plan on looking at
this bug, so hopefully we can close it for real soon. :)

-- 
Jamie Strandboge | http://www.canonical.com




Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable

2018-12-07 Thread Jamie Strandboge
reopen 909163 =




Bug#911986: closed by Jamie Strandboge (Re: Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable)

2018-11-20 Thread Anuprita Duggal
I can confirm that the issue has been resolved in the latest release.
Thanks for the help

On Wed, 21 Nov 2018, 03:12 Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the ufw package:
>
> #911986: ufw is disabled on startup after the most recent update. also ufw
> enable returns "ERROR: could not load logging rules". ufw reload tells me
> that the firewall is inactive. if i run ufw status after the failed ufw
> command it does show that the firewall is active but ufw reload still fails
>
> It has been closed by Jamie Strandboge .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Jamie Strandboge <
> ja...@canonical.com> by
> replying to this email.
>
>
> --
> 911986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911986
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
>
> -- Forwarded message --
> From: Jamie Strandboge 
> To: 913112-d...@bugs.debian.org, 909163-d...@bugs.debian.org,
> 911986-d...@bugs.debian.org, 912418-d...@bugs.debian.org
> Cc: Debian Bug Tracking System 
> Bcc:
> Date: Tue, 20 Nov 2018 15:40:04 -0600
> Subject: Re: Bug#913112: ufw all traffic blocked, icmp-type + logging
> error on enable
> This issue is caused by a regression in iptables 1.8.1:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610
>
> This is now addressed in iptables. Please upgrade to iptables 1.8.2-2 and
> ufw
> should start working again. If not, please file a new bug.
>
> Thanks!
>
> --
> Jamie Strandboge | http://www.canonical.com
>
>
>
> -- Forwarded message --
> From: Aryan 
> To: Debian Bug Tracking System 
> Cc:
> Bcc:
> Date: Fri, 26 Oct 2018 21:23:54 +0100
> Subject: ufw is disabled on startup after the most recent update. also ufw
> enable returns "ERROR: could not load logging rules". ufw reload tells me
> that the firewall is inactive. if i run ufw status after the failed ufw
> command it does show that the firewall is active but ufw reload still fails
> Package: ufw
> Version: 0.35-6
> Severity: important
> Tags: a11y
>
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386, i686
>
> Kernel: Linux 4.19.0+ (SMP w/4 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages ufw depends on:
> ii  debconf [debconf-2.0]  1.5.69
> ii  iptables               1.8.1-2
> ii  lsb-base               9.20170808
> ii  python3                3.6.7-1
> ii  ucf                    3.0038
>
> ufw recommends no packages.
>
> Versions of packages ufw suggests:
> ii  rsyslog  8.38.0-1+b1
>
> -- Configuration Files:
> /etc/default/ufw changed:
> IPV6=yes
> DEFAULT_INPUT_POLICY="REJECT"
> DEFAULT_OUTPUT_POLICY="ACCEPT"
> DEFAULT_FORWARD_POLICY="DROP"
> DEFAULT_APPLICATION_POLICY="SKIP"
> MANAGE_BUILTINS=no
> IPT_SYSCTL=/etc/ufw/sysctl.conf
> IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
>
>
> -- debconf information:
>   ufw/allow_known_ports:
>   ufw/allow_custom_ports:
>   ufw/enable: true
> * ufw/existing_configuration:
>


Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable

2018-11-20 Thread Jamie Strandboge
This issue is caused by a regression in iptables 1.8.1:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610

This is now addressed in iptables. Please upgrade to iptables 1.8.2-2 and ufw
should start working again. If not, please file a new bug.

Thanks!

-- 
Jamie Strandboge | http://www.canonical.com




Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable

2018-11-06 Thread Linuxonlinehelp
Package: ufw
Version: 0.35-6
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  iptables               1.8.1-2
ii  lsb-base               9.20170808
ii  python3                3.6.7-1
ii  ucf                    3.0038

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.39.0-1

-- debconf information:
  ufw/existing_configuration:
  ufw/allow_custom_ports:
  ufw/allow_known_ports:
  ufw/enable: false


#
Log:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore v1.8.1 (nf_tables): unknown option "--icmp-type"
Error occurred at line: 35
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.1 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 38
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/before6.rules'

ufw on boot OFF !!!

after remove all icmp entries ufw enable echoes logging error but clean set! to low

Need an urgent fix!