[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
This bug was fixed in the package ufw - 0.36-0ubuntu0.18.10.1

---
ufw (0.36-0ubuntu0.18.10.1) cosmic-proposed; urgency=medium

  * Backport to cosmic addressing the following SRU bugs:
    - LP: #1811129 - master SRU bug
    - LP: #1664133 - before6.rules: echo-reply needs to be before INVALID
    - LP: #1719211 - improve interface name checks
    - LP: #1775043 - shell-completion/bash: adjust for modern bash
    - LP: #1204579 - support concurrent updates
    - LP: #1368411 - add 'prepend' command

 -- Jamie Strandboge  Mon, 25 Mar 2019 20:46:10 +

** Changed in: ufw (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1368411

Title:
  Cannot insert IPV6 rule before IPV4 rules

Status in ufw:
  Fix Released
Status in ufw package in Ubuntu:
  Fix Released
Status in ufw source package in Bionic:
  Fix Released
Status in ufw source package in Cosmic:
  Fix Released
Status in ufw source package in Disco:
  Fix Released
Status in ufw package in Debian:
  Fix Released

Bug description:
  [Impact]

  ufw's 'insert' command is designed to work with 'ufw status numbered' to insert rules in specific places in the ruleset. This makes it more difficult than it should be for using ufw as part of an IPS/dynamic firewall (eg, fail2ban) since if the firewall already has an IPv4 rule then the user/IPS must calculate the position of an IPv6-only rule before inserting it.

  From the git commit:
  "
  add 'prepend' command

  Introduce 'prepend' command to add rules to the top of the IPv4 and/or IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg, fail2ban). Unlike 'insert', 'prepend' does not require knowledge about the IPv6 rule number so integration into IPS is much easier.
  "

  [Test Case]

  $ sudo ufw allow 22/tcp
  $ sudo ufw allow from 1.2.3.4
  $ sudo ufw allow from 2001:db8::/32
  $ sudo ufw enable
  $ sudo ufw status numbered
  ...
  [ 1] 22/tcp                     ALLOW IN    Anywhere
  [ 2] Anywhere                   ALLOW IN    1.2.3.4
  [ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

  # unchanged from 0.35
  $ sudo ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  ERROR: Invalid position '1'

  # new in 0.36
  $ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  $ sudo ufw prepend deny from 6.7.8.9
  $ sudo ufw status numbered
  ...
  [ 1] Anywhere                   DENY IN     6.7.8.9
  [ 2] 22/tcp                     ALLOW IN    Anywhere
  [ 3] Anywhere                   ALLOW IN    1.2.3.4
  [ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
  [ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32

  [Regression Potential]

  ufw has a clean methodology for adding new commands so while frontend.py necessarily has some logic changes to calculate where to insert the rule (ie, if IPv4 at the top, if IPv6 before other IPv6 rules and if both, both), the changes were minimal and only are used if 'prepend' is specified (so people only using the previous command set should be fine).

  [Other Info]

  The ufw prepend command is new in 0.36 and thus only available in Debian, Ubuntu disco and the ufw snap for a few weeks. The snap is known to work with fail2ban and the prepend command in production environments since it was available.

  = Original description =

  I am unable to insert any rules concerning IPV6 before IPV4 rules. Thus, when IPV4 rules are numbered 1 to 5 and IPV6 rules are numbered 6 to 10, the following command:

  [code]
  ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]

  errors with "ERROR: Invalid position '1'". However, the command

  [code]
  ufw insert 6 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]

  succeeds.

  In my case, this poses a problem, since I am trying to insert rules from a script against brute force attacks. The script needs to insert blocking rules before a number of other rules that open up some ports (since the order of rules is important in ufw). However since the number of IPV4 rules will be changing all the time, the position of the first available number for an IPV6 address is hard to determine.

  Proposed solution: either allow IPV6 rules to precede IPV4 rules, or implement a keyword defining the first available position; e.g. "ufw insert first deny from 2a02:2210:12:a:b820:fff:fea2:25d1".

  BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu 12.04.5 LTS,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/1368411/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe :
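The position calculation that the bug description says an IPS must do before 0.36, next to the 'prepend' form that removes it, as an added example (not code from this thread or from ufw). The function names are hypothetical, the status text is a constructed sample in the layout of the test case, and detecting IPv6 rules by the "(v6)" marker or an IPv6 literal is an assumption about the status output.

```python
import ipaddress
import re

# Constructed sample of `ufw status numbered` output (same rules as the
# test case in the bug description); not captured from a real host.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32
"""

RULE_LINE = re.compile(r"^\[\s*(\d+)\]\s+(.+)$")


def is_v6_rule(rule_text):
    """Assumption: an IPv6 rule shows '(v6)' or contains an IPv6 literal."""
    if "(v6)" in rule_text:
        return True
    for token in rule_text.split():
        try:
            if ipaddress.ip_network(token, strict=False).version == 6:
                return True
        except ValueError:
            continue  # ports, actions, 'Anywhere', ...
    return False


def parse_numbered(status_text):
    """Return [(rule_number, family)] with family 4 or 6, in listing order."""
    rules = []
    for line in status_text.splitlines():
        match = RULE_LINE.match(line.strip())
        if match:
            family = 6 if is_v6_rule(match.group(2)) else 4
            rules.append((int(match.group(1)), family))
    return rules


def first_position(status_text, family):
    """Number of the first rule of this address family, or None if none exist."""
    for number, rule_family in parse_numbered(status_text):
        if rule_family == family:
            return number
    return None


def has_prepend(package_version):
    """'prepend' is new in 0.36; compare the upstream part of the version."""
    match = re.match(r"(\d+)\.(\d+)", package_version)
    if not match:
        raise ValueError("unrecognised ufw version: %r" % package_version)
    return (int(match.group(1)), int(match.group(2))) >= (0, 36)


def block_command(source, status_text, package_version):
    """Build the argv that puts a deny rule ahead of existing rules.

    `source` usually comes from log parsing, so it is validated with
    ipaddress (ValueError on anything else) and returned as an argv list,
    never as a shell string.
    """
    net = ipaddress.ip_network(source, strict=False)
    target = str(net.network_address) if net.num_addresses == 1 else str(net)
    if has_prepend(package_version):
        # 0.36+: no rule numbers needed for either family.
        return ["ufw", "prepend", "deny", "from", target]
    position = first_position(status_text, net.version)
    if position is None:
        # No rule of this family yet: a plain add is already first in its chain.
        return ["ufw", "deny", "from", target]
    # Pre-0.36: the position must point at a rule of the same family.
    return ["ufw", "insert", str(position), "deny", "from", target]


if __name__ == "__main__":
    for version in ("0.35-6", "0.36-0ubuntu0.18.04.1"):
        for addr in ("6.7.8.9", "2a02:2210:12:a:b820:fff:fea2:25d1"):
            print(version, " ".join(block_command(addr, SAMPLE_STATUS, version)))
```

On the pre-0.36 path the rule number is only valid for the status snapshot it was computed from, so the status read and the insert have to happen without another ruleset change in between.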
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
This bug was fixed in the package ufw - 0.36-0ubuntu0.18.04.1

---
ufw (0.36-0ubuntu0.18.04.1) bionic-proposed; urgency=medium

  * Backport to bionic addressing the following SRU bugs:
    - LP: #1811129 - master SRU bug
    - LP: #1664133 - before6.rules: echo-reply needs to be before INVALID
    - LP: #1719211 - improve interface name checks
    - LP: #1775043 - shell-completion/bash: adjust for modern bash
    - LP: #1204579 - support concurrent updates
    - LP: #1368411 - add 'prepend' command

 -- Jamie Strandboge  Mon, 25 Mar 2019 21:14:25 +

** Changed in: ufw (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
The fix works as expected in B/C:

#COSMIC
ubuntu@c-ufw:~$ dpkg -l | grep ufw
ii  ufw  0.36-0ubuntu0.18.10.1  all  program for managing a Netfilter firewall
ubuntu@c-ufw:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         --
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

ubuntu@c-ufw:~$ sudo ufw prepend deny from 6.7.8.9
Rule inserted
ubuntu@c-ufw:~$ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
Rule inserted (v6)
ubuntu@c-ufw:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         --
[ 1] Anywhere                   DENY IN     6.7.8.9
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   ALLOW IN    1.2.3.4
[ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32

#BIONIC
ubuntu@b-ufw:~$ dpkg -l | grep ufw
ii  ufw  0.36-0ubuntu0.18.04.1  all  program for managing a Netfilter firewall
ubuntu@b-ufw:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         --
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

ubuntu@b-ufw:~$ sudo ufw prepend allow from 2001:db8::/32
Skipping inserting existing rule (v6)
ubuntu@b-ufw:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         --
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

ubuntu@b-ufw:~$ sudo ufw prepend deny from 6.7.8.9
Rule inserted
ubuntu@b-ufw:~$ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
Rule inserted (v6)
ubuntu@b-ufw:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         --
[ 1] Anywhere                   DENY IN     6.7.8.9
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   ALLOW IN    1.2.3.4
[ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Tested this is fixed in cosmic:

$ apt-cache policy ufw
ufw:
  Installed: 0.36-0ubuntu0.18.10.1
  Candidate: 0.36-0ubuntu0.18.10.1
  Version table:
 *** 0.36-0ubuntu0.18.10.1 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.35-6 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main i386 Packages

** Tags removed: verification-needed verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done verification-done-bionic verification-done-cosmic
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Verified this is fixed in bionic:

$ apt-cache policy ufw
ufw:
  Installed: 0.36-0ubuntu0.18.04.1
  Candidate: 0.36-0ubuntu0.18.04.1
  Version table:
 *** 0.36-0ubuntu0.18.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.35-5 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/main i386 Packages
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Hello babipanghang, or anyone else affected,

Accepted ufw into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ufw/0.36-0ubuntu0.18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: ufw (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-cosmic

** Changed in: ufw (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
FYI, I've reuploaded 0.36 to bionic-proposed and cosmic-proposed after updating the master bug's description.
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Ubuntu Bionic)
       Status: Triaged => In Progress

** Changed in: ufw (Ubuntu Cosmic)
       Status: Triaged => In Progress

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1368411

Title:
  Cannot insert IPV6 rule before IPV4 rules

Status in ufw: Fix Released
Status in ufw package in Ubuntu: Fix Released
Status in ufw source package in Bionic: In Progress
Status in ufw source package in Cosmic: In Progress
Status in ufw source package in Disco: Fix Released
Status in ufw package in Debian: Fix Released

Bug description:

  [Impact]

  ufw's 'insert' command is designed to work with 'ufw status numbered' to
  insert rules in specific places in the ruleset. This makes it more
  difficult than it should be for using ufw as part of an IPS/dynamic
  firewall (eg, fail2ban) since if the firewall already has an IPv4 rule
  then the user/IPS must calculate the position of an IPv6-only rule
  before inserting it.

  From the git commit:

  "
  add 'prepend' command

  Introduce 'prepend' command to add rules to the top of the IPv4 and/or
  IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg,
  fail2ban). Unlike 'insert', 'prepend' does not require knowledge about
  the IPv6 rule number so integration into IPS is much easier.
  "

  [Test Case]

  $ sudo ufw allow 22/tcp
  $ sudo ufw allow from 1.2.3.4
  $ sudo ufw allow from 2001:db8::/32
  $ sudo ufw enable
  $ sudo ufw status numbered
  ...
  [ 1] 22/tcp                     ALLOW IN    Anywhere
  [ 2] Anywhere                   ALLOW IN    1.2.3.4
  [ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

  # unchanged from 0.35
  $ sudo ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  ERROR: Invalid position '1'

  # new in 0.36
  $ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  $ sudo ufw prepend deny from 6.7.8.9
  $ sudo ufw status numbered
  ...
  [ 1] Anywhere                   DENY IN     6.7.8.9
  [ 2] 22/tcp                     ALLOW IN    Anywhere
  [ 3] Anywhere                   ALLOW IN    1.2.3.4
  [ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
  [ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32

  [Regression Potential]

  ufw has a clean methodology for adding new commands so while frontend.py
  necessarily has some logic changes to calculate where to insert the rule
  (ie, if IPv4 at the top, if IPv6 before other IPv6 rules and if both,
  both), the changes were minimal and only are used if 'prepend' is
  specified (so people only using the previous command set should be
  fine).

  [Other Info]

  The ufw prepend command is new in 0.36 and thus only available in
  Debian, Ubuntu disco and the ufw snap for a few weeks. The snap is known
  to work with fail2ban and the prepend command in production environments
  since it was available.

  = Original description =

  I am unable to insert any rules concerning IPV6 before IPV4 rules. Thus,
  when IPV4 rules are numbered 1 to 5 and IPV6 rules are numbered 6 to 10,
  the following command:

  [code]
  ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]

  errors with "ERROR: Invalid position '1'".

  However, the command

  [code]
  ufw insert 6 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]

  succeeds.

  In my case, this poses a problem, since I am trying to insert rules from
  a script against brute force attacks. The script needs to insert
  blocking rules before a number of other rules that open up some ports
  (since the order of rules is important in ufw). However since the number
  of IPV4 rules will be changing all the time, the position of the first
  available number for an IPV6 address is hard to determine.

  Proposed solution: either allow IPV6 rules to precede IPV4 rules, or
  implement a keyword defining the first available position; e.g. "ufw
  insert first deny from 2a02:2210:12:a:b820:fff:fea2:25d1".
  BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu 12.04.5 LTS,
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Description changed: + [Impact] + + ufw's 'insert' command is designed to work with 'ufw status numbered' to + insert rules in specific places in the ruleset. This makes it more + difficult than it should be for using ufw as part of an IPS/dynamic + firewall (eg, fail2ban) since if the firewall already has an IPv4 rule + then the user/IPS must calculate the position of an IPv6-only rule + before inserting it. + + From the git commit: + + " + add 'prepend' command + + Introduce 'prepend' command to add rules to the top of the IPv4 and/or + IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg, + fail2ban). Unlike 'insert', 'prepend' does not require knowledge about + the IPv6 rule number so integration into IPS is much easier. + " + + [Test Case] + + $ sudo ufw allow 22/tcp + $ sudo ufw allow from 1.2.3.4 + $ sudo ufw allow from 2001:db8::/32 + $ sudo ufw enable + $ sudo ufw status numbered + ... + [ 1] 22/tcp ALLOW INAnywhere + [ 2] Anywhere ALLOW IN1.2.3.4 + [ 3] 22/tcp (v6)ALLOW INAnywhere (v6) + [ 4] Anywhere (v6) ALLOW IN2001:db8::/32 + + # unchanged from 0.35 + $ sudo ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1 + ERROR: Invalid position '1' + + # new in 0.36 + $ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1 + $ sudo ufw prepend deny from 6.7.8.9 + $ sudo ufw status numbered + ... + [ 1] Anywhere DENY IN 6.7.8.9 + [ 2] 22/tcp ALLOW INAnywhere + [ 3] Anywhere ALLOW IN1.2.3.4 + [ 4] Anywhere (v6) DENY IN 2a02:2210:12:a:b820:fff:fea2:25d1 + [ 5] 22/tcp (v6)ALLOW INAnywhere (v6) + [ 6] Anywhere (v6) ALLOW IN2001:db8::/32 + + [Regression Potential] + + ufw has a clean methodology for adding new commands so while frontend.py + necessarily has some logic changes to calculate where to insert the rule + (ie, if IPv4 at the top, if IPv6 before other IPv6 rules and if both, + both), the changes were minimal and only are used if 'prepend' is + specified (so people only using the previous command set should be + fine). 
+ + [Other Info] + + The ufw prepend command is new in 0.36 and thus only available in + Debian, Ubuntu disco and the ufw snap for a few weeks. The snap is known + to work with fail2ban and the prepend command in production environments + since it was available. + + + = Original description = + I am unable to insert any rules concerning IPV6 before IPV4 rules. Thus, when IPV4 rules are numbered 1 to 5 and IPV6 rules are numbered 6 to 10, the following command: [code] ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1 [/code] errors with "ERROR: Invalid position '1'". However, the command [code] ufw insert 6 deny from 2a02:2210:12:a:b820:fff:fea2:25d1 [/code] succeeds. In my case, this poses a problem, since I am trying to insert rules from a script against brute force attacks. The script needs to insert blocking rules before a number of other rules that open up some ports (since the order of rules is important in ufw). However since the number of IPV4 rules will be changing all the time, the position of the first available number for an IPV6 address is hard to determine. Proposed solution: either allow IPV6 rules to precede IPV4 rules, or implement a keyword defining the first available position; e.g. "ufw insert first deny from 2a02:2210:12:a:b820:fff:fea2:25d1". BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu 12.04.5 LTS, -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu. 
https://bugs.launchpad.net/bugs/1368411

Title:
  Cannot insert IPV6 rule before IPV4 rules

Status in ufw: Fix Released
Status in ufw package in Ubuntu: Fix Released
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: Fix Released
Status in ufw package in Debian: Fix Released
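Review bot: the [Test Case] added in this description change only shows 'insert 1' being rejected and the two 'prepend' calls, while [Regression Potential] rests on the claim that the new logic is only used if 'prepend' is specified. Add a step that runs a previously valid positional insert for the IPv6 address on the same ruleset and shows in 'ufw status numbered' that it still succeeds and lands where expected, so the verification covers the old command set as well as the new one. The [Other Info] sentence "only available in Debian, Ubuntu disco and the ufw snap for a few weeks" would also read more clearly if it said since when.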
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Debian)
       Status: New => Fix Released

Status in ufw: Fix Released
Status in ufw package in Ubuntu: Fix Released
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: Fix Released
Status in ufw package in Debian: Fix Released
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
This bug was fixed in the package ufw - 0.36-1

---
ufw (0.36-1) unstable; urgency=medium

  * New upstream release (LP: #1782384, LP: #1664133, LP: #1509725,
    LP: #1695718, LP: #1719211, LP: #1775043, LP: #1204579, LP: #1652163,
    LP: #1377600, Closes: 686248, LP: #1368411, LP: #1586258,
    Closes: 909163, Closes: 884932, LP: #1558068)
    - drop 0002-bug849628.patch (included upstream)
    - drop 0003-use-default-tcp-syncookies.patch (included upstream)
    - drop 0004-lp1633698.patch (included upstream)
  * Remaining changes:
    - 0001-optimize-boot.patch
  * debian/ufw.maintscript: remove /etc/bash_completion.d/ufw on upgrade
    (LP: #1602834)
  * debian/control: remove no longer needed xs-python-version and
    x-python3-version fields
  * update debian/before6.rules.md5sum for file shipped in 0.35-6. While both
    before.rules and before6.rules were updated in this new upstream release,
    0.35-6 mistakenly already had its own md5sum for before.rules, so we
    don't need to add it now.

 -- Jamie Strandboge Fri, 14 Dec 2018 17:50:47 +

** Changed in: ufw (Ubuntu Disco)
       Status: In Progress => Fix Released

Status in ufw: Fix Released
Status in ufw package in Ubuntu: Fix Released
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: Fix Released
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
This is fixed in the new 0.36 release.

** Changed in: ufw
       Status: Fix Committed => Fix Released

Status in ufw: Fix Released
Status in ufw package in Ubuntu: In Progress
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: In Progress
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw
   Importance: Undecided => Low

** Changed in: ufw
   Importance: Low => Medium

** Changed in: ufw (Ubuntu Disco)
       Status: Triaged => In Progress

Status in ufw: Fix Committed
Status in ufw package in Ubuntu: In Progress
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: In Progress
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: ufw (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Also affects: ufw (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: ufw (Ubuntu Disco)
   Importance: Medium
     Assignee: Jamie Strandboge (jdstrand)
       Status: Triaged

** Also affects: ufw (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: ufw (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: ufw (Ubuntu Cosmic)
       Status: New => Triaged

** Changed in: ufw (Ubuntu Cosmic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: ufw (Ubuntu Bionic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: ufw (Ubuntu Cosmic)
   Importance: Undecided => Medium

** Changed in: ufw (Ubuntu Bionic)
   Importance: Undecided => Medium

Status in ufw: Fix Committed
Status in ufw package in Ubuntu: Triaged
Status in ufw source package in Bionic: Triaged
Status in ufw source package in Cosmic: Triaged
Status in ufw source package in Disco: Triaged
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw
       Status: In Progress => Fix Committed

Status in ufw: Fix Committed
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Thanks for all the feedback! FYI, since '1' in ufw corresponds to the
literal rule number '1', this is going to be implemented with a new
'prepend' command. Eg:

$ sudo ufw allow 22/tcp
$ sudo ufw allow from 1.2.3.4
$ sudo ufw allow from 2001:db8::/32
$ sudo ufw status numbered
...
[1] 22/tcp                     ALLOW IN    Anywhere
[2] Anywhere                   ALLOW IN    1.2.3.4
[3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[4] Anywhere (v6)              ALLOW IN    2001:db8::/32

$ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
$ sudo ufw prepend deny from 6.7.8.9
$ sudo ufw status numbered
...
[1] Anywhere                   DENY IN     6.7.8.9
[2] 22/tcp                     ALLOW IN    Anywhere
[3] Anywhere                   ALLOW IN    1.2.3.4
[4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
[5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[6] Anywhere (v6)              ALLOW IN    2001:db8::/32

Status in ufw: In Progress
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: New
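The position problem from the original report and the 'prepend' answer above, as an added shell example (not part of this thread and not ufw's own code). The function names and the yes/no "have prepend" flag are hypothetical, the listing is a constructed sample in the format shown in the thread, and IPv6 rules are assumed to be recognisable by the "(v6)" marker as in that listing. The functions print the ufw command instead of running it.

```shell
#!/bin/sh
# Pick the ufw command that places a deny rule ahead of the existing rules
# of its own address family, for a blocking script of the kind the reporter
# describes.

# Constructed sample in the 'ufw status numbered' format quoted in the thread.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32'

# first_position v4|v6 < listing
# Print the number of the first rule of that family, or nothing if there is
# none. Assumption: a rule line is IPv6 exactly when it carries "(v6)".
first_position() {
    awk -v fam="$1" '
        /^\[ *[0-9]+\]/ {
            is6 = (index($0, "(v6)") > 0)
            if ((fam == "v6") == is6) {
                n = $0
                sub(/^\[ */, "", n)
                sub(/\].*/, "", n)
                print n
                exit
            }
        }'
}

# block_command ADDR HAVE_PREPEND < listing
# HAVE_PREPEND is "yes" where 'prepend' exists (ufw 0.36 per the thread).
block_command() {
    addr=$1
    have_prepend=$2

    # The address normally comes from a log line, so accept only characters
    # that can occur in an IPv4/IPv6 address or prefix before it is placed
    # on a command line.
    case "$addr" in
        ''|*[!0-9A-Fa-f:./]*)
            echo "refusing address: $addr" >&2
            return 2 ;;
    esac

    if [ "$have_prepend" = yes ]; then
        # No rule number needed for either family.
        echo "ufw prepend deny from $addr"
        return 0
    fi

    # Without 'prepend', the position has to be the literal number of the
    # first rule of the same family, which shifts as IPv4 rules come and go.
    case "$addr" in
        *:*) fam=v6 ;;
        *)   fam=v4 ;;
    esac
    pos=$(first_position "$fam")
    if [ -n "$pos" ]; then
        echo "ufw insert $pos deny from $addr"
    else
        # No rule of this family yet: an appended rule is the first one.
        echo "ufw deny from $addr"
    fi
}

# Demo on the constructed listing, using the addresses from the thread.
for a in 6.7.8.9 2a02:2210:12:a:b820:fff:fea2:25d1; do
    printf '%s\n' "$SAMPLE_STATUS" | block_command "$a" no
    printf '%s\n' "$SAMPLE_STATUS" | block_command "$a" yes
done
```

The listing must be re-read immediately before each insert, since any rule added in between changes the IPv6 offset; 'prepend' removes that race.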
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw
       Status: New => In Progress

** Changed in: ufw
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

Status in ufw: In Progress
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Debian)
       Status: Fix Released => New

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Debian)
       Status: New => Fix Released

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: Fix Released
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Debian)
       Status: Unknown => New

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: New
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Bug watch added: Debian Bug tracker #909163
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909163

** Also affects: ufw (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909163
   Importance: Unknown
       Status: Unknown

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: Unknown
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Attached is an updated version of the patch that builds. The previous one was failing because there's a test case that makes sure an "insert 2" of an IPv6 rule fails. That's enforcing the existence of the behavior that here we are arguing is a bug.

** Patch added: "Updated patch"
   https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1368411/+attachment/5198885/+files/0005-lp1368411.patch

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
The attachment "0005-lp1368411.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Taking into account the two proposed patches, and what I believe the code to be doing, attached is a patch I believe is suitable for inclusion.

** Patch added: "0005-lp1368411.patch"
   https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1368411/+attachment/5198539/+files/0005-lp1368411.patch

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Tags removed: upgrade-software-version

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
That ppa can be helpful to get feedback ppa:jdstrand/ufw-daily

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Please upgrade https://bazaar.launchpad.net/~jdstrand/ufw/ufw-master-import/view/head:/ChangeLog?sort=date

** Tags added: artful bionic trusty upgrade-software-version xenial

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Over three years, actually. Coming up on four. Wow.

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Given the growing prevalence of IPv6 connectivity, this is a huge problem for this package. This bug has been open for nearly three years. Why is this still here?

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Also affects: ufw
   Importance: Undecided
   Status: New

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
How is this still an issue? I tried the patch with 0.35-0ubuntu2 in xenial: + if r.position != 0 and r.position <= num_v4: + r.position = num_v4 + 1 And it works perfectly. Couldn't this be merged as there is no obvious downside on recalculating the rule position for IPv6 addresses?

Status in ufw package in Ubuntu: Confirmed
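Review bot: the two added lines rewrite any IPv6 position that falls in the IPv4 range to `num_v4 + 1` without telling the caller, so `ufw insert 1 deny from <v6 address>` succeeds but the rule lands at the top of the IPv6 rules rather than at the number that was asked for. That is a silent change in what `insert` means; describe it wherever `insert` is documented, and update the test case mentioned elsewhere in this thread that expects an "insert 2" of an IPv6 rule to fail.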
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Ubuntu)
   Status: Triaged => Confirmed

Status in ufw package in Ubuntu: Confirmed
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
Hi Frank, your patch did not work for me. I did it this way: --- frontend.bak2016-03-01 16:21:22.0 +0100 +++ frontend.py 2016-03-01 16:26:23.0 +0100 
@@ -403,6 +403,8 @@ r.set_v6(False) tmp = self.backend.set_rule(r) elif ip_version == "v6": +if r.position != 0 and r.position <= num_v4: +r.position = num_v4 + 1 if r.position > num_v4: r.set_position(r.position - num_v4) elif r.position != 0 and r.position <= num_v4:

Status in ufw package in Ubuntu: Triaged
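Review bot: after the added clamp, the unchanged `elif r.position != 0 and r.position <= num_v4:` context line at the end of the hunk can never be true, because every such position has already been set to `num_v4 + 1` and takes the `if r.position > num_v4:` branch. Remove the dead branch in the same patch, or fold the clamp into the existing if/elif so the control flow stays readable. Also prefer `r.set_position(num_v4 + 1)` over assigning `r.position` directly, to match the setter used two lines below.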
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
This is my solution. --- ufw-0.34/src/frontend.py2015-08-20 20:10:26.0 +0200 +++ ufw-0.34/src/frontend.py2015-12-21 09:46:25.311587993 +0100 
@@ -451,7 +451,7 @@ class UFWFrontend: elif ip_version == "v6": if r.position > num_v4: r.set_position(r.position - num_v4) -elif r.position != 0 and r.position <= num_v4: +elif r.position != 0 and r.position > num_v4+num_v6: pos_err_msg += str(r.position) + "'" raise UFWError(pos_err_msg) r.set_v6(True)

Status in ufw package in Ubuntu: Triaged
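Review bot: the new condition `r.position > num_v4+num_v6` sits in an `elif` that is only reached when `r.position > num_v4` is false, so it can never be true and the `raise UFWError(pos_err_msg)` under it becomes unreachable. If the intent is to reject positions past the end of the combined list, that check has to come before the `if r.position > num_v4:` test. As written, positions 1 through num_v4 also fall through to `r.set_v6(True)` with `r.position` unchanged, and the hunk does not show how that number is then interpreted for the IPv6 rules; state the intended mapping in a comment. `num_v6` is not defined anywhere in the visible context either.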
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Ubuntu)
   Status: Confirmed => Triaged

Status in ufw package in Ubuntu: Triaged
[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules
** Changed in: ufw (Ubuntu)
   Status: New => Confirmed

** Changed in: ufw (Ubuntu)
   Importance: Undecided => Medium

Status in ufw package in Ubuntu: Confirmed