Public bug reported:

The default before6.rules file that is installed with the ufw package
contains a copy/paste error. It is apparent that the intention is to add
rules for echo-request and echo-response to the following chains:

ufw6-before-input
ufw6-before-output
ufw6-before-forward

However there is a copy/paste error and instead of adding the rules to
ufw6-before-output, it adds it to ufw6-before-input a second time. The
result is that the rules are absent from ufw6-before-output.

The file that needs to be fixed in the package is:
/usr/share/ufw/iptables/before6.rules

Here is what diff -u shows if I compare the original file to the
corrected version:

--- /usr/share/ufw/iptables/before6.rules       2016-04-15 17:16:29.000000000 
+1200
+++ ufw_fixed_before6.rules     2016-10-15 23:00:57.763041239 +1300
@@ -77,8 +77,8 @@
 -A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 # codes 0-2
 -A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl 
--hl-eq 255 -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl 
--hl-eq 255 -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl 
--hl-eq 255 -j ACCEPT
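Review bot: before merging, confirm that ufw6-before-input keeps its own echo-request and echo-reply ACCEPT rules earlier in the file, since the two removed lines are the only ones naming that chain in this hunk and the report's statement that they are a second copy cannot be checked from these eight lines. The header timestamp and the three `-m hl --hl-eq 255` context lines are also wrapped by the mail client, so the inline diff will not apply with patch as pasted; take the change from the attached tarball instead. A short comment above the two new lines, in the style of the existing `# codes 0-2`, would make the intended chain obvious to the next editor.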

The impact of this error is minor because the ufw.conf file sets the default 
outbound policy to accept:
DEFAULT_OUTPUT_POLICY="ACCEPT"

Of course if anyone changed the default outbound policy then the error
would mean that pings made from the server to other machines would be
blocked.

I will attach the original and my fixed version of before6.rules to this
bug report.

Thanks for taking the time to look at this issue.

Nick.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: ufw 0.35-2
ProcVersionSignature: Ubuntu 4.8.0-22.24-generic 4.8.0
Uname: Linux 4.8.0-22-generic i686
ApportVersion: 2.20.3-0ubuntu8
Architecture: i386
Date: Sat Oct 15 23:09:04 2016
InstallationDate: Installed on 2016-10-14 (1 days ago)
InstallationMedia: Ubuntu-Server 16.10 "Yakkety Yak" - Release i386 (20161012.1)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 yakkety

** Attachment added: "Original and fixed versions of before6.rules"
   
https://bugs.launchpad.net/bugs/1633698/+attachment/4761441/+files/ufw_original_and_fixed_before6.rules.tar.gz

https://bugs.launchpad.net/bugs/1633698

Title:
  ufw before6.rules adds echo-request and echo-response rules to wrong
  chain

Status in ufw package in Ubuntu:
  New
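
A check for the class of error described in this report, as an added example that is not part of the original bug report or of ufw: it flags `-A` rules that appear more than once and reports which of the three chains lacks an ACCEPT rule for echo-request or echo-reply. The function name `audit_rules`, its `output_policy` parameter and the reduced sample file are assumptions made for the illustration; the sample's forward-chain lines are constructed in the same syntax as the lines quoted in the diff.

```python
import re
from collections import Counter

# Constructed sample: a reduced before6.rules reproducing the duplicated
# ufw6-before-input lines from the report (not the full packaged file).
SAMPLE_RULES = """\
*filter
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
COMMIT
"""

CHAINS = ("ufw6-before-input", "ufw6-before-output", "ufw6-before-forward")
TYPES = ("echo-request", "echo-reply")
RULE_RE = re.compile(r"^-A\s+(\S+)\s.*--icmpv6-type\s+(\S+)")


def audit_rules(text, output_policy="ACCEPT"):
    """Report duplicated -A rules and chains missing an echo ACCEPT rule."""
    # Collapse whitespace so re-indented copies of a rule still compare equal.
    rules = [" ".join(line.split()) for line in text.splitlines()
             if line.strip().startswith("-A ")]
    duplicates = sorted(r for r, n in Counter(rules).items() if n > 1)

    present = set()
    for rule in rules:
        m = RULE_RE.match(rule)
        if m and rule.endswith("-j ACCEPT"):
            present.add((m.group(1), m.group(2)))
    missing = [(c, t) for c in CHAINS for t in TYPES if (c, t) not in present]

    # Per the report, the gap in ufw6-before-output only matters once the
    # default outbound policy is something other than ACCEPT.
    output_gap = any(c == "ufw6-before-output" for c, _ in missing)
    policy = output_policy.strip('"').upper()
    return {"duplicates": duplicates, "missing": missing,
            "output_impacted": output_gap and policy != "ACCEPT"}


if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES, output_policy="DROP"))
```
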
