Hello babipanghang, or anyone else affected,

Accepted ufw into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/ufw/0.36-0ubuntu0.18.10.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: ufw (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-cosmic

** Changed in: ufw (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1368411

Title:
  Cannot insert IPV6 rule before IPV4 rules

Status in ufw:
  Fix Released
Status in ufw package in Ubuntu:
  Fix Released
Status in ufw source package in Bionic:
  Fix Committed
Status in ufw source package in Cosmic:
  Fix Committed
Status in ufw source package in Disco:
  Fix Released
Status in ufw package in Debian:
  Fix Released

Bug description:
  [Impact]

  ufw's 'insert' command is designed to work with 'ufw status numbered'
  to insert rules in specific places in the ruleset. This makes it more
  difficult than it should be for using ufw as part of an IPS/dynamic
  firewall (eg, fail2ban) since if the firewall already has an IPv4 rule
  then the user/IPS must calculate the position of an IPv6-only rule
  before inserting it.

  From the git commit:

  "
  add 'prepend' command

  Introduce 'prepend' command to add rules to the top of the IPv4 and/or
  IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg,
  fail2ban). Unlike 'insert', 'prepend' does not require knowledge about
  the IPv6 rule number so integration into IPS is much easier.
  "

  [Test Case]

  $ sudo ufw allow 22/tcp
  $ sudo ufw allow from 1.2.3.4
  $ sudo ufw allow from 2001:db8::/32
  $ sudo ufw enable
  $ sudo ufw status numbered
  ...
  [ 1] 22/tcp                     ALLOW IN    Anywhere
  [ 2] Anywhere                   ALLOW IN    1.2.3.4
  [ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

  # unchanged from 0.35
  $ sudo ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  ERROR: Invalid position '1'

  # new in 0.36
  $ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  $ sudo ufw prepend deny from 6.7.8.9
  $ sudo ufw status numbered
  ...
  [ 1] Anywhere                   DENY IN     6.7.8.9
  [ 2] 22/tcp                     ALLOW IN    Anywhere
  [ 3] Anywhere                   ALLOW IN    1.2.3.4
  [ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
  [ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32

  [Regression Potential]

  ufw has a clean methodology for adding new commands so while
  frontend.py necessarily has some logic changes to calculate where to
  insert the rule (ie, if IPv4 at the top, if IPv6 before other IPv6
  rules and if both, both), the changes were minimal and only are used
  if 'prepend' is specified (so people only using the previous command
  set should be fine).

  [Other Info]

  The ufw prepend command is new in 0.36 and thus only available in
  Debian, Ubuntu disco and the ufw snap for a few weeks. The snap is
  known to work with fail2ban and the prepend command in production
  environments since it was available.

  
  = Original description =

  I am unable to insert any rules concerning IPV6 before IPV4 rules. Thus, when
  IPV4 rules are numbered 1 to 5 and IPV6 rules are numbered 6 to 10, the
  following command:
  [code]
  ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]
  errors with "ERROR: Invalid position '1'".

  However, the command
  [code]
  ufw insert 6 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]
  succeeds.

  In my case, this poses a problem, since I am trying to insert rules
  from a script against brute force attacks. The script needs to insert
  blocking rules before a number of other rules that open up some ports
  (since the order of rules is important in ufw). However since the
  number of IPV4 rules will be changing all the time, the position of
  the first available number for an IPV6 address is hard to determine.

  Proposed solution: either allow IPV6 rules to precede IPV4 rules, or
  implement a keyword defining the first available position; e.g. "ufw
  insert first deny from 2a02:2210:12:a:b820:fff:fea2:25d1".

  BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu
  12.04.5 LTS.

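The position calculation that the bug description says a script or IPS had to do before 'prepend' existed, as an added example that is not part of the bug report or of ufw. The function names first_position and block_command are hypothetical, and the rule for recognising IPv6 lines (the "(v6)" tag, or a field with at least two colons) is an assumption based on the status output shown in the test case.

```shell
# Added example: choose a ufw command that puts a deny rule ahead of the
# existing rules of the same address family, for ufw releases without 'prepend'.

# Constructed sample: the 'ufw status numbered' rule lines from the test case.
SAMPLE_STATUS='[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32'

# first_position FAMILY  (FAMILY is v4 or v6; status text on stdin)
# Prints the number of the first rule of that family; fails if there is none.
# Assumption: a rule line is IPv6 if it carries the "(v6)" tag or a field
# with at least two colons (an IPv6 address); everything else is IPv4.
first_position() {
    awk -v want="$1" '
        /^\[ *[0-9]+\]/ {
            fam = "v4"
            if (index($0, "(v6)")) fam = "v6"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9A-Fa-f:.]+(\/[0-9]+)?$/ && $i ~ /:.*:/) fam = "v6"
            if (fam == want) {
                line = $0
                sub(/^\[ */, "", line); sub(/\].*/, "", line)
                print line; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# block_command ADDR  (status text on stdin)
# Prints the command a script would run so the deny precedes same-family rules.
block_command() {
    addr=$1
    case $addr in
        *:*) fam=v6 ;;
        *)   fam=v4 ;;
    esac
    if pos=$(first_position "$fam"); then
        echo "ufw insert $pos deny from $addr"
    else
        # No rule of this family yet, so an appended rule is already first.
        echo "ufw deny from $addr"
    fi
}

# Stand-alone demo on the constructed sample (prints commands, runs nothing).
printf '%s\n' "$SAMPLE_STATUS" | block_command 2a02:2210:12:a:b820:fff:fea2:25d1
printf '%s\n' "$SAMPLE_STATUS" | block_command 6.7.8.9
```

Rule numbers can shift between reading the status and running the insert, so this calculation is racy on a firewall that other tools also modify; on ufw 0.36 and later, 'ufw prepend deny from ADDR' avoids the calculation entirely.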