[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules

Jamie Strandboge Thu, 28 Mar 2019 04:32:20 -0700

Tested this is fixed in cosmic:

$ apt-cache policy ufw
ufw:
  Installed: 0.36-0ubuntu0.18.10.1
  Candidate: 0.36-0ubuntu0.18.10.1
  Version table:
 *** 0.36-0ubuntu0.18.10.1 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 
Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main i386 
Packages
        100 /var/lib/dpkg/status
     0.35-6 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main i386 Packages



** Tags removed: verification-needed verification-needed-bionic 
verification-needed-cosmic
** Tags added: verification-done verification-done-bionic 
verification-done-cosmic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1368411

Title:
  Cannot insert IPV6 rule before IPV4 rules

Status in ufw:
  Fix Released
Status in ufw package in Ubuntu:
  Fix Released
Status in ufw source package in Bionic:
  Fix Committed
Status in ufw source package in Cosmic:
  Fix Committed
Status in ufw source package in Disco:
  Fix Released
Status in ufw package in Debian:
  Fix Released

Bug description:
  [Impact]

  ufw's 'insert' command is designed to work with 'ufw status numbered'
  to insert rules in specific places in the ruleset. This makes it more
  difficult than it should be for using ufw as part of an IPS/dynamic
  firewall (eg, fail2ban) since if the firewall already has an IPv4 rule
  then the user/IPS must calculate the position of an IPv6-only rule
  before inserting it.

  From the git commit:

  "
  add 'prepend' command

  Introduce 'prepend' command to add rules to the top of the IPv4 and/or
  IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg,
  fail2ban). Unlike 'insert', 'prepend' does not require knowledge about
  the IPv6 rule number so integration into IPS is much easier.
  "

  [Test Case]

  $ sudo ufw allow 22/tcp
  $ sudo ufw allow from 1.2.3.4
  $ sudo ufw allow from 2001:db8::/32
  $ sudo ufw enable
  $ sudo ufw status numbered
  ...
  [ 1] 22/tcp                     ALLOW IN    Anywhere
  [ 2] Anywhere                   ALLOW IN    1.2.3.4
  [ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32

  # unchanged from 0.35
  $ sudo ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  ERROR: Invalid position '1'

  # new in 0.36
  $ sudo ufw prepend deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  $ sudo ufw prepend deny from 6.7.8.9
  $ sudo ufw status numbered
  ...
  [ 1] Anywhere                   DENY IN     6.7.8.9
  [ 2] 22/tcp                     ALLOW IN    Anywhere
  [ 3] Anywhere                   ALLOW IN    1.2.3.4
  [ 4] Anywhere (v6)              DENY IN     2a02:2210:12:a:b820:fff:fea2:25d1
  [ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
  [ 6] Anywhere (v6)              ALLOW IN    2001:db8::/32

  [Regression Potential]

  ufw has a clean methodology for adding new commands so while
  frontend.py necessarily has some logic changes to calculate where to
  insert the rule (ie, if IPv4 at the top, if IPv6 before other IPv6
  rules and if both, both), the changes were minimal and only are used
  if 'prepend' is specified (so people only using the previous command
  set should be fine).

  [Other Info]

  The ufw prepend command is new in 0.36 and thus only available in
  Debian, Ubuntu disco and the ufw snap for a few weeks. The snap is
  known to work with fail2ban and the prepend command in production
  environments since it was available.

  
  = Original description =

  I am unable to insert any rules concerning IPV6 before IPV4 rules. Thus, when 
IPV4 rules are numbered 1 to 5 and IPV6 rules are numbered  6 to 10,  the 
following command:
  [code]
  ufw insert 1 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]
  errors with "ERROR: Invalid position '1'".

  However, the command
  [code]
  ufw insert 6 deny from 2a02:2210:12:a:b820:fff:fea2:25d1
  [/code]
  succeeds.

  In my case, this poses a problem, since I am trying to insert rules
  from a script against brute force attacks. The script needs to insert
  blocking rules before a number of other rules that open up some ports
  (since the order of rules is important in ufw). However since the
  number of IPV4 rules will be changing all the time, the position of
  the first available number for an IPV6 address is hard to determine.

  Proposed solution: either allow IPV6 rules to precede IPV4 rules, or
  implement a keyword defining the first available position; e.g. "ufw
  insert first deny from 2a02:2210:12:a:b820:fff:fea2:25d1".

  BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu
  12.04.5 LTS,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/1368411/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1368411] Re: Cannot insert IPV6 rule before IPV4 rules

Reply via email to