Hi, thank you for reporting an issue. This is discussed in the ufw man
page:

"
status - show status of firewall and ufw managed rules. Use status verbose for
extra information. In the status output, 'Anywhere' is synonymous with 'any',
0.0.0.0/0 (IPv4) and ::/0 (IPv6). Note that when using status, there is a
subtle difference when reporting interfaces. For example, if the following
rules are added:

    ufw allow in on eth0 from 192.168.0.0/16
    ufw allow out on eth1 to 10.0.0.0/8
    ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16
    ufw limit 2222/tcp comment 'SSH port'

ufw status will output:

    To                         Action      From
    --                         ------      ----
    Anywhere on eth0           ALLOW       192.168.0.0/16
    10.0.0.0/8                 ALLOW OUT   Anywhere on eth1
    10.0.0.0/8 on eth1         ALLOW FWD   192.168.0.0/16 on eth0
    Anywhere                   LIMIT       Anywhere                 # SSH port

For the input and output rules, the interface is reported relative to the
firewall system as an endpoint, whereas with route rules, the interface is
reported relative to the direction packets flow through the firewall.
"

You stated:
"
-A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT

So far everything is good. The iptables rule is generated as expected and 
traffic is allowed.
But I find the "ufw status verbose" output very confusing:

```
To                         Action      From
--                         ------      ----
3306/tcp on serviceA       ALLOW IN    Anywhere                   # ServiceA: MySQL access
```

Here it looks like we are allowing traffic To port 3306 on serviceA (from 
anywhere).
"

The "-A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT" rule
literally says "append to the ufw-user-input chain a rule that says
input on interface 'serviceA' to port 3306/tcp should be accepted" and
so your interpretation of the ufw verbose status is correct.

I find the proposal to change this more confusing personally but
ultimately I think whether one is more clear or not is subjective. ufw
is operating as documented and I fear changing the output after so many
years would be far too disruptive for users. I'm going to mark this as
Opinion. Thanks again for your report.

** Changed in: ufw
       Status: New => Opinion

** Changed in: ufw (Ubuntu)
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2075395

Title:
  status description lists "in" interface in "to" column

Status in ufw:
  Opinion
Status in ufw package in Ubuntu:
  Opinion

Bug description:
  Hello!

  I've found what I think might be a bug in the `ufw status [verbose]`
  output.

  **Background**

  I have an SQL server running directly on the host listening on port 3306.
  I have serviceA running in a Docker container, attached to bridge "serviceA".

  I would like to allow serviceA to talk to the SQL server on port
  3306/tcp.

  **UFW command**
  `ufw allow in on serviceA to any port 3306 proto tcp comment "ServiceA: MySQL access"`

  **user.rules**
  ```
  ### tuple ### allow tcp 3306 0.0.0.0/0 any 0.0.0.0/0 in_serviceA comment=53657276696365413a204d7953514c20616363657373
  -A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT
  ```

  So far everything is good. The iptables rule is generated as expected and 
traffic is allowed.
  But I find the "ufw status verbose" output very confusing:

  ```
  To                         Action      From
  --                         ------      ----
  3306/tcp on serviceA       ALLOW IN    Anywhere                   # ServiceA: MySQL access
  ```

  Here it looks like we are allowing traffic To port 3306 on serviceA
  (from anywhere).

  Instead I would expect the following output:
  ```
  To                         Action      From
  --                         ------      ----
  3306/tcp                   ALLOW IN    Anywhere on serviceA      # ServiceA: MySQL access
  ```

  This is very confusing and could make administrators think that the
  system is secure, when it's not, or lead to lots of unnecessary
  troubleshooting.

  I'm using UFW 0.36.2 on Ubuntu 24.04.
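As an added illustration of the interface convention the man page excerpt and the report above describe (example code written for this page, not ufw's own), the script below renders rows in `ufw status` layout back into the ufw-user-* iptables rules they stand for, so a `To` column entry of `3306/tcp on serviceA` resolves to `-i serviceA`. The sample rows are constructed from the man page examples and the reporter's rule; LIMIT rows are out of scope because ufw expands them into several recent-module rules.

```python
import re
# Constructed sample in `ufw status` layout (from the man page excerpt and the reporter's rule above).
SAMPLE_STATUS = """\
To                         Action      From
Anywhere on eth0           ALLOW       192.168.0.0/16
10.0.0.0/8                 ALLOW OUT   Anywhere on eth1
10.0.0.0/8 on eth1         ALLOW FWD   192.168.0.0/16 on eth0
3306/tcp on serviceA       ALLOW IN    Anywhere                   # ServiceA: MySQL access
"""
ROW = re.compile(r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT)(?: (?P<dir>IN|OUT|FWD))?"
                 r"\s{2,}(?P<from>\S.*?)(?:\s+#.*)?$")
TARGET = {"ALLOW": "ACCEPT", "DENY": "DROP", "REJECT": "REJECT"}
CHAIN = {"IN": "ufw-user-input", "OUT": "ufw-user-output", "FWD": "ufw-user-forward"}

def split_endpoint(text):  # '3306/tcp on serviceA' -> ('3306/tcp', 'serviceA'); iface None if absent
    value, _, iface = text.partition(" on ")
    return value.strip(), (iface.strip() or None)

def match_args(value, side):
    # iptables match for an address or port/proto taken from the To or From column
    if value == "Anywhere":
        return []
    if value.endswith(("/tcp", "/udp")):
        port, proto = value.split("/", 1)
        return ["-p", proto, "--dport" if side == "to" else "--sport", port]
    return ["-d" if side == "to" else "-s", value]

def status_row_to_iptables(row):
    """Render one status row as the ufw-user-* rule it stands for: for IN/OUT the
    interface belongs to the firewall host's own endpoint ('To ... on X' is -i X,
    'From ... on X' is -o X); for FWD the From side is -i and the To side is -o."""
    m = ROW.match(row)
    if not m:
        raise ValueError(f"not a rule row: {row!r}")
    direction = m.group("dir") or "IN"          # plain `ufw status` omits IN
    to_val, to_if = split_endpoint(m.group("to"))
    from_val, from_if = split_endpoint(m.group("from"))
    args = ["-A", CHAIN[direction]]
    if direction == "IN" and to_if:
        args += ["-i", to_if]
    elif direction == "OUT" and from_if:
        args += ["-o", from_if]
    elif direction == "FWD":
        args += (["-i", from_if] if from_if else []) + (["-o", to_if] if to_if else [])
    args += match_args(from_val, "from") + match_args(to_val, "to")
    return " ".join(args + ["-j", TARGET[m.group("action")]])

def translate_status(text):
    # header and separator rows do not match ROW and are skipped
    return [status_row_to_iptables(ln) for ln in text.splitlines() if ROW.match(ln)]
```

Running `translate_status(SAMPLE_STATUS)` reproduces the `-A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT` line from user.rules for the last row, which is the reading the maintainer confirms above.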

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/2075395/+subscriptions
