** Description changed: Binary package hint: ufw - # - # I can't used ufw with bridged networking. If I even *try* + # + # I can't use ufw with bridged networking. If I even *try* # to use it, it breaks ufw and I have to uninstall it. - # + # # To repro: - # + # # Set up bridged networking for use w/KVM and LXC, as per: # https://help.ubuntu.com/community/KVM/Networking - # + # # For example, use this: - # + # $ cat /etc/network/interfaces auto lo iface lo inet loopback auto eth0 iface eth0 inet manual auto br0 iface br0 inet dhcp - bridge_ports eth0 - bridge_fd 9 - bridge_hello 2 - bridge_maxage 12 - bridge_stp off + bridge_ports eth0 + bridge_fd 9 + bridge_hello 2 + bridge_maxage 12 + bridge_stp off # # ...and add this iptables line to /etc/ufw/before.rules, as per # https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/573461 # http://www.anthonyldechiaro.com/blog/2011/01/11/linux-containers-and-ufw/ # # -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT - # + # # This would supposedely allow my host's bridged network card to move # packets for my KVM VMs and LXC containers, even with ufw turned on. # (By default, with ufw, I can't make any new connections to my server.) - # + # # (There is an additional sysctl setting for using a bridge with ufw, # in /etc/sysctl.conf. But whether or not I add that too, I get # the following behaviour:) # Start with a fresh install of ufw: root@cst6:~# apt-get purge ufw && apt-get install ufw # [...snip...] # Keep a backup of the original config file... root@cst6:~# cp -a /etc/ufw/before.rules /before.rules-dist - root@cst6:~# + root@cst6:~# # Add the "enable bridging" iptables line as per the URL: root@cst6:~# tail -n 2 /etc/ufw/before.rules -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT COMMIT - root@cst6:~# + root@cst6:~# # Flush any existing iptables rules. root@cst6:~# iptables -F # This file basically says "no rules", as one would expect. 
- root@cst6:~# iptables -L > /my_iptables_rules_before_ufw + root@cst6:~# iptables -L > /my_iptables_rules_before_ufw # Now... turn it on. root@cst6:~# ufw enable Firewall is active and enabled on system startup - root@cst6:~# + root@cst6:~# - # + # # Now I can't make new connections to that box. Port 22 # is not kept open as per /etc/ufw/applications.d/openssh-server # for some reason, whether or not I've added that line above. - # + # # Ok, fine, so that new line is broke somehow. But that isn't # what this bug post is about. Into the rabbit hole we go: - # + # # First, I can successfully re-enable new connections with this: root@cst6:~# ufw disable Firewall stopped and disabled on system startup root@cst6:~# # Always flush between a ufw disable and ufw enable, because # ufw won't "undo" any funky new rules you put into before.rules: root@cst6:~# iptables -F # # And now we go into crazyland. This next part makes no sense to me. # Once I've run with that line once, it causes ufw to break my bridged networking - # altogether -- all packets in or out get filtered by ufw (I see + # altogether -- all packets in or out get filtered by ufw (I see # the [UFW BLOCK] lines in /var/log/messages). It's can't be undone. - # + # # I try to undo the new line, by using the backup config # file I made at the start. root@cst6:~# mv /etc/ufw/before.rules /before.rules-broke - root@cst6:~# mv /before.rules-dist /etc/ufw/before.rules + root@cst6:~# mv /before.rules-dist /etc/ufw/before.rules # Here I prove that the line I added is now gone, back to the default: root@cst6:~# tail -n2 /etc/ufw/before.rules # don't delete the 'COMMIT' line or these rules won't be processed COMMIT - root@cst6:~# + root@cst6:~# # And yet, ufw now filters everything on br0! Not just new connections, like before: root@cst6:~# iptables -F # Flush any old rules root@cst6:~# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? 
y Firewall is active and enabled on system startup - root@cst6:~# - # + root@cst6:~# + # # My SSH session is now frozen, as no packets get through. - # I walk to the server, open a terminal, and run "ufw disable" to + # I walk to the server, open a terminal, and run "ufw disable" to # re-enable networking. - # + # # From this point on, anytime you run ufw enable, it filters # everything on br0... even though you are using the default # ufw configuration files, and originally that worked for everything # but new connections! - # + # # This drove me crazy and wasted a ton of time. # Use original config files -- still behaves differently. # I've reproduced this four times now. - # + # # The only way I can get fresh ufw to its original state # is to do this: root@cst6:~# apt-get purge ufw && apt-get install ufw - # - # It seems to be caching some broken iptables rules. Perhaps a + # + # It seems to be caching some broken iptables rules. Perhaps a # stale .pyc file is being used somehow? Where to look? # ProblemType: Bug DistroRelease: Ubuntu 10.04 Package: ufw 0.30pre1-0ubuntu2 ProcVersionSignature: Ubuntu 2.6.32-28.55-generic 2.6.32.27+drm33.12 Uname: Linux 2.6.32-28-generic i686 NonfreeKernelModules: nvidia Architecture: i386 Date: Sat Apr 9 20:10:55 2011 InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100427.1) PackageArchitecture: all ProcEnviron: - LANG=en_US.UTF-8 - SHELL=/bin/bash + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: ufw
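Review bot: the flush step the report relies on between each `ufw disable` and `ufw enable` (`root@cst6:~# iptables -F`, "Flush any old rules") is not the clean slate it is treated as: `iptables -F` only empties the chains of the filter table and leaves the chain policies, ufw's own user-defined chains (removed only with `iptables -X`) and the nat, mangle and raw tables untouched, so state surviving there could account for the default before.rules behaving differently on the second enable without any caching inside ufw. The before/after snapshots should be taken with `iptables-save` (all tables, including policies) rather than `iptables -L`, which lists the filter table only, and both snapshots attached. The "additional sysctl setting for using a bridge with ufw, in /etc/sysctl.conf" is left unnamed; please state the exact key and value and whether it was in effect when each symptom was observed, since the bridge-netfilter sysctls control whether frames crossing br0 traverse iptables at all, and ufw applies its own /etc/ufw/sysctl.conf on enable, so the two configurations can differ; that detail is needed before the stale .pyc hypothesis in the last paragraph can be confirmed or ruled out.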
--
https://bugs.launchpad.net/bugs/756270
Title: ufw does not work with lxc or kvm bridge mode and then stops working
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
