Hi, thank you for reporting an issue. This is discussed in the ufw man
page:

"
status - show status of firewall and ufw managed rules. Use status verbose for
extra information. In the status output, 'Anywhere' is synonymous with 'any',
0.0.0.0/0 (IPv4) and ::/0 (IPv6). Note that when using status, there is a
subtle difference when reporting interfaces. For example, if the following
rules are added:

    ufw allow in on eth0 from 192.168.0.0/16
    ufw allow out on eth1 to 10.0.0.0/8
    ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16
    ufw limit 2222/tcp comment 'SSH port'

ufw status will output:

    To                         Action      From
    --                         ------      ----
    Anywhere on eth0           ALLOW       192.168.0.0/16
    10.0.0.0/8                 ALLOW OUT   Anywhere on eth1
    10.0.0.0/8 on eth1         ALLOW FWD   192.168.0.0/16 on eth0
    Anywhere                   LIMIT       Anywhere                 # SSH port

For the input and output rules, the interface is reported relative to the
firewall system as an endpoint, whereas with route rules, the interface is
reported relative to the direction packets flow through the firewall.
"

You stated:
"
-A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT

So far everything is good. The iptables rule is generated as expected and 
traffic is allowed.
But I find the "ufw status verbose" output very confusing:

```
To Action From
-- ------ ----
3306/tcp on serviceA ALLOW IN Anywhere # ServiceA: MySQL access
```

Here it looks like we are allowing traffic To port 3306 on serviceA (from 
anywhere).
"

The "-A ufw-user-input -i serviceA -p tcp --dport 3306 -j ACCEPT" rule
literally says "append to the ufw-user-input chain a rule that says
input on interface 'serviceA' to port 3306/tcp should be accepted" and
so your interpretation of the ufw verbose status is correct.

I find the proposal to change this more confusing personally but
ultimately I think whether one is more clear or not is subjective. ufw
is operating as documented and I fear changing the output after so many
years would be far too disruptive for users. I'm going to mark this as
Opinion. Thanks again for your report.

** Changed in: ufw
       Status: New => Opinion

** Changed in: ufw (Ubuntu)
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2075395

Title:
  status description lists "in" interface in "to" column

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/2075395/+subscriptions
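
The interface-reporting convention from the man page excerpt above, written out as an added example that is not part of the original message or of ufw's own code. It turns each status line into explicit ingress and egress interface fields; `parse_status_line` and the field names are hypothetical, and `SAMPLE` is constructed from the status lines quoted in the message.

```python
import re

# Constructed sample: the status lines quoted in the message above.
SAMPLE = """\
Anywhere on eth0           ALLOW       192.168.0.0/16
10.0.0.0/8                 ALLOW OUT   Anywhere on eth1
10.0.0.0/8 on eth1         ALLOW FWD   192.168.0.0/16 on eth0
Anywhere                   LIMIT       Anywhere                 # SSH port
3306/tcp on serviceA ALLOW IN Anywhere # ServiceA: MySQL access
"""

RULE = re.compile(r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
                  r"(?:\s+(?P<dir>IN|OUT|FWD))?\s+(?P<frm>.+)$")
ENDPOINT = re.compile(r"(?P<addr>.+?)(?: on (?P<iface>\S+))?")


def parse_status_line(line):
    """Return one status row as explicit fields, or None for non-rule lines."""
    body, _, comment = line.partition("#")
    m = RULE.match(body.strip())
    if not m:
        return None  # header, separator or blank line
    to = ENDPOINT.fullmatch(m["to"].strip())
    frm = ENDPOINT.fullmatch(m["frm"].strip())
    # No direction shown is treated as an input rule, as in the man page example.
    direction = m["dir"] or "IN"
    if direction == "FWD":
        # Route rule: interfaces follow the packet flow through the firewall,
        # so From carries the ingress interface and To the egress interface.
        in_if, out_if = frm["iface"], to["iface"]
    elif direction == "OUT":
        # Output rule: the firewall is the sending endpoint, so its own
        # interface is printed in the From column.
        in_if, out_if = None, frm["iface"]
    else:
        # Input rule: the firewall is the receiving endpoint, so its own
        # interface is printed in the To column.
        in_if, out_if = to["iface"], None
    return {"action": m["action"], "direction": direction,
            "src": frm["addr"], "dst": to["addr"],
            "in_iface": in_if, "out_iface": out_if,
            "comment": comment.strip()}


if __name__ == "__main__":
    for row in SAMPLE.splitlines():
        print(parse_status_line(row))
```
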

