SRU Request

I. ufw in its default configuration uses IPV6=no in /etc/default/ufw.
The intended and documented behavior of this setting is to use a default
DROP policy with connections allowed on the loopback interface only. The
current version does not do this when using the /etc/init.d/ufw script,
which means that though IPV6=no, the default policy for the INPUT,
OUTPUT and FORWARD chains is ACCEPT on boot.

II. This has been fixed in 0.18.2 (will be uploaded after alpha freeze).
/etc/init.d/ufw has been adjusted to set the default policy of DROP when
IPV6=no (/usr/sbin/ufw uses the /etc/init.d/ufw when running 'enable',
so enable will still work as before).

III. A debdiff is attached that addresses this bug and bug #194844 (also
an SRU candidate).

IV. TEST CASE (needs a kernel which supports ipv6 and ip6_tables;
basically, any but -virtual):

  1. make sure /etc/default/ufw has 'IPV6=no'
  2. sudo ufw enable
  3. sudo ip6tables -n -L (shows default DROP policy with allowed connections on loopback)
  4. sudo /etc/init.d/ufw force-reload
  5. sudo ip6tables -n -L (currently shows default ACCEPT policy; it should be the same as in step 3)
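
As an added check, not part of the bug report or the ufw package: a POSIX shell function that parses `ip6tables -n -L` output and fails unless INPUT, FORWARD and OUTPUT all carry a DROP policy, so the listings from step 3 and step 5 can be compared mechanically. The two sample listings are constructed for offline use, not real captures.

```sh
#!/bin/sh
# Added example, not part of the ufw package or the bug report: verify that
# every built-in ip6tables chain has the DROP policy that IPV6=no is
# documented to give. Reads `ip6tables -n -L` output on stdin.

# Returns 0 when INPUT, FORWARD and OUTPUT all show "(policy DROP)",
# otherwise prints the offending chains and returns 1.
check_ip6_default_drop() {
    # "Chain INPUT (policy DROP)" header lines carry the default policy; collect
    # the name of every built-in chain whose policy is anything other than DROP.
    bad=$(awk '/^Chain (INPUT|FORWARD|OUTPUT) / && $0 !~ /\(policy DROP\)/ { print $2 }')
    if [ -n "$bad" ]; then
        # $bad is deliberately unquoted so the newline-separated names join on one line
        echo "IPv6 default policy is not DROP for:" $bad
        return 1
    fi
    return 0
}

# Constructed sample listings (not real captures): what step 3 should show after
# `ufw enable` with loopback allowed, and what step 5 showed before the fix.
GOOD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
'

BAD_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# On a live system, run after step 3 and again after step 5 (or after a reboot):
#   sudo ip6tables -n -L | check_ip6_default_drop
# Offline demonstration on the constructed samples:
printf '%s' "$GOOD_LISTING" | check_ip6_default_drop && echo "sample 1: policies OK"
printf '%s' "$BAD_LISTING" | check_ip6_default_drop || echo "sample 2: regression detected"
```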

V. The regression potential is considered low. While the default
behavior on boot has changed (to be what is documented), in practice
users will have used 'ufw enable' to enable the firewall and tested that
the rules work as expected. 'ufw enable' sets the default policy to
DROP, so users would have noticed IPv6 connectivity being blocked at
this stage and adjusted the rules accordingly. It was only after a
reboot that the IPv6 policy was changed to the more lenient ACCEPT
policy.


** Changed in: ufw (Ubuntu Hardy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
       Status: New => Confirmed

-- 
ufw: default IPv6 policy not set on boot when IPV6=no
https://bugs.launchpad.net/bugs/251355