Thank you for using Ubuntu and reporting a bug.

Please note that 'sudo ufw disable' will flush the ufw chains and make
them all 'pass through' (ie, think of them as NOPs) until reboot. On
reboot, ufw won't run and even the pass through chains won't be added.

Furthermore, unless MANAGE_BUILTINS is set to 'yes' in /etc/default/ufw
(it defaults to 'no'), ufw only manages its own chains in an effort to
play nice with other software that adds rules to the firewall (eg,
libvirt). Looking at your bug description, there are no ufw rules on the
system, only rules in LIBVIRT_* chains, which ufw did not add when it
was enabled before it was disabled.

AFAICS, this is not a bug. ufw is behaving as expected and other
software on the system is responsible for adding the aforementioned
rules.

** Changed in: ufw (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1858464

Title:
  iptable rules are still present after disabling ufw

Status in ufw package in Ubuntu:
  Invalid

Bug description:
  If ufw is disabled, the iptable rules still remain active. This is
  wrong behavior: if an administrator has asked for the firewall to be
  disabled, then no rules of any kind (except for the default policy
  ACCEPT) should be present in the iptables list.

  Actual results:

  root@r820-jq3yx12:~# iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  LIBVIRT_INP  all  --  anywhere             anywhere

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  LIBVIRT_FWX  all  --  anywhere             anywhere
  LIBVIRT_FWI  all  --  anywhere             anywhere
  LIBVIRT_FWO  all  --  anywhere             anywhere

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
  LIBVIRT_OUT  all  --  anywhere             anywhere

  Chain LIBVIRT_FWI (1 references)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
  REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

  Chain LIBVIRT_FWO (1 references)
  target     prot opt source               destination
  ACCEPT     all  --  192.168.122.0/24     anywhere
  REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

  Chain LIBVIRT_FWX (1 references)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere

  Chain LIBVIRT_INP (1 references)
  target     prot opt source               destination
  ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
  ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

  Chain LIBVIRT_OUT (1 references)
  target     prot opt source               destination
  ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

  root@r820-jq3yx12:~# ufw status
  Status: inactive

  
  Expected results:

  root@r820-jq3yx12:~# iptables -P INPUT ACCEPT
  root@r820-jq3yx12:~# iptables -P FORWARD ACCEPT
  root@r820-jq3yx12:~# iptables -P OUTPUT ACCEPT
  root@r820-jq3yx12:~# iptables -t nat -F
  root@r820-jq3yx12:~# iptables -t mangle -F
  root@r820-jq3yx12:~# iptables -F
  root@r820-jq3yx12:~# iptables -X

  root@r820-jq3yx12:~# iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  ProblemType: Bug
  DistroRelease: Ubuntu 19.10
  Package: ufw 0.36-1ubuntu3
  ProcVersionSignature: Ubuntu 5.3.0-24.26-generic 5.3.10
  Uname: Linux 5.3.0-24-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu8.2
  Architecture: amd64
  Date: Mon Jan  6 11:24:18 2020
  InstallationDate: Installed on 2019-12-29 (8 days ago)
  InstallationMedia: Ubuntu-MATE 19.10 "Eoan Ermine" - Release amd64 (20191017)
  PackageArchitecture: all
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: ufw
  UpgradeStatus: No upgrade log present (probably fresh install)

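The ownership split described in the reply above can be checked mechanically by attributing each rule in an `iptables -L` listing to the software whose chain it lives in or jumps to. This is an added example, not part of the bug report or of ufw itself; it assumes ufw's chains carry the `ufw-`/`ufw6-` name prefix and libvirt's the `LIBVIRT_` prefix seen in the listing, and the function names are hypothetical.

```shell
#!/bin/sh
# Owner of a chain, by name prefix (assumed: ufw uses ufw-/ufw6-, libvirt LIBVIRT_).
chain_owner() {
    case "$1" in
        ufw-*|ufw6-*) echo ufw ;;
        LIBVIRT_*) echo libvirt ;;
        INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING) echo builtin ;;
        *) echo other ;;
    esac
}

# Read `iptables -L` text on stdin and print "ufw=N libvirt=N other=N".
# A rule counts for the owner of its chain; in a built-in chain it counts
# for the owner of its target, so jumps into LIBVIRT_* are libvirt's.
rules_by_owner() {
    ufw=0 libvirt=0 other=0 chain=
    while read -r first second rest; do
        case "$first" in
            ''|target) continue ;;
            Chain) chain=$second; continue ;;
        esac
        owner=$(chain_owner "$chain")
        if [ "$owner" = builtin ]; then owner=$(chain_owner "$first"); fi
        case "$owner" in
            ufw) ufw=$((ufw + 1)) ;;
            libvirt) libvirt=$((libvirt + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done
    echo "ufw=$ufw libvirt=$libvirt other=$other"
}

# Constructed sample: abridged from the listing in the bug description.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_INP  all  --  anywhere             anywhere

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
EOF
}

# On a live host (as root): iptables -L -n | rules_by_owner
sample_listing | rules_by_owner
```

A count of `ufw=0` with a non-zero `libvirt` count on a host where ufw is inactive is the situation the reply describes: the remaining rules belong to other software.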