ufw should detect if the command being given will cut off SSH access and warn if the user is connected via SSH.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Fix Released | Wishlist | Jamie Strandboge |
Bug Description
Binary package hint: ufw
IRC discussion from today on #ubuntu-server. Times are -0400.
[22:08] <kinema> Is there a standard way of loading iptables rules in Ubuntu?
[22:08] <ScottK> kinema: See the ufw package.
[22:08] <ScottK> It provides some basic standard settings for such.
[22:09] <ScottK> Personally I have a shell script I like.
[22:21] <kinema> Hmmm....denying all traffic when logged in via ssh isn't the smartest thing I've done today.
[22:22] <-- kinema has left this channel.
[22:23] --> kinema has joined this channel (<email address hidden>).
[22:23] <ScottK> Trust me, you aren't the first one to do that.
[22:24] <unewbi1> :)
[22:30] <kinema> What are the chances there is a decent Ubuntuish script or set of scripts for managing a firewall somewhere online that I could look at?
[22:33] <kinema> There's something I find unsettling about ufw.
[22:34] * hads likes firehol
[22:38] <ScottK> kinema: If you find problems about ufw, please file bugs.
[22:39] * ScottK likes /sh, but probably not what you're after.
[22:39] <kinema> ScottK: I'm going to give ufw a chance.
[22:39] <kinema> We'll see.
[22:39] <kinema> Of course I'll file bugs if necessary.
[22:40] <ScottK> OK, but please file bugs. It is actively developed within the Ubuntu Server team, so it's worth doing.
[22:41] <kinema> ScottK: Would I be correct in assuming that rules are inserted into the various tables/chains as soon as the command is executed?
[22:42] <ScottK> kinema: I'm not sure, as I've mentioned, I don't use it, but it's the recommended approach in Ubuntu Server for people who don't roll their own.
[22:42] <kinema> Thanks.
[22:45] <ScottK> Maybe jdstrand is around and can answer.
[22:47] <kinema> I thought about it and the fact that running "sudo ufw default deny" killed my ssh connection shows that rules are inserted immediately.
Note the upgrade-manager knows if you're connected via SSH, so there's probably code there that could be reused.
Changed in ufw: importance: Undecided → Wishlist
Thank you for using Ubuntu and taking the time to report a bug. ufw tries to be careful not to flush the chains, and will not do so if it is possible to simply add a rule to a chain. Changing the default policy (i.e. 'ufw default deny') is one of those commands that requires flushing the chains. However, you can set up the chains prior to enabling the firewall (see the REMOTE MANAGEMENT section of the man page for details). This is particularly useful for allowing ssh before enabling the firewall.
The idea of checking if a user is currently logged in via ssh or providing some sort of a way out is actually on the TODO list, and something worth exploring.
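The check the reporter asks for, as an added example that is not ufw's own code nor the fix that was eventually released: a POSIX sh wrapper that refuses the chain-flushing commands named above (a default-policy change to deny/reject, or enabling the firewall) when run from an SSH session, unless an already-added rule allows the session's SSH port. It assumes the standard SSH_CONNECTION variable and the `ufw show added` output format, held in ADDED_RULES so it runs without root; the sample values are constructed.

```shell
#!/bin/sh
# Constructed example, not ufw's own code: decide whether a ufw command run from an
# SSH session could cut off the operator's own connection. Assumes the standard
# SSH_CONNECTION layout ("client_ip client_port server_ip server_port") and the
# 'ufw show added' output format, held in ADDED_RULES (constructed sample below).

# 0 if this shell belongs to an SSH session.
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_CLIENT:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# Server-side port the session arrived on (4th field of SSH_CONNECTION), default 22.
ssh_server_port() {
    set -- ${SSH_CONNECTION:-}
    echo "${4:-22}"
}

# 0 for the commands the maintainer says flush the chains: a default-policy
# change to deny/reject, and enabling the firewall.
flushes_chains() {
    case "$1" in
        default) case "${2:-}" in deny|reject) return 0 ;; esac ;;
        enable)  return 0 ;;
    esac
    return 1
}

# 0 if an added rule on stdin allows TCP port $1 (heuristic: also accepts the
# 'ssh'/'OpenSSH' application profile names, which mean port 22).
ssh_port_allowed() {
    grep -E '^ufw allow ' |
        grep -Eq "(^| )($1(/tcp)?|port $1( proto tcp)?|ssh|OpenSSH)( |\$)"
}

# 0 if "ufw $*" is safe to run now, 1 if it may cut off the current session.
check_ufw_command() {
    flushes_chains "$1" "${2:-}" || return 0   # plain rule additions don't flush
    in_ssh_session || return 0                 # local console: nothing to lose
    port=$(ssh_server_port)
    printf '%s\n' "${ADDED_RULES:-}" | ssh_port_allowed "$port" && return 0
    echo "WARNING: 'ufw $*' flushes the chains and no added rule allows tcp/$port (see REMOTE MANAGEMENT in ufw(8))" >&2
    return 1
}

# Demo with a constructed environment: SSH session on port 22, no rules added yet.
SSH_CONNECTION="198.51.100.7 50432 203.0.113.10 22"
ADDED_RULES="Added user rules (see 'ufw status' for running firewall):
(None)"
check_ufw_command default deny || echo "refused: run 'ufw allow 22/tcp' first, then retry"
```

In real use the wrapper would fill ADDED_RULES from `ufw show added` and, on success, exec the real ufw command.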