ufw should be able to add rules rejecting traffic

Bug #197322 reported by hendrik on 2008-03-01
Affects: ufw (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

ufw should be able to add rules specifying the REJECT target, including a default policy of REJECT.

hendrik (hendrik-patchworklady) wrote :

This patch against /usr/sbin/ufw (Version: 0.13) adds the options to specify 'reject' in a rule, specify 'reject' to delete a rule and adds the possibility to specify 'reject' as the default policy for INPUT, OUTPUT or FORWARD. TCP is rejected via '--reject-with tcp-reset', all other protocols via the default '--reject-with icmp-port-unreachable'.

hendrik (hendrik-patchworklady) wrote :

This patch against /etc/init.d/ufw (Version: 0.13) modifies the init-script to allow a default policy of 'reject' for INPUT, OUTPUT or FORWARD. As REJECT is not a built-in target, the default policy for the table is set to DROP, but all traffic is rejected by two catch-all rules at the bottom of the table, one rejecting TCP via '--reject-with tcp-reset', the next rejecting all other protocols via the default '--reject-with icmp-port-unreachable'.
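The DROP-policy-plus-catch-all scheme and the per-protocol reject type described in the two comments above, as an added shell example that is not hendrik's patch or ufw's own code. It only prints the iptables commands it would generate; the chain names and the rule layout are assumptions for illustration, not ufw's real chain structure.

```bash
#!/bin/sh
# Added example: emit iptables commands implementing a 'reject' default
# policy the way the comments describe. Nothing is executed here.

# Usage: reject_policy_rules CHAIN   (INPUT, OUTPUT or FORWARD)
reject_policy_rules() {
    chain=$1
    case "$chain" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "reject_policy_rules: bad chain '$chain'" >&2; return 1 ;;
    esac
    # REJECT is not a built-in target, so the chain policy itself stays DROP...
    echo "iptables -P $chain DROP"
    # ...and two catch-all rules at the very end do the rejecting: TCP gets a
    # RST, everything else the default ICMP port-unreachable. These must be
    # the last rules in the chain; any allow rules have to sit above them.
    echo "iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A $chain -j REJECT --reject-with icmp-port-unreachable"
}

# Usage: reject_rule CHAIN PROTO [PORT]  -- one explicit 'reject' rule,
# e.g. the equivalent of "ufw reject 23/tcp" (hypothetical mapping).
reject_rule() {
    chain=$1; proto=$2; port=$3
    rule="iptables -A $chain -p $proto"
    [ -n "$port" ] && rule="$rule --dport $port"
    if [ "$proto" = tcp ]; then
        rule="$rule -j REJECT --reject-with tcp-reset"
    else
        rule="$rule -j REJECT --reject-with icmp-port-unreachable"
    fi
    echo "$rule"
}

reject_policy_rules INPUT
reject_rule INPUT tcp 23
reject_rule INPUT udp 161
```

A rejected TCP connect fails immediately with a reset instead of hanging until a timeout, which is the troubleshooting benefit hendrik is after; the catch-all rules, not the policy, provide that.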

hendrik (hendrik-patchworklady) wrote :

This patch against the uncompressed manpage ufw.8 (Version: 0.13) adds the 'reject' option to the manpage, including two examples of its use.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report the bug and submit a patch. This should get integrated into the next version of ufw.

Changed in ufw:
assignee: nobody → jamie-strandboge
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

This may not be suitable for Hardy, but I have added a branch based on the changes submitted. Still need to update the test cases for decline/REJECT regressions.

Changed in ufw:
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote :

Marking as triaged since the patch won't apply anymore. I'm still not sure this will be supported in ufw.

Changed in ufw:
assignee: jdstrand → nobody
status: In Progress → Triaged
hendrik (hendrik-patchworklady) wrote :

I would probably be able to produce another patch for ufw, init-script and the manpage, however, I am interested in the reason for possibly not supporting this in ufw. I would really like to use ufw some more; not being able to reject, not drop, traffic though can make problem-solving rather time-consuming in some cases.

Changed in ufw:
assignee: nobody → jdstrand
Jamie Strandboge (jdstrand) wrote :

Thanks hendrik for your work on this. The hesitation in adding this feature was because ufw strives to be uncomplicated, and the difference between iptables DROP and REJECT is a subtlety that might have made things too complicated. That said, I believe it should be a part of ufw, and I have committed a first pass at the functionality in rev 343 of ufw/trunk.

Changed in ufw:
status: Triaged → In Progress
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.26-0ubuntu1

ufw (0.26-0ubuntu1) jaunty; urgency=low

  * new upstream release, which fixes:
    - formatting of dpkg output incorrect on upgrades (LP: #300726)
    - new REJECT functionality (LP: #197322)
    - ufw shouldn't flush built-in chains by default. New MANAGE_BUILTINS
      configuration option can be used to restore the old (flush) behavior
  * debian/control:
    - Build-Depends-Indep on iptables (required for iptables version check in
    - add ${misc:Depends} to Depends and bump Standards-Version to 3.8.0
    - update Description
    - move po-debconf to Build-Depends
  * added debian/watch
  * debian/source.lintian-overrides: don't complain about
  * debian/rules:
    - rename and gzip upstream changelogs
    - rename initscript.ubuntu to ufw.init and use dh_installinit (but
      continue to use /etc/defaults/ufw installed via setup.py for now)
    - cleanup dh_installdirs
    - use dh_installexamples for example files
    - run debconf-updatepo in clean target
  * debian/postinst: remove old ufw.rules check because ufw.rules existed for
    only a short time during the Hardy development cycle, it's ignored by ufw
    and its existence is harmless.
  * debian/config and debian/templates: remove ufw/oldrules
  * provide debconf mechanism for enabling the firewall and setting some basic
    rules (LP: #307715)

 -- Jamie Strandboge <email address hidden> Fri, 16 Jan 2009 08:02:36 -0600

Changed in ufw:
status: Fix Committed → Fix Released