ufw should provide an interface to update ip forwarding

Bug #262421 reported by Vadim Peretokin on 2008-08-28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
gui-ufw (Ubuntu)
ufw (Ubuntu)
Jamie Strandboge

Bug Description

Binary package hint: ufw


As per this document (https://help.ubuntu.com/8.04/serverguide/C/firewall.html), the user has to modify ufw's configuration files directly ("First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”"). The gufw package (https://launchpad.net/ubuntu/+source/gui-ufw) does just that.

However, this conflicts with the Debian rules, which say that a program can't touch another's conffiles unless the main one gives it permission to (http://www.debian.org/doc/debian-policy/ch-files.html#s10.7.4). Could ufw please give gufw permission to ufw them?

Jamie Strandboge (jdstrand) wrote :

This needs to be handled in the ufw package, and ultimately in the ufw command itself. At this time ufw does not support manipulating the ufw-user-forward chain at all, so providing an interface in the ufw command that allows just changing the forward policy could be confusing for users. Additionally, you would clearly also want to adjust /etc/ufw/sysctl.conf, but this is problematic because it includes both ipv4 and ipv6 settings, so you would need to be careful about the treatment of ipv6. Supporting FORWARDing generally in ufw may be implemented in the future, but will require significant planning, and is well beyond inclusion in Intrepid. I do find your apparent use of the forwarding chains at this time somewhat puzzling, as again, it is not supported in the ufw command itself.

All that said, I will review/accept patches to ufw. The best approach at this time likely will be to provide a script that would simply adjust this setting (with a corresponding man page). Keep in mind that these changes will require a FFe as detailed in https://wiki.ubuntu.com/FreezeExceptionProcess.

Changed in ufw:
assignee: nobody → jdstrand
status: New → Incomplete
importance: Undecided → Wishlist
Changed in ufw:
assignee: jdstrand → nobody
status: Incomplete → Confirmed
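
A read-only check of the two files named in this report, added here as an example and not part of the bug thread or of ufw itself: it reports the forward policy and the IPv4 and IPv6 forwarding switches separately, since /etc/ufw/sysctl.conf carries both. The function names and the sample file contents are constructed for illustration; the sysctl keys are the kernel's standard forwarding keys.

```shell
#!/bin/sh
# Added example: audit ufw forwarding settings without modifying any file.

# Print DEFAULT_FORWARD_POLICY from a ufw defaults file
# (last uncommented assignment wins, quotes stripped, upper-cased).
forward_policy() {
    sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY=//p' "$1" |
        tail -n 1 | tr -d "\"'" | tr '[:lower:]' '[:upper:]'
}

# Print "on" if the last uncommented assignment of key $2 in file $1 is 1,
# else "off". Keys are normalised so net.ipv4.x and net/ipv4/x both match.
sysctl_enabled() {
    key=$(printf '%s' "$2" | tr '.' '/')
    val=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | tr '.' '/' |
        awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
    if [ "$val" = "1" ]; then echo on; else echo off; fi
}

# One-line summary: forward policy plus per-address-family forwarding state.
audit_forwarding() {
    defaults=${1:-/etc/default/ufw}
    sysctl=${2:-/etc/ufw/sysctl.conf}
    policy=$(forward_policy "$defaults")
    v4=$(sysctl_enabled "$sysctl" net/ipv4/ip_forward)
    v6=off
    for k in net/ipv6/conf/all/forwarding net/ipv6/conf/default/forwarding; do
        if [ "$(sysctl_enabled "$sysctl" "$k")" = on ]; then v6=on; fi
    done
    echo "policy=${policy:-unset} ipv4=$v4 ipv6=$v6"
}

# Constructed sample files (not taken from a real host): forwarding is
# accepted and enabled for IPv4, while the IPv6 line is left commented out.
tmp=$(mktemp -d)
printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' \
    'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$tmp/ufw"
printf '%s\n' 'net/ipv4/ip_forward=1' \
    '#net/ipv6/conf/all/forwarding=1' > "$tmp/sysctl.conf"
audit_forwarding "$tmp/ufw" "$tmp/sysctl.conf"
```

On a real host, calling `audit_forwarding` with no arguments reads /etc/default/ufw and /etc/ufw/sysctl.conf.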
costales (costales) on 2010-03-02
Changed in gui-ufw (Ubuntu):
status: New → Invalid
costales (costales) on 2010-11-09
Changed in gui-ufw:
status: New → Triaged
Changed in gui-ufw:
status: Triaged → In Progress
costales (costales) on 2012-04-21
Changed in gui-ufw:
status: In Progress → Triaged
Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.34~rc-0ubuntu1

ufw (0.34~rc-0ubuntu1) trusty; urgency=medium

  * New upstream pre-release (LP: #1059060, #1065297, #1062521, #1101304,
    LP: #1075975, #1089262, #262421)
  * Dropped the following patches now included upstream:
    - 0002-lp1044361.patch
    - 0003-fix-typeerror-on-error.patch
    - 0004-lp1039729.patch
    - 0005-lp1191197.patch
  * Remaining changes:
    - 0001-optimize-boot.patch: only read in /etc/ufw/ufw.conf when disabled
  * debian/before[6].rules.md5sum: adjusted for new release
  * debian/control: update Standards-Version to 3.9.5
  * debian/rules:
    - only ship /usr/share/ufw/iptables/*rules and not /usr/share/ufw/
    - *.init files should also be config files
  * debian/ufw.links: added to makes symlinks from /usr/share/ufw/iptables/*
    to /usr/share/ufw/ (so ucf is happy on upgrades)
  * debian/ufw.postinst:
    - use TEMPLATE_PATH/iptables/*rules instead of TEMPLATE_PATH/*rules (not
      strictly required since we are using dh_link, but makes the intent
    - copy /usr/share/ufw/*.init in to /etc/ufw
 -- Jamie Strandboge <email address hidden> Thu, 20 Feb 2014 09:23:54 -0600

Changed in ufw (Ubuntu):
status: In Progress → Fix Released
costales (costales) on 2014-05-19
Changed in gui-ufw:
status: Triaged → Invalid