ufw must be stopped after iface is powered off

Bug #298736 reported by Aymeric on 2008-11-16
Affects                 Importance   Assigned to
ufw (Ubuntu)            Undecided    Jamie Strandboge
ufw (Ubuntu Hardy)      Undecided    Jamie Strandboge
ufw (Ubuntu Intrepid)   Undecided    Jamie Strandboge

Bug Description

Using Ubuntu Hardy Heron as a server and ufw as the firewall.
I have found that ufw is started before the iface is configured, so it's ok: when your iface is enabled, all your firewall rules are loaded.

*But* ufw is stopped before the iface!
So if you have a service running and locked down by a rule in ufw (example: ssh is allowed only for a range of IPs), when you are rebooting your service is not behind a firewall until your iface is disabled.

This is very insecure when you have other services that take a long time to stop between the halt of ufw and the iface being disabled.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting the bug. It is a known issue that ufw is unloaded on shutdown, and a fix for this is planned.

Changed in ufw:
assignee: nobody → jdstrand
status: New → Triaged
Changed in ufw:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.24

---------------
ufw (0.24) jaunty; urgency=low

  * debian/rules: check for 'nocheck' in DEB_BUILD_OPTIONS
  * debian/postrm: don't fail if iptables or ip6tables fails (LP: #278670)
  * fix typo in error message (LP: #280348)
  * allow case-insensitive matches for application rules (LP: #263757). Based
    on work by Didier Roche
  * add skel-ui for UI example
  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * before6.rules: adjust hop limit to 255 for NDP messages (LP: #299268) per
    RFC 4890 section 4.2. Thanks to Ryan Giobbi
  * before6.rules: restrict multicast (LP: #304216). Thanks to Ryan Giobbi
  * before.rules: don't use ctstate as it is not supported on all kernels and
    we don't use the extra information anyway (LP: #289906)
  * fix translations for input strings (LP: #302426)
  * update ucf md5sums for before.rules and before6.rules
  * adjust root/destructive tests for when we can't unmount /proc

 -- Jamie Strandboge <email address hidden> Fri, 12 Dec 2008 13:43:11 -0500
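A quick way to confirm the condition this bug describes, added here as an example; it is not code from the ufw package or from any comment on this report. The "don't stop in runlevels 0 and 6" changelog entry means the package should no longer register kill links for ufw under rc0.d and rc6.d, so the script below audits a SysV rc tree for exactly those links. The demo tree it builds (the service name, the S/K link layout and the sequence number 39) is constructed for the example and is not copied from a real system; on a Hardy or Intrepid box you would run check_no_kill_links /etc ufw after the upgrade.

```shell
#!/bin/sh
# Added example, not part of the ufw package or this bug report.
# Audits a SysV-style rc?.d tree for "K" (kill) symlinks that would stop a
# service in runlevel 0 (halt) or 6 (reboot). For a firewall, such links open
# the window described in this bug: rules are dropped while other services
# are still shutting down and the interfaces are still up.

# check_no_kill_links ETCDIR SERVICE
#   Prints every K??SERVICE link found under ETCDIR/rc0.d and ETCDIR/rc6.d.
#   Returns 0 when none exist (the desired state), 1 otherwise.
check_no_kill_links() {
    etc=$1
    svc=$2
    found=0
    for rl in 0 6; do
        for link in "$etc/rc$rl.d"/K[0-9][0-9]"$svc"; do
            # sh leaves an unmatched glob as the literal pattern; skip it.
            [ -L "$link" ] || [ -e "$link" ] || continue
            echo "$link"
            found=1
        done
    done
    return $found
}

# count_kill_links ETCDIR SERVICE: number of offending links as a plain integer.
count_kill_links() {
    check_no_kill_links "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_tree ROOT WITH_KILL
#   Builds a constructed, hypothetical rc tree (not taken from any real
#   system): a start link in rcS.d and, when WITH_KILL=yes, kill links in
#   rc0.d and rc6.d. The sequence number 39 is arbitrary.
make_demo_tree() {
    root=$1
    with_kill=$2
    mkdir -p "$root/init.d" "$root/rcS.d" "$root/rc0.d" "$root/rc6.d"
    : > "$root/init.d/ufw"
    ln -sf ../init.d/ufw "$root/rcS.d/S39ufw"
    if [ "$with_kill" = yes ]; then
        ln -sf ../init.d/ufw "$root/rc0.d/K39ufw"
        ln -sf ../init.d/ufw "$root/rc6.d/K39ufw"
    fi
}

# Stand-alone demo: "before" mimics a package that registers stop links in
# runlevels 0 and 6; "after" mimics one that does not.
demo=$(mktemp -d)
make_demo_tree "$demo/before" yes
make_demo_tree "$demo/after" no
for variant in before after; do
    if check_no_kill_links "$demo/$variant" ufw >/dev/null; then
        echo "$variant: ufw is not stopped in runlevels 0/6 (good)"
    else
        echo "$variant: ufw would be stopped at halt/reboot:"
        check_no_kill_links "$demo/$variant" ufw | sed 's/^/  /'
    fi
done
rm -rf "$demo"
```

The check only looks at the rc symlinks, which is what the postinst change controls; it says nothing about what the initscript's stop action does when it is invoked some other way, so it is a regression check for this bug rather than a general firewall audit.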

Changed in ufw:
status: Fix Committed → Fix Released
Changed in ufw:
assignee: nobody → jdstrand
status: New → Triaged
assignee: nobody → jdstrand
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Fix committed in bzr. Will prepare an SRU soon.

Changed in ufw:
status: Triaged → Fix Committed
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

Accepted ufw into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Accepted ufw into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Aymeric (mulx) wrote :

I have upgraded ufw from hardy-proposed; this bug is corrected.
Thank you!

I can't test with intrepid.

Jamie Strandboge (jdstrand) wrote :

Fixed in 0.16.2.4

$ apt-cache policy ufw
ufw:
  Installed: 0.16.2.4
  Candidate: 0.16.2.4
  Version table:
 *** 0.16.2.4 0
        500 http://archive.ubuntu.com hardy-proposed/main Packages
        100 /var/lib/dpkg/status
     0.16.2.3 0
        500 http://192.168.122.1 hardy-updates/main Packages
     0.16.2 0
        500 http://192.168.122.1 hardy/main Packages

Jamie Strandboge (jdstrand) wrote :

Fixed in 0.23.3

$ apt-cache policy ufw
ufw:
  Installed: 0.23.3
  Candidate: 0.23.3
  Version table:
 *** 0.23.3 0
        500 http://archive.ubuntu.com intrepid-proposed/main Packages
        100 /var/lib/dpkg/status
     0.23.2 0
        500 http://192.168.122.1 intrepid/main Packages

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.23.3

---------------
ufw (0.23.3) intrepid-proposed; urgency=low

  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * formatting of dpkg output incorrect on upgrades (LP: #300726)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Mon, 19 Jan 2009 10:32:03 -0600

Changed in ufw:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.16.2.4

---------------
ufw (0.16.2.4) hardy-proposed; urgency=low

  * debian/postrm: don't fail if iptables or ip6tables fails (LP: #278670)
  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Sat, 17 Jan 2009 09:04:06 -0600

Changed in ufw:
status: Fix Committed → Fix Released
Aymeric (mulx) wrote :

Package is now available in hardy-updates
Thank you.
---------------
$ apt-cache policy ufw
ufw:
  Installed: 0.16.2.4
  Candidate: 0.16.2.4
  Version table:
 *** 0.16.2.4 0
        500 http://fr.archive.ubuntu.com hardy-updates/main Packages
        100 /var/lib/dpkg/status
     0.16.2 0
        500 http://fr.archive.ubuntu.com hardy/main Packages
