Cannot insert IPV6 rule before IPV4 rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Fix Released | Medium | Jamie Strandboge |
ufw (Debian) | Fix Released | Unknown | |
ufw (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Bionic | Fix Released | Medium | Jamie Strandboge |
Cosmic | Fix Released | Medium | Jamie Strandboge |
Disco | Fix Released | Medium | Jamie Strandboge |
Bug Description
[Impact]
ufw's 'insert' command is designed to work with 'ufw status numbered' to insert rules in specific places in the ruleset. This makes it more difficult than it should be to use ufw as part of an IPS/dynamic firewall (eg, fail2ban), since if the firewall already has an IPv4 rule then the user/IPS must calculate the position of an IPv6-only rule before inserting it.
From the git commit:
"
add 'prepend' command
Introduce 'prepend' command to add rules to the top of the IPv4 and/or
IPv6 chains. This is particularly useful for dynamic firewalls/IPS (eg,
fail2ban). Unlike 'insert', 'prepend' does not require knowledge about
the IPv6 rule number so integration into IPS is much easier.
"
[Test Case]
$ sudo ufw allow 22/tcp
$ sudo ufw allow from 1.2.3.4
$ sudo ufw allow from 2001:db8::/32
$ sudo ufw enable
$ sudo ufw status numbered
...
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Anywhere ALLOW IN 1.2.3.4
[ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 4] Anywhere (v6) ALLOW IN 2001:db8::/32
# unchanged from 0.35
$ sudo ufw insert 1 deny from 2a02:2210:
ERROR: Invalid position '1'
# new in 0.36
$ sudo ufw prepend deny from 2a02:2210:
$ sudo ufw prepend deny from 6.7.8.9
$ sudo ufw status numbered
...
[ 1] Anywhere DENY IN 6.7.8.9
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] Anywhere ALLOW IN 1.2.3.4
[ 4] Anywhere (v6) DENY IN 2a02:2210:
[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] Anywhere (v6) ALLOW IN 2001:db8::/32
[Regression Potential]
ufw has a clean methodology for adding new commands, so while frontend.py necessarily has some logic changes to calculate where to insert the rule (ie, if IPv4 at the top, if IPv6 before other IPv6 rules, and if both, both), the changes were minimal and are only used if 'prepend' is specified (so people only using the previous command set should be fine).
[Other Info]
The ufw prepend command is new in 0.36 and thus has only been available in Debian, Ubuntu disco and the ufw snap for a few weeks. The snap has been known to work with fail2ban and the prepend command in production environments since it became available.
= Original description =
I am unable to insert any rules concerning IPv6 before IPv4 rules. Thus, when IPv4 rules are numbered 1 to 5 and IPv6 rules are numbered 6 to 10, the following command:
[code]
ufw insert 1 deny from 2a02:2210:
[/code]
errors with "ERROR: Invalid position '1'".
However, the command
[code]
ufw insert 6 deny from 2a02:2210:
[/code]
succeeds.
In my case, this poses a problem, since I am trying to insert rules from a script against brute force attacks. The script needs to insert blocking rules before a number of other rules that open up some ports (since the order of rules is important in ufw). However, since the number of IPv4 rules will be changing all the time, the position of the first available number for an IPv6 address is hard to determine.
Proposed solution: either allow IPv6 rules to precede IPv4 rules, or implement a keyword defining the first available position; e.g. "ufw insert first deny from 2a02:2210:".
BTW: this was all figured out with ufw version 0.31.1-1, Ubuntu 12.04.5 LTS,
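The bookkeeping the description above complains about, written out as an added example (this is not code from ufw, fail2ban or the bug reporter): on ufw before 0.36 a blocking script has to read `ufw status numbered`, find where the IPv6 block starts and pass that number to `insert`, because `insert 1` is rejected for an IPv6 rule once IPv4 rules exist; on 0.36 the same script can use `prepend` and skip the lookup. Assumptions: a status line is treated as IPv6 when it carries the "(v6)" marker that ufw prints next to "Anywhere" (a rule naming explicit IPv6 addresses on both sides has no marker and would be missed, so a ruleset starting its IPv6 block with such a rule would get a position one too high), and the `ufw --help` probe for `prepend` support is an assumption that is not exercised here. The sample status output is constructed to match the [Test Case] above.

```shell
#!/bin/sh
# Added example, not code from ufw, fail2ban or the bug report.
# Assumption: IPv6 rules are recognised by the "(v6)" marker ufw prints
# next to "Anywhere"; rules with explicit IPv6 addresses on both sides
# carry no marker and would be missed by this heuristic.

# Read 'ufw status numbered' on stdin and print the 1-based position of the
# first IPv6 rule, or (last rule number + 1) when there is none. An empty
# ruleset therefore yields 1, which is what 'insert' expects.
first_v6_position() {
    awk '
        /^\[ *[0-9]+\]/ {
            n = substr($0, 2, index($0, "]") - 2) + 0   # "[ 7] ..." -> 7
            last = n
            if (found == 0 && index($0, "(v6)") > 0) found = n
        }
        END { print (found > 0 ? found : last + 1) }
    '
}

# Print the ufw command that blocks address $1 ahead of the allow rules.
# $2 is the current 'ufw status numbered' output; $3 is "yes" when the
# installed ufw understands 'prepend' (0.36 and later).
block_command() {
    addr=$1
    status=$2
    have_prepend=$3
    if [ "$have_prepend" = yes ]; then
        printf 'ufw prepend deny from %s\n' "$addr"
        return 0
    fi
    case $addr in
        *:*) pos=$(printf '%s\n' "$status" | first_v6_position) ;;  # IPv6 literal
        *)   pos=1 ;;                                              # IPv4: top of the v4 block
    esac
    printf 'ufw insert %s deny from %s\n' "$pos" "$addr"
}

# Assumption: the 0.36 usage text lists 'prepend', so grepping 'ufw --help'
# is used as the capability probe. Not called below, so the example runs
# on a machine without ufw.
ufw_has_prepend() {
    ufw --help 2>/dev/null | grep -q prepend
}

# Constructed sample of 'ufw status numbered' mirroring the [Test Case].
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    1.2.3.4
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere (v6)              ALLOW IN    2001:db8::/32'

# Usage: the pre-0.36 path computes position 3 for an IPv6 deny rule and
# position 1 for an IPv4 one; the 0.36 path needs no position at all.
block_command 2001:db8::1 "$SAMPLE_STATUS" no
block_command 6.7.8.9 "$SAMPLE_STATUS" no
block_command 2001:db8::1 "$SAMPLE_STATUS" yes
```

A real action script would capture `ufw status numbered` immediately before each insert, since any rule added in between shifts the IPv6 boundary, which is exactly the race that `prepend` removes.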
Changed in ufw (Ubuntu): status New → Confirmed; importance Undecided → Medium
Changed in ufw (Ubuntu): status Confirmed → Triaged
Changed in ufw (Ubuntu): status Triaged → Confirmed; tags removed: upgrade-software-version
Changed in ufw (Debian): status Unknown → New
Changed in ufw (Debian): status New → Fix Released
Changed in ufw (Debian): status Fix Released → New
Changed in ufw: status New → In Progress; assignee nobody → Jamie Strandboge (jdstrand)
Changed in ufw: status In Progress → Fix Committed
Changed in ufw (Ubuntu): status Confirmed → Triaged; assignee nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Bionic): status New → Triaged
Changed in ufw (Ubuntu Cosmic): status New → Triaged; assignee nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Bionic): assignee nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Cosmic): importance Undecided → Medium
Changed in ufw (Ubuntu Bionic): importance Undecided → Medium
Changed in ufw: importance Undecided → Low; importance Low → Medium
Changed in ufw (Ubuntu Disco): status Triaged → In Progress
Changed in ufw (Debian): status New → Fix Released
description: updated
Changed in ufw (Ubuntu Bionic): status Triaged → In Progress
Changed in ufw (Ubuntu Cosmic): status Triaged → In Progress
This is my solution.
--- ufw-0.34/ src/frontend. py 2015-08-20 20:10:26.000000000 +0200 src/frontend. py 2015-12-21 09:46:25.311587993 +0100
elif ip_version == "v6":
if r.position > num_v4:
r.set_ position( r.position - num_v4)
pos_err_ msg += str(r.position) + "'"
raise UFWError( pos_err_ msg)
r.set_ v6(True)
+++ ufw-0.34/
@@ -451,7 +451,7 @@ class UFWFrontend:
- elif r.position != 0 and r.position <= num_v4:
+ elif r.position != 0 and r.position > num_v4+num_v6:
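Review bot: the rewritten `elif` on the `+` line is unreachable: the branch directly above it, `if r.position > num_v4:`, already takes every position greater than num_v4 and applies `r.set_position(r.position - num_v4)`, so the new `r.position > num_v4+num_v6` test can never be evaluated and no upper bound is enforced in this block. At the same time a position between 1 and num_v4 now falls through both branches and is passed to the IPv6 chain unadjusted, so with five IPv4 rules `insert 3 deny from <v6>` lands at IPv6 slot 3 rather than before rule 3 of `ufw status numbered`, which is not what the numbering suggests. If the intent is "positions up to num_v4 count within the IPv6 chain", state that in the man page and add an explicit bound such as `elif r.position > num_v6:` raising the same error; otherwise a dedicated keyword like the reporter's `insert first` avoids overloading the numbering.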