Rules for DROP actions are inserted after allow actions in user.rules and thus do not work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Invalid | Undecided | Unassigned |
Bug Description
ufw version: 0.35
distro: Arch ARM (for aarch64)
summary: Unless I am doing this incorrectly, I am finding that DROP rules I add are inserted into /etc/ufw/user.rules below the ACCEPT rules and are thus ignored. If, by contrast, I manually edit /etc/ufw/user.rules and place my DROP rule above the allow rules, ufw gives the expected behavior (i.e. no connections).
steps to reproduce:
1) Setup a fresh install of ufw like this:
ufw default deny
ufw allow from 192.168.1.0/24
ufw allow SSH
ufw allow 'WWW Secure'
ufw deny from 199.115.0.0/16
2) Enable ufw and look in /etc/ufw/
...
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'
### tuple ### deny any any 0.0.0.0/0 any 199.155.0.0/16 in
-A ufw-user-input -s 199.155.0.0/16 -j DROP
...
As I understand it, rules are taken in order and the traffic in the ACCEPT comes through before the next line which is the DROP. Taken as such, I have repeat connections from the spammer at that IP address. Now, if I manually reverse the rules in /etc/ufw/user.rules the incoming connections are blocked as expected.
Seems if I place these in /etc/ufw/before.rules right before the bottom, they are honored. Not a bug, sorry for the noise.
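The behaviour the report describes is plain first-match evaluation: the `ufw-user-input` chain is walked top to bottom and the first rule that matches decides, so a later DROP cannot fire for traffic an earlier ACCEPT already matched. The following added example (not part of the bug report or of ufw itself) parses the `### tuple ###` comment lines from user.rules, evaluates a packet against them in order, and flags deny rules that sit below an overlapping allow. The field layout `action proto dport dst sport src [dapp sapp] direction` is inferred from the two lines quoted above and is an assumption; the sample text is constructed from those lines plus the 192.168.1.0/24 allow from step 1.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two "### tuple ###" lines quoted in the report plus the
# LAN allow from step 1, in the order ufw appends them (allows first, deny last).
USER_RULES = """\
### tuple ### allow any any 0.0.0.0/0 any 192.168.1.0/24 in
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 WWW%20Secure - in
### tuple ### deny any any 0.0.0.0/0 any 199.155.0.0/16 in
"""


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    dport: str                    # port number as text, or "any"
    dst: ipaddress.IPv4Network
    src: ipaddress.IPv4Network
    direction: str                # "in" or "out"


def parse_tuple(line: str) -> Rule:
    """Parse one '### tuple ###' comment line.

    Assumed layout (inferred from the report's lines, not from ufw's source):
    action proto dport dst sport src [dapp sapp] direction
    The optional app-profile names are skipped; direction is always last.
    """
    fields = line.split("### tuple ###", 1)[1].split()
    action, proto, dport, dst, _sport, src = fields[:6]
    return Rule(action, proto, dport,
                ipaddress.ip_network(dst), ipaddress.ip_network(src),
                fields[-1])


def parse_user_rules(text: str) -> list[Rule]:
    return [parse_tuple(l) for l in text.splitlines()
            if l.startswith("### tuple ###")]


def _compatible(rule_value: str, value: str) -> bool:
    return rule_value == "any" or rule_value == value


def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in rule.src
            and _compatible(rule.proto, proto)
            and _compatible(rule.dport, str(dport)))


def evaluate(rules: list[Rule], src_ip: str, proto: str, dport: int,
             default: str = "deny") -> str:
    """First match wins, exactly as the generated iptables chain behaves.
    'default' models 'ufw default deny' for packets no rule matches."""
    for rule in rules:
        if matches(rule, src_ip, proto, dport):
            return rule.action
    return default


def overshadowed_denies(rules: list[Rule]) -> list[tuple[int, int]]:
    """Return (deny_index, allow_index) pairs where an earlier allow overlaps a
    deny: some packet the deny was meant to drop is accepted before it is reached."""
    hits = []
    for i, deny in enumerate(rules):
        if deny.action != "deny":
            continue
        for j, allow in enumerate(rules[:i]):
            if (allow.action == "allow"
                    and allow.src.overlaps(deny.src)
                    and (allow.proto == "any" or deny.proto == "any"
                         or allow.proto == deny.proto)
                    and (allow.dport == "any" or deny.dport == "any"
                         or allow.dport == deny.dport)):
                hits.append((i, j))
    return hits


def deny_first(rules: list[Rule]) -> list[Rule]:
    """Reorder so denies precede allows, the effect of adding the deny with
    'ufw insert 1 deny from ...' instead of plain 'ufw deny from ...'."""
    return ([r for r in rules if r.action == "deny"]
            + [r for r in rules if r.action != "deny"])


if __name__ == "__main__":
    rules = parse_user_rules(USER_RULES)
    print("as written :", evaluate(rules, "199.155.1.2", "tcp", 443))
    print("shadowed   :", overshadowed_denies(rules))
    print("deny first :", evaluate(deny_first(rules), "199.155.1.2", "tcp", 443))
```

Running the block shows the report's symptom: a packet from 199.155.1.2 to tcp/443 is allowed under the order ufw wrote, and `overshadowed_denies` points at the ACCEPT for 443 as the rule that swallows it; the same packet is dropped once the deny is moved ahead of the allows. Note that the deny was never ineffective for ports without an allow (tcp/22 from that range falls through to the default deny either way), which is why the problem only shows up on the services that were opened.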