ufw

Rules for DROP actions are inserted after allow actions in user.rules and thus do not work

Bug #1606353 reported by graysky on 2016-07-25
Affects: ufw
Importance: Undecided
Assigned to: Unassigned

Bug Description

ufw version: 0.35
distro: Arch ARM (for aarch64)

summary: Unless I am doing this incorrectly, I am finding that DROP rules I add are inserted into /etc/ufw/user.rules above the ACCEPT rules and are thus ignored. If, by contrast, I manually edit /etc/ufw/user.rules and place my DROP rule above the allow rules, ufw gives the expected behavior (i.e. no connections).

steps to reproduce:
1) Set up a fresh install of ufw like this:

ufw default deny
ufw allow from 192.168.1.0/24
ufw allow SSH
ufw allow 'WWW Secure'
ufw deny from 199.115.0.0/16

2) Enable ufw and look in /etc/ufw/user.rules; you will see:

...
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'

### tuple ### deny any any 0.0.0.0/0 any 199.155.0.0/16 in
-A ufw-user-input -s 199.155.0.0/16 -j DROP
...

As I understand it, rules are taken in order and the traffic in the ACCEPT comes through before the next line, which is the DROP. Taken as such, I have repeat connections from the spammer at that IP address. Now, if I manually reverse the rules in /etc/ufw/user.rules, the incoming connections are blocked as expected.
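The ordering problem described in the report, checked mechanically: an added example (not ufw's own code, nor the reporter's) that parses the '-A ufw-user-input' lines of a user.rules file and reports every DROP rule that an earlier ACCEPT with overlapping source, protocol and port already matches. The sample excerpt is constructed to mirror the report; only the -s, -p, --dport and -j options are considered.

```python
"""Flag ufw DROP rules that earlier ACCEPT rules in user.rules shadow.
Constructed example, not ufw's own code: ufw-user-input is first-match-wins."""
import ipaddress
import shlex

# Constructed user.rules excerpt modelled on the report (### tuple ### lines omitted).
SAMPLE_RULES = """\
-A ufw-user-input -s 192.168.1.0/24 -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'
-A ufw-user-input -s 199.155.0.0/16 -j DROP
"""

def parse_rule(line):
    """Parse one '-A ufw-user-input ...' line; return None for any other line."""
    if not line.lstrip().startswith("-A ufw-user-input"):
        return None  # comments, ### tuple ### markers, other chains
    tokens = shlex.split(line)
    rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "proto": None,
            "dport": None, "target": None, "line": line.strip()}
    flags = {"-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            value = tokens[i + 1]
            rule[flags[tok]] = ipaddress.ip_network(value, strict=False) if tok == "-s" else value
    return rule  # -d, -m comment etc. do not affect this ordering check

def overlaps(accept, drop):
    """True if some traffic the DROP intends to block is already matched by ACCEPT."""
    if not accept["src"].overlaps(drop["src"]):
        return False
    for key in ("proto", "dport"):  # None means 'any' for that field
        if accept[key] and drop[key] and accept[key] != drop[key]:
            return False
    return True

def shadowed_drops(rules_text):
    """Return [(drop_line, [earlier ACCEPT lines that shadow it]), ...] in file order."""
    accepts, findings = [], []
    for raw in rules_text.splitlines():
        rule = parse_rule(raw)
        if rule and rule["target"] == "ACCEPT":
            accepts.append(rule)
        elif rule and rule["target"] in ("DROP", "REJECT"):
            hits = [a["line"] for a in accepts if overlaps(a, rule)]
            if hits:
                findings.append((rule["line"], hits))
    return findings
```

On a real host, `shadowed_drops(open("/etc/ufw/user.rules").read())` reports the shadowed DROP lines together with the ACCEPT lines that precede them; for the sample, the 199.155.0.0/16 DROP is flagged against the port 22 and 443 ACCEPTs but not against the 192.168.1.0/24 ACCEPT, whose source does not overlap.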

graysky (graysky) wrote :

Seems if I place these in /etc/ufw/before.rules right before the bottom, they are honored. Not a bug, sorry for the noise.

Changed in ufw:
status: New → Invalid