ufw

Rules for DROP actions are inserted after allow actions in user.rules and thus do not work

Bug #1606353 reported by graysky
Affects: ufw
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

ufw version: 0.35
distro: Arch ARM (for aarch64)

summary: Unless I am doing this incorrectly, I am finding that DROP rules I add are inserted into /etc/ufw/user.rules above the ACCEPT rules and are thus ignored. If, by contrast, I manually edit /etc/ufw/user.rules and place my DROP rule above the allow rules, ufw gives the expected behavior (i.e. no connections).

steps to reproduce:
1) Set up a fresh install of ufw like this:

ufw default deny
ufw allow from 192.168.1.0/24
ufw allow SSH
ufw allow 'WWW Secure'
ufw deny from 199.115.0.0/16

2) Enable ufw and look in /etc/ufw/user.rules; you will see:

...
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 WWW%20Secure - in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT -m comment --comment 'dapp_WWW%20Secure'

### tuple ### deny any any 0.0.0.0/0 any 199.155.0.0/16 in
-A ufw-user-input -s 199.155.0.0/16 -j DROP
...

As I understand it, rules are taken in order, and the traffic in the ACCEPT comes through before the next line, which is the DROP. Taken as such, I have repeat connections from the spammer at that IP address. Now, if I manually reverse the rules in /etc/ufw/user.rules, the incoming connections are blocked as expected.
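The ordering effect described in the report can be reproduced without touching a real firewall. The following is an added example, not code from the report or from the ufw project: it models an iptables chain as a first-match rule list using the same four rules the reporter created (the rule tuples and the test packets are constructed for illustration), evaluates a packet from the denied /16 against the chain as ufw wrote it and against a chain with the DROP rule moved in front, and shows why only the ports with a broad ACCEPT rule leak while everything else was already caught by the DROP rule or the default policy.

```python
import ipaddress

# Constructed model of the ufw-user-input chain in the order the report shows
# it in /etc/ufw/user.rules: (action, protocol, destination port, source CIDR).
# None means "any", matching an iptables rule that omits that match.
RULES_AS_WRITTEN = [
    ("ACCEPT", None, None, "192.168.1.0/24"),   # ufw allow from 192.168.1.0/24
    ("ACCEPT", "tcp", 22, "0.0.0.0/0"),          # ufw allow SSH
    ("ACCEPT", "tcp", 443, "0.0.0.0/0"),         # ufw allow 'WWW Secure'
    ("DROP", None, None, "199.155.0.0/16"),      # ufw deny from 199.155.0.0/16
]

# "ufw default deny" sets the chain's fallback for packets no rule matches.
DEFAULT_POLICY = "DROP"


def rule_matches(rule, proto, dport, src):
    """True when every non-wildcard field of the rule matches the packet."""
    _action, r_proto, r_port, r_src = rule
    if r_proto is not None and r_proto != proto:
        return False
    if r_port is not None and r_port != dport:
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network(r_src)


def evaluate(rules, proto, dport, src, default=DEFAULT_POLICY):
    """Walk the chain top to bottom; the first matching rule decides the
    verdict, exactly as iptables does. Falls back to the chain policy."""
    for rule in rules:
        if rule_matches(rule, proto, dport, src):
            return rule[0]
    return default


def deny_first(rules):
    """Stable reorder that evaluates DROP/REJECT rules before ACCEPT rules.
    This is the ordering the reporter produced by editing user.rules by hand."""
    return sorted(rules, key=lambda r: 0 if r[0] in ("DROP", "REJECT") else 1)


def verdicts(rules, src="199.155.10.10"):
    """Verdict for a few constructed packets from a host in the denied /16."""
    return {
        "tcp/443": evaluate(rules, "tcp", 443, src),
        "tcp/22": evaluate(rules, "tcp", 22, src),
        "tcp/25": evaluate(rules, "tcp", 25, src),
    }


if __name__ == "__main__":
    print("as written by ufw:", verdicts(RULES_AS_WRITTEN))
    print("deny rule first:  ", verdicts(deny_first(RULES_AS_WRITTEN)))
    # Reordering must not affect hosts the allow rules were meant for.
    print("LAN host, port 22:", evaluate(deny_first(RULES_AS_WRITTEN), "tcp", 22, "192.168.1.5"))
```

The first line of output shows tcp/443 and tcp/22 from 199.155.10.10 accepted while tcp/25 is dropped: the broad ACCEPT rules sit above the DROP and win on first match, so only services with a world-open allow rule are exposed to the denied range. Once the DROP rule is evaluated first, all three are dropped and the LAN host is still accepted. On a real system the equivalent of `deny_first` is to give the deny rule a lower position with `ufw insert 1 deny from 199.155.0.0/16` (or, as the reporter found, to place it in /etc/ufw/before.rules), rather than editing user.rules, which ufw regenerates.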

graysky (graysky) wrote:

Seems if I place these in /etc/ufw/before.rules right before the bottom, they are honored. Not a bug, sorry for the noise.

Changed in ufw:
status: New → Invalid