ufw

ufw before6.rules adds echo-request and echo-response rules to wrong chain

Bug #1633698 reported by Nick Tait on 2016-10-15
Affects        Status   Importance   Assigned to   Milestone
ufw                     Medium       Unassigned
ufw (Ubuntu)            Medium       Unassigned

Bug Description

The default before6.rules file that is installed with the ufw package contains a copy/paste error. It is apparent that the intention is to add rules for echo-request and echo-response to the following chains:

ufw6-before-input
ufw6-before-output
ufw6-before-forward

However, there is a copy/paste error and instead of adding the rules to ufw6-before-output, it adds them to ufw6-before-input a second time. The result is that the rules are absent from ufw6-before-output.

The file that needs to be fixed in the package is: /usr/share/ufw/iptables/before6.rules

Here is what diff -u shows if I compare the original file to the corrected version:

--- /usr/share/ufw/iptables/before6.rules 2016-04-15 17:16:29.000000000 +1200
+++ ufw_fixed_before6.rules 2016-10-15 23:00:57.763041239 +1300
@@ -77,8 +77,8 @@
 -A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 # codes 0-2
 -A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
 -A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
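Review bot: dropping the two `-A ufw6-before-input ... echo-request/echo-reply` lines in this hunk is only correct because the INPUT section earlier in the file already carries that pair (the description calls this second copy a duplicate); the patch should be reviewed alongside that section, and the ufw6-before-forward section deserves the same check since the report names it as the third intended chain. Because the package tracks the checksum of the shipped file (debian/before6.rules.md5sum), that sum has to be updated together with this change, as the 0.35-3 changelog records.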

The impact of this error is minor because the ufw.conf file sets the default outbound policy to accept:
DEFAULT_OUTPUT_POLICY="ACCEPT"

Of course if anyone changed the default outbound policy then the error would mean that pings made from the server to other machines would be blocked.

I will attach the original and my fixed version of before6.rules to this bug report.

Thanks for taking the time to look at this issue.

Nick.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: ufw 0.35-2
ProcVersionSignature: Ubuntu 4.8.0-22.24-generic 4.8.0
Uname: Linux 4.8.0-22-generic i686
ApportVersion: 2.20.3-0ubuntu8
Architecture: i386
Date: Sat Oct 15 23:09:04 2016
InstallationDate: Installed on 2016-10-14 (1 days ago)
InstallationMedia: Ubuntu-Server 16.10 "Yakkety Yak" - Release i386 (20161012.1)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: No upgrade log present (probably fresh install)
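A check for the condition the report describes, added here as an example and not part of the bug report or of the ufw project: it parses an iptables-restore style rules file and reports which of the three before chains lack, or carry twice, the ICMPv6 echo-request/echo-reply ACCEPT rules. The excerpt it audits is constructed from the hunk above; the chain and type names are the ones the report uses.

```python
"""Audit a ufw before6.rules file: every before chain should ACCEPT ICMPv6 echo-request/echo-reply."""
import re
from collections import Counter

ECHO_CHAINS = ("ufw6-before-input", "ufw6-before-output", "ufw6-before-forward")
ECHO_TYPES = ("echo-request", "echo-reply")
# iptables-restore line, e.g. "-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+-p\s+icmpv6\s+--icmpv6-type\s+(?P<type>\S+)\s.*-j\s+ACCEPT$")

def count_icmpv6_accepts(text):
    """Count ACCEPT rules per (chain, icmpv6-type); comments and blank lines are skipped."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if m:
                counts[(m.group("chain"), m.group("type"))] += 1
    return counts

def audit_echo_rules(text):
    """Return (missing, duplicated) lists of (chain, type): echo rules a chain lacks, or carries twice."""
    counts = count_icmpv6_accepts(text)
    wanted = [(c, t) for c in ECHO_CHAINS for t in ECHO_TYPES]
    return [k for k in wanted if counts[k] == 0], [k for k in wanted if counts[k] > 1]

def excerpt(output_chain):
    """Constructed excerpt modelled on the bug's hunk; output_chain is the name the OUTPUT
    section's two echo lines carry (the bug: ufw6-before-input; the fix: ufw6-before-output)."""
    def echo(chain):
        return (f"-A {chain} -p icmpv6 --icmpv6-type echo-request -j ACCEPT\n"
                f"-A {chain} -p icmpv6 --icmpv6-type echo-reply -j ACCEPT\n")
    return (echo("ufw6-before-input")
            + "# codes 0-2\n-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT\n"
            + echo(output_chain)
            + "-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT\n"
            + echo("ufw6-before-forward"))

BUGGY = excerpt("ufw6-before-input")   # the shipped 0.35-2 layout, as the report describes it
FIXED = excerpt("ufw6-before-output")  # after the reporter's patch

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BUGGY
    print("missing:", audit_echo_rules(text)[0], "duplicated:", audit_echo_rules(text)[1])
```

Run it against /usr/share/ufw/iptables/before6.rules on an installed system to confirm the packaged file reports nothing missing and nothing duplicated.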

Nick Tait (nick.t) wrote :
Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and filing a bug. I've adjusted this in trunk and it will be in the next release.

Changed in ufw:
status: New → Fix Committed
importance: Undecided → Medium
Changed in ufw (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in ufw (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.35-3

---------------
ufw (0.35-3) unstable; urgency=medium

  * 0002-bug849628.patch: adjust testsuite for recent changes to netbase
    (Closes: 849628)
  * 0003-use-default-tcp-syncookies.patch: don't override distribution default
    for TCP syncookies
  * 0004-lp1633698.patch: adjust ufw6-before-output rules for echo-reply and
    echo-request (LP: #1633698)
  * update debian/before6.rules.md5sum
  * fix lintian errors:
    - debian/control: Build-Depends on dh-python and debhelper >= 9
    - debian/compat: use compatibility level 9

 -- Jamie Strandboge <email address hidden> Sun, 08 Jan 2017 16:33:45 +0000

Changed in ufw (Ubuntu):
status: In Progress → Fix Released