ufw before6.rules adds echo-request and echo-response rules to wrong chain
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ufw | Fix Released | Medium | Jamie Strandboge | |
ufw (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
The default before6.rules file that is installed with the ufw package contains a copy/paste error. It is apparent that the intention is to add rules for echo-request and echo-response to the following chains:
ufw6-before-input
ufw6-before-output
ufw6-before-forward
However, there is a copy/paste error: instead of adding the rules to ufw6-before-output, it adds them to ufw6-before-input a second time. The result is that the rules are absent from ufw6-before-output.
The file that needs to be fixed in the package is: /usr/share/
Here is what diff -u shows if I compare the original file to the corrected version:
--- /usr/share/
+++ ufw_fixed_
@@ -77,8 +77,8 @@
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
--A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-
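Review bot: The two replaced echo-request and echo-reply lines were the only rules in this block naming ufw6-before-input, and nothing in the file or its tooling flagged the mismatch. The chain name on the changed lines now matches the surrounding ufw6-before-output rules, so the change itself looks correct. To keep it from regressing, consider adding a test that asserts each of ufw6-before-input, ufw6-before-output and ufw6-before-forward carries both echo rules, because with the default outbound policy of accept the omission has no visible effect at runtime.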
The impact of this error is minor because the ufw.conf file sets the default outbound policy to accept:
DEFAULT_
Of course, if anyone changed the default outbound policy, then the error would mean that pings made from the server to other machines would be blocked.
I will attach the original and my fixed version of before6.rules to this bug report.
Thanks for taking the time to look at this issue.
Nick.
ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: ufw 0.35-2
ProcVersionSign
Uname: Linux 4.8.0-22-generic i686
ApportVersion: 2.20.3-0ubuntu8
Architecture: i386
Date: Sat Oct 15 23:09:04 2016
InstallationDate: Installed on 2016-10-14 (1 days ago)
InstallationMedia: Ubuntu-Server 16.10 "Yakkety Yak" - Release i386 (20161012.1)
PackageArchitec
SourcePackage: ufw
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in ufw (Ubuntu):
status: Triaged → In Progress
Changed in ufw:
milestone: none → 0.36
assignee: nobody → Jamie Strandboge (jdstrand)
Thank you for using ufw and filing a bug. I've adjusted this in trunk and it will be in the next release.
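One way to check a rules file for the defect this report describes, as an added example that is not part of the report or of ufw's own code: it lists which of the three chains lack an ACCEPT rule for echo-request or echo-reply, and which rules appear twice. The sample input is constructed from the hunk in the report, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not ufw code): audit ICMPv6 echo rules in a before6.rules file.
CHAINS="ufw6-before-input ufw6-before-output ufw6-before-forward"
TYPES="echo-request echo-reply"

# Reads rules on stdin; prints "chain type" for every expected ACCEPT rule
# that is absent. Prints nothing when all six rules are present.
missing_echo_rules() {
    awk -v chains="$CHAINS" -v types="$TYPES" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 == "-A" {
            type = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--icmpv6-type") type = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && type != "") seen[$2 " " type] = 1
        }
        END {
            nc = split(chains, c, " "); nt = split(types, t, " ")
            for (i = 1; i <= nc; i++)
                for (j = 1; j <= nt; j++)
                    if (!((c[i] " " t[j]) in seen)) print c[i], t[j]
        }'
}

# Reads rules on stdin; prints each -A rule that occurs more than once,
# the other symptom of the copy/paste error.
duplicate_rules() {
    grep '^-A' | sort | uniq -d
}

# Constructed sample modeled on the hunk in the report, not the shipped file.
# $1 is the chain used for the two echo rules in the output section.
sample_rules() {
    cat <<EOF
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A $1 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A $1 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
EOF
}

echo "before the fix:"; sample_rules ufw6-before-input | missing_echo_rules
echo "after the fix:";  sample_rules ufw6-before-output | missing_echo_rules
```

To audit an installed file, feed it on stdin, for example `missing_echo_rules < before6.rules`.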