Changed behaviour of ufw's limit policy in Ubuntu Bionic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Invalid | Undecided | Unassigned |
Bug Description
I originally posted this on https:/
If the explanation does not consider this as a bug, it can of course be closed.
I'm administrating several hosts with Ansible that until recently all ran on Ubuntu Xenial. After upgrading two of the hosts to Bionic, I'm experiencing a changed behaviour of the `ufw`-configured firewall whose cause I couldn't figure out. For context, here are some relevant tasks that are executed by Ansible (its pipelining feature to re-use connections is enabled) on the target hosts (I do not seek alternatives for the Ansible configuration, but want to understand the underlying cause):
1. disable `ufw`
2. reset `ufw`
3. grant limited (`limit` policy) access to the `sshd` from a gateway
4. allow other incoming connections depending on the roles
5. enable `ufw`, set the default policy to `deny`
With the Xenial installations this works fine, with the Bionic ones the process stalls on step 5.
At this point I can log in via `ssh` on the host in question, and
a) `ufw verbose` yields the expected result (all rules defined), identical to the Xenial hosts.
b) I can see entries in `/var/log/syslog` that block connections to port 22 from the gateway.
I therefore deduce that step 5 is executed properly, but causes the connection in use to get closed, and hence the client keeps waiting for a response.
When I change the policy in step 3 to `allow`, step 5 and the whole process succeed. I compared the `ufw` sources (different micro releases of `0.35`) and can't find a difference regarding the handling of the `limit` policy, which is also reflected by identical `iptables` rules on both distribution versions:
-A ufw-user-input -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A ufw-user-input -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j ufw-user-limit
-A ufw-user-input -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ufw-user-
The phenomenon is the same on a host with a freshly installed Ubuntu Bionic.
Can anyone explain what the source of the changed behaviour is?
As a sidenote, is ufw still maintained or developed further? The last release is about three years old now.
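To make the effect of the three `ufw-user-input` rules quoted above concrete, here is an added illustration (not code from ufw, Ansible or the report) that re-implements the matching semantics of `-m recent --set` and `-m recent --update --seconds 30 --hitcount 6` in Python and traces a sequence of packets to tcp/22 through the rules. The per-address stamp limit of 20 is xt_recent's `ip_pkt_list_tot` default and is an assumption, as is treating the third rule (whose target is cut off in the quoted output) as an accept; the sample packet sequences are constructed.

```python
"""Trace ufw's `limit` rules (the three ufw-user-input lines quoted in the
report) against a sequence of packets.  Added illustration, not ufw code:
it re-implements the matching semantics of `-m recent --set` and
`-m recent --update --seconds 30 --hitcount 6` in Python so the rate limit
can be checked offline."""
from collections import defaultdict, deque

WINDOW_SECONDS = 30   # --seconds 30
HITCOUNT = 6          # --hitcount 6
PKT_LIST_TOT = 20     # stamps kept per address; xt_recent ip_pkt_list_tot default (assumed)


class RecentTable:
    """Per-source timestamp list, the equivalent of the kernel's
    /proc/net/xt_recent/DEFAULT table keyed by --rsource with a /32 mask."""

    def __init__(self):
        self._stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """`--set` (rule 1): record the packet time for this source."""
        self._stamps[src].append(now)

    def update(self, src, now):
        """`--update --seconds S --hitcount N` (rule 2): match when the source
        already has at least N stamps inside the last S seconds.  On a match
        the entry is refreshed with another stamp, as the kernel does."""
        if src not in self._stamps:
            return False
        hits = sum(1 for t in self._stamps[src] if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self._stamps[src].append(now)
            return True
        return False


def verdict(table, src, now, ctstate):
    """Walk one packet to tcp/22 from `src` through the three quoted rules.
    Returns 'LIMIT' when it jumps to ufw-user-limit (where ufw logs and
    rejects it) or 'ACCEPT' when it falls through to the final rule, whose
    target is cut off in the quoted output and is assumed here to accept."""
    if ctstate == "NEW":               # rules 1 and 2 match only --ctstate NEW
        table.set(src, now)            # rule 1: no verdict, processing continues
        if table.update(src, now):     # rule 2
            return "LIMIT"
    return "ACCEPT"                    # rule 3


def simulate(packets):
    """packets: iterable of (src, time_in_seconds, ctstate); returns the
    verdict for each packet in order, sharing one recent table."""
    table = RecentTable()
    return [verdict(table, src, t, state) for src, t, state in packets]


if __name__ == "__main__":
    # Constructed sample: the gateway from the report opens six SSH
    # connections within six seconds; the sixth is the one that gets limited.
    burst = [("1.2.3.4", t, "NEW") for t in range(6)]
    for (src, t, state), v in zip(burst, simulate(burst)):
        print(f"t={t:2d}s {src} {state:<11} -> {v}")
```

Two things the trace makes visible: the window is sliding, so a sixth connection attempt at 31 seconds after the first is accepted again, and both `recent` rules carry `--ctstate NEW`, so packets of an already established session (such as an open Ansible SSH connection) never reach the limit chain through these rules.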
It actually seems to be an issue with Ansible 2.6, which I had just upgraded to:
https://github.com/ansible/ansible/issues/45446