Drop rules not being applied correctly until ufw reload
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Expired | Undecided | Unassigned |
Bug Description
I have a small VPS server running Ubuntu 18.04.2 with ufw 0.35-5 on a Virtuozzo platform.
I've noticed that after a restart of the server, some of the rules are not being applied. ufw is configured to DROP incoming by default, but I have to provide drop rules in the user-input chain in order for the DROP rules to work correctly.
After reboot the chain looks like this:

```
Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:25
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
```
Running ufw reload changes the chain to:

```
Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:25
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
    0     0 DROP   tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    6   244 DROP   tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    0     0 DROP   tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
   87  5220 DROP   tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
```
Firstly, the DROP rules shouldn't be necessary to drop traffic to port 22, since the default is DROP in /etc/default/ufw:

```
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=
# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=
```
But I still get the following logged in the systemd journal:

```
Aug 17 09:42:45 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=x:x:x:x:x:x:x SRC=138.59.218.118 DST=x.x.x.x LEN=60 TOS=0x08 PREC=0x20 TTL=52 ID=3788 DF PROTO=TCP SPT=37227 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 17 09:42:52 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=x:x:x:x:x:x:x SRC=41.65.64.36 DST=x.x.x.x LEN=60 TOS=0x08 PREC=0x20 TTL=50 ID=12022 DF PROTO=TCP SPT=46718 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 17 09:42:53 host sshd[726]: Connection closed by 138.59.218.118 port 37227 [preauth]
Aug 17 09:42:54 host sshd[728]: Invalid user ubuntu from 41.65.64.36 port 46718
Aug 17 09:42:54 host sshd[728]: pam_unix(
Aug 17 09:42:54 host sshd[728]: pam_unix(
Aug 17 09:42:56 host sshd[728]: Failed password for invalid user ubuntu from 41.65.64.36 port 46718 ssh2
Aug 17 09:42:56 host sshd[728]: Received disconnect from 41.65.64.36 port 46718:11: Bye Bye [preauth]
Aug 17 09:42:56 host sshd[728]: Disconnected from invalid user ubuntu 41.65.64.36 port 46718 [preauth]
```
The above is before issuing ufw reload after a reboot. After a ufw reload traffic is blocked correctly.
I am unsure why extra DROP rules are needed at the end of the chain, so I think this might be a bug.
I will add that I don't see this problem on non-Virtuozzo platforms.
Please let me know if you need additional information.
Thanks
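A post-boot check one can script from the listings in the report, as an added example that is not part of the bug report or of ufw itself: it parses the `ufw-user-input` chain as printed above and reports ports that have an ACCEPT rule but no DROP rule (the state seen before `ufw reload`), and reads the INPUT chain policy so the default-DROP expectation can be verified after every reboot. The function names and the sample listings are constructed here.

```shell
#!/bin/sh
# Added example, not from the bug report: given `iptables -L ufw-user-input -n -v`
# output, list destination ports that have an ACCEPT rule but no DROP rule,
# which is the half-applied state the report shows after reboot. The sample
# listings are constructed from the report's output (x.x.x.x kept as placeholder).
BEFORE_RELOAD='Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22'
AFTER_RELOAD="$BEFORE_RELOAD
    0     0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    6   244 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
   87  5220 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22"

# Print, space separated and in first-seen order, every dpt: port that
# has an ACCEPT rule in the listing but no DROP rule.
missing_drops() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" || $3 == "DROP" {
            port = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            if (port == "") next
            if ($3 == "DROP") { drop[port] = 1; next }
            if (!(port in seen)) { seen[port] = 1; order[++n] = port }
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(order[i] in drop)) out = out (out == "" ? "" : " ") order[i]
            print out
        }'
}

# Extract the chain policy from the first line of `iptables -L INPUT -n`; with the
# DROP default in /etc/default/ufw this should read DROP, making per-port DROPs moot.
input_policy() {
    printf '%s\n' "$1" | awk 'NR == 1 && match($0, /policy [A-Z]+/) {
        print substr($0, RSTART + 7, RLENGTH - 7) }'
}

# Live check against the running firewall (needs root and iptables).
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    missing=$(missing_drops "$(iptables -L ufw-user-input -n -v 2>/dev/null)")
    if [ -n "$missing" ]; then
        echo "ports with ACCEPT but no DROP rule: $missing"
    fi
    echo "INPUT policy: $(input_policy "$(iptables -L INPUT -n 2>/dev/null)")"
fi
```

Run it from a boot-time unit or a cron job and alert on any listed port or on a policy other than DROP.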
Changed in ufw: status: New → Incomplete
Can you attach the output of the following command:

```
$ sudo /usr/share/ufw/check-requirements
```