ufw

Comment 0 for bug 1933117

Derek Ramsey (ramman3000) wrote : ufw deletes entries in wrong order

UFW versions 0.35 (on Ubuntu 16.04 LTS) and 0.36 (on Ubuntu 20.04 LTS)

If a rule is inserted without specifying the protocol, it will default to both udp and tcp. If a second rule is inserted earlier in the order that specifies the protocol but is otherwise identical, UFW will delete the wrong rule if the first rule is deleted.

This is repeatable with the following script:

ufw insert 1 allow from 1.1.1.1/26 to any port 22
ufw insert 2 allow from 1.2.3.4/26 to any port 22
ufw insert 1 allow from 1.2.3.4/26 to any port 22 proto tcp
iptables -L -n | grep -A 6 "Chain ufw-user-input"
yes | ufw delete 3
iptables -L -n | grep -A 4 "Chain ufw-user-input"

The output is as follows:

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.2.3.0/26 0.0.0.0/0 udp dpt:22

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22

UFW deleted the first rule for 1.2.3.0 and then the last rule for 1.2.3.0, leaving the wrong rule remaining. Here is the ufw status:

To Action From
-- ------ ----
22/tcp ALLOW 1.2.3.0/26
22 ALLOW 1.1.1.0/26

Mixing ALLOW and DROP/DENY rules can further result in incorrect behavior due to this incorrect reordering. On port 22, this could render SSH remotely inaccessible.
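The practical risk in this report is that ufw's own view of the rule order no longer matches the netfilter chain, and with first-match semantics the order decides which packets get through. The following script is an added example (not part of the bug report and not ufw's own code) that checks for exactly that desync: it expands a `ufw status` table into the per-protocol rules ufw believes it installed, parses the `ufw-user-input` chain from `iptables -L -n`, and reports any rule that is missing, unexpected, or present but in a different position. It assumes that a row with no protocol stands for a tcp rule followed by a udp rule (which is the order the report's pre-delete chain dump shows) and that ALLOW/DENY/REJECT render as ACCEPT/DROP/REJECT targets; both mappings are assumptions of this example. The sample inputs are the `ufw status` table and the post-delete chain dump quoted above.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input: the `ufw status` table and the post-delete
# `iptables -L -n` chain dump quoted in the bug report above.
UFW_STATUS = """\
To Action From
-- ------ ----
22/tcp ALLOW 1.2.3.0/26
22 ALLOW 1.1.1.0/26
"""

IPTABLES_CHAIN = """\
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
"""

# A rule as both tools see it: (netfilter target, protocol, source network, port).
Rule = Tuple[str, str, str, str]

# Assumed mapping of ufw action keyword -> iptables target in ufw-user-input.
ACTION_TO_TARGET = {"ALLOW": "ACCEPT", "DENY": "DROP", "REJECT": "REJECT"}

UFW_LINE = re.compile(
    r"^(\S+?)(?:/(tcp|udp))?\s+(ALLOW|DENY|REJECT)(?:\s+(?:IN|OUT))?\s+(\S+)"
)
IPT_LINE = re.compile(
    r"^(ACCEPT|DROP|REJECT)\s+(tcp|udp)\s+--\s+(\S+)\s+\S+\s+(?:tcp|udp) dpt:(\d+)"
)


def normalize_src(src: str) -> str:
    """Canonicalise a source so 1.2.3.4/26 (as typed into ufw) and
    1.2.3.0/26 (as iptables prints it) compare equal."""
    if src == "Anywhere":
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(src, strict=False))


def parse_ufw_status(text: str) -> List[Rule]:
    """Expand `ufw status` rows into the per-protocol rules ufw believes it
    installed, in order. A row without a protocol is assumed to stand for a
    tcp rule immediately followed by a udp rule."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = UFW_LINE.match(line.strip())
        if not m:
            continue  # header and separator rows
        port, proto, action, src = m.groups()
        protos = [proto] if proto else ["tcp", "udp"]
        for p in protos:
            rules.append((ACTION_TO_TARGET[action], p, normalize_src(src), port))
    return rules


def parse_iptables_chain(text: str) -> List[Rule]:
    """Extract the rules actually present in the ufw-user-input chain, in order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = IPT_LINE.match(line.strip())
        if m:
            target, proto, src, port = m.groups()
            rules.append((target, proto, normalize_src(src), port))
    return rules


def compare(expected: List[Rule], actual: List[Rule]):
    """Return (order_matches, missing, unexpected). The same set in a different
    order is still a failure: netfilter stops at the first match, so position
    decides which packets are accepted or dropped."""
    missing = [r for r in expected if r not in actual]
    unexpected = [r for r in actual if r not in expected]
    return expected == actual, missing, unexpected


def first_divergence(expected: List[Rule], actual: List[Rule]) -> int:
    """Index of the first position where the two orderings disagree, or -1 if identical."""
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return i
    return -1 if len(expected) == len(actual) else min(len(expected), len(actual))


def report(ufw_text: str, ipt_text: str) -> str:
    """Human-readable verdict for a pair of captured outputs."""
    expected = parse_ufw_status(ufw_text)
    actual = parse_iptables_chain(ipt_text)
    ok, missing, unexpected = compare(expected, actual)
    if ok:
        return "OK: ufw and the ufw-user-input chain agree on rules and order"
    lines = ["MISMATCH between ufw's view and the ufw-user-input chain"]
    for r in missing:
        lines.append(f"  missing from iptables: {r}")
    for r in unexpected:
        lines.append(f"  unexpected in iptables: {r}")
    idx = first_divergence(expected, actual)
    if 0 <= idx < min(len(expected), len(actual)):
        lines.append(f"  order diverges at position {idx}: ufw expects {expected[idx]}, "
                     f"iptables has {actual[idx]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(UFW_STATUS, IPTABLES_CHAIN))
```

On the report's data every rule is still present, but the `1.2.3.0/26` tcp rule that ufw lists first sits last in the chain, so the check reports a mismatch at position 0. On a live host the same functions can be fed the output of `ufw status` and `iptables -L ufw-user-input -n` after each rule change; a non-empty `missing`/`unexpected` list or a divergence index is the signal to reload the ruleset rather than trust ufw's ordering.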