ufw

ufw flushes iptables although disabled

Bug #311066 reported by AmenophisIII on 2008-12-24
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw | | Undecided | Jamie Strandboge | |
| 0.16-hardy | | Undecided | Jamie Strandboge | |
| 0.23-intrepid | | Undecided | Jamie Strandboge | |
| ufw (Ubuntu) | | Undecided | Unassigned | |
| Hardy | | Undecided | Jamie Strandboge | |
| Intrepid | | Undecided | Jamie Strandboge | |
| Jaunty | | Undecided | Unassigned | |

Bug Description

The init.d script for ufw flushes the iptables when called with "stop" even when ENABLED=no in the ufw.conf.

I noticed this when I did an "init 1" for some backups. After getting back to "init 5" there were still no rules, but all services are started of course.... So for me... this was a kind of a security problem, so I'll report it as such. But it's not THAT critical I guess...

I set my own iptables with ifupdown commands and network seems to stay enabled in "init 1".
You could argue, that's my own fault... but I did not even know about ufw.. and it's disabled... so it shouldn't tinker with my iptables! :)

IMHO the init script should test if ENABLED is set while stopping, just like it is done in the start case:

    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
...

and not do anything if it's disabled.

ufw 0.23.2
ubuntu 8.10
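
The guard proposed in the report above, as an added example that is not ufw's own conf/initscript. The rule table is modelled by a file so the check runs without root or iptables; `RULES`, `flush_rules`, `conf_enabled`, `stop_unguarded`, `stop_guarded` and `rule_survives_stop` are hypothetical names, and the sample rule is constructed.

```shell
#!/bin/sh
# Added example, not ufw's conf/initscript. The rule table is modelled by a
# file (RULES, hypothetical) so this runs without root or iptables.

RULES=${RULES:-$(mktemp)}

flush_rules() {                      # stand-in for the iptables flush on stop
    : > "$RULES"
}

# Read ENABLED from a ufw.conf-style file; the last assignment wins.
conf_enabled() {
    sed -n 's/^ENABLED=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Same test the start case uses, as quoted in the report.
is_enabled() {
    ENABLED=$(conf_enabled "$1")
    [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]
}

# Behaviour reported: stop flushes whatever ENABLED says.
stop_unguarded() {
    flush_rules
}

# Guarded stop: a disabled ufw leaves rules set by other tools untouched.
stop_guarded() {
    if is_enabled "$1"; then
        flush_rules
    fi
    return 0
}

# Regression check: add a rule, run the given stop function on the given
# config file, and succeed only if the rule is still present afterwards.
rule_survives_stop() {
    stop_fn=$1 conf=$2
    echo "-A INPUT -p tcp --dport 22 -j ACCEPT" > "$RULES"   # constructed sample rule
    "$stop_fn" "$conf"
    grep -q -- '--dport 22' "$RULES"
}
```

On a real host the same check is done by adding a rule, running the init script's stop action with ufw disabled, and confirming the rule is still listed.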

Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and taking the time to report a bug. I am working on a fix for this and it should be available soon.

Changed in ufw:
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

This is fixed in 0.25.

Changed in ufw:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

I assume this is fixed in Jaunty.

Changed in ufw:
status: New → Fix Released
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Accepted ufw into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Accepted ufw into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in ufw:
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Fixed in 0.16.2.4

$ apt-cache policy ufw
ufw:
  Installed: 0.16.2.4
  Candidate: 0.16.2.4
  Version table:
 *** 0.16.2.4 0
        500 http://archive.ubuntu.com hardy-proposed/main Packages
        100 /var/lib/dpkg/status
     0.16.2.3 0
        500 http://192.168.122.1 hardy-updates/main Packages
     0.16.2 0
        500 http://192.168.122.1 hardy/main Packages

Jamie Strandboge (jdstrand) wrote :

Fixed in 0.23.3

$ apt-cache policy ufw
ufw:
  Installed: 0.23.3
  Candidate: 0.23.3
  Version table:
 *** 0.23.3 0
        500 http://archive.ubuntu.com intrepid-proposed/main Packages
        100 /var/lib/dpkg/status
     0.23.2 0
        500 http://192.168.122.1 intrepid/main Packages

Changed in ufw:
assignee: nobody → jdstrand
assignee: nobody → jdstrand

I can confirm that the fix works with the version in intrepid-proposed.

Keeping ufw disabled:
Adding a rule to an iptables chain, running "invoke-rc.d ufw stop" will then clear this rule. After upgrading to the version in intrepid-proposed the rule is still there.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.23.3

---------------
ufw (0.23.3) intrepid-proposed; urgency=low

  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * formatting of dpkg output incorrect on upgrades (LP: #300726)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Mon, 19 Jan 2009 10:32:03 -0600

Changed in ufw:
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

There are two users reporting success, please release the hardy package. Thank you.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.16.2.4

---------------
ufw (0.16.2.4) hardy-proposed; urgency=low

  * debian/postrm: don't fail if iptables or ip6tables fails (LP: #278670)
  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Sat, 17 Jan 2009 09:04:06 -0600

Changed in ufw:
status: Fix Committed → Fix Released