On Fri, 13 Dec 2019, Jamie Strandboge wrote:

> On Thu, 10 Oct 2019, Jonathan Dowland wrote:
> 
> > Package: ufw
> > Version: 0.36-1
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > Post-buster upgrade, and ufw is no longer functioning correctly. I'm using
> > ip(6)tables-legacy, rather than the newer xtables stuff, for interoperability
> > with docker. My ufw ruleset has several ALLOWs, e.g.
> > 
> >     # ufw status | grep 22
> >     22                         ALLOW       Anywhere
> > 
> > (taken when ufw is "running").
> > 
> > However upon first starting ufw ("ufw enable"), all incoming traffic to the
> > host is dropped. Via the console I can see that this is because the INPUT
> > chain policy has been set to DENY, and the ufw tables are not hooked in
> > properly. Excerpts from "iptables-save" after "ufw enable":
> > 
> > *filter
> > :INPUT DROP [2943:317505]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [80:9298]
> > …
> > -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
> > …
> > 
> > So great, my rules are encoded into the ufw-user-input table fine, but that
> > table is not hooked into INPUT : iptables-save | grep "^-A INPUT" is empty.
> > 
> 
> I cannot reproduce on an up to date buster system:
> 
> $ sudo update-alternatives --config iptables
> There are 2 choices for the alternative iptables (providing
> /usr/sbin/iptables).
> 
>   Selection    Path                       Priority   Status
> ------------------------------------------------------------
> * 0            /usr/sbin/iptables-nft      20        auto mode
>   1            /usr/sbin/iptables-legacy   10        manual mode
>   2            /usr/sbin/iptables-nft      20        manual mode
> 
> Press <enter> to keep the current choice[*], or type selection number: 1
> update-alternatives: using /usr/sbin/iptables-legacy to provide
> /usr/sbin/iptables (iptables) in manual mode
> 
> 
> $ sudo ufw allow 22
> $ sudo ufw enable
> Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
> Firewall is active and enabled on system startup
> 
> $ sudo iptables-save |grep '\-A INPUT'
> -A INPUT -j ufw-before-logging-input
> -A INPUT -j ufw-before-input
> -A INPUT -j ufw-after-input
> -A INPUT -j ufw-after-logging-input
> -A INPUT -j ufw-reject-input
> -A INPUT -j ufw-track-input
> 
> (note the user chains are added to the end of the before chains with '-A
> ufw-before-input -j ufw-user-input')
> 
> So everything is working ok. Do you have other firewall software
> installed? Eg, iptables-persistent or similar?
> 
> Is it possible that you have software that is using the nft backend and
> not legacy? Is something calling iptables-legacy* directly but
> alternatives aren't setup correctly?

I'm closing this bug due to it being unreproducible locally and not
receiving the requested information. Please feel free to respond with
more info and we can reopen the bug.

-- 
Email: ja...@strandboge.com
IRC:   jdstrand
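
A check for the symptom described in this thread, added here as an example and not part of the bug report or of ufw itself: it reads an iptables-save dump and reports whether the ufw chains are jumped to from INPUT and whether ufw-before-input hands off to ufw-user-input. The two dumps embedded below are constructed from the excerpts quoted above, not captured from a real host.

```shell
# check_ufw_hooks DUMP
# DUMP is the text of an iptables-save dump. Returns 0 when every expected
# "-A INPUT -j ufw-*" hook is present and ufw-before-input reaches
# ufw-user-input; returns 1 and reports what is missing otherwise.
check_ufw_hooks() {
    dump=$1
    missing=""
    # The six chains the maintainer's working dump shows jumped to from INPUT.
    for chain in ufw-before-logging-input ufw-before-input ufw-after-input \
                 ufw-after-logging-input ufw-reject-input ufw-track-input; do
        printf '%s\n' "$dump" | grep -qxF -- "-A INPUT -j $chain" \
            || missing="$missing $chain"
    done
    # User rules only take effect if ufw-before-input hands off to ufw-user-input.
    printf '%s\n' "$dump" | grep -qxF -- '-A ufw-before-input -j ufw-user-input' \
        || missing="$missing ufw-before-input->ufw-user-input"
    if [ -n "$missing" ]; then
        echo "ufw chains not hooked into INPUT; missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample (not a real dump): the broken state from the report, with a
# user rule present but nothing jumping from INPUT into the ufw chains.
BROKEN_DUMP='*filter
:INPUT DROP [2943:317505]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [80:9298]
:ufw-user-input - [0:0]
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the hooked-in state the maintainer observed.
WORKING_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Stand-alone demo: the working dump passes, the broken one is flagged.
check_ufw_hooks "$WORKING_DUMP" && echo "working sample: hooks present"
check_ufw_hooks "$BROKEN_DUMP" || echo "broken sample: flagged as expected"
```

On a live host pass `"$(iptables-save)"` as the argument; on a system split between the legacy and nft backends, as the maintainer asks about, take the dump from the backend ufw is expected to be driving.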
