Package: ufw
Version: 0.35-6
Severity: grave
Tags: security a11y
Justification: user security hole

Dear Maintainer,

1.) Surprisingly, ENABLED is set to ENABLED=no in /etc/ufw/ufw.conf after upgrade.
2.) Setting option "IPV6=yes" in /etc/default/ufw produces an error:

root@mysystem # ufw enable
ERROR: problem running ufw-init
ip6tables-restore v1.8.1 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 38
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem:
-> /etc/ufw/before6.rules

Setting "IPV6=no" leads to normal operation (without IPV6 support of course)

root@mysystem # systemctl status ufw.service
● ufw.service - Uncomplicated firewall
  Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
  Active: active (exited) since Thu 2018-11-01 17:31:18 CET; 7min ago
  Docs: man:ufw(8)
  Process: 7103 ExecStop=/lib/ufw/ufw-init stop (code=exited, status=0/SUCCESS)
  Process: 7822 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
  Main PID: 7822 (code=exited, status=0/SUCCESS)

Nov 01 17:31:18 mysystem systemd[1]: Starting Uncomplicated firewall...
Nov 01 17:31:18 mysystem systemd[1]: Started Uncomplicated firewall.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  iptables               1.8.1-2
ii  lsb-base               9.20170808
ii  python3                3.6.7-1
ii  ucf                    3.0038

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.38.0-1+b1

-- Configuration Files:
/etc/default/ufw changed:
IPV6=yes
DEFAULT_INPUT_POLICY="ACCEPT"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"


-- debconf information:
* ufw/existing_configuration:
  ufw/allow_custom_ports:
  ufw/enable: true
  ufw/allow_known_ports:
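
An added example, not part of the original report and not code from ufw: a post-upgrade check that reads the two files named above and flags the states the report describes, since ufw.service shows "active (exited)" with status 0 in the output above and so does not reveal them. The function names and finding labels (DISABLED, NO_IPV6, OPEN_INPUT) are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the report or from ufw): audit ufw's config files.

# conf_value FILE KEY: last value assigned to KEY, unquoted and lowercased.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'[:space:]" | tr '[:upper:]' '[:lower:]'
}

# audit_ufw [UFW_CONF] [DEFAULTS]: one finding per line; returns 1 if any.
audit_ufw() {
    ufw_conf=${1:-/etc/ufw/ufw.conf}
    defaults=${2:-/etc/default/ufw}
    findings=0
    enabled=$(conf_value "$ufw_conf" ENABLED)
    ipv6=$(conf_value "$defaults" IPV6)
    input=$(conf_value "$defaults" DEFAULT_INPUT_POLICY)
    if [ "$enabled" != yes ]; then
        echo "DISABLED: ENABLED=${enabled:-unset} in $ufw_conf, ufw is not enabled"
        findings=$((findings + 1))
    fi
    if [ "$ipv6" != yes ]; then
        echo "NO_IPV6: IPV6=${ipv6:-unset} in $defaults, no IPv6 support in ufw"
        findings=$((findings + 1))
    fi
    if [ "$input" = accept ]; then
        echo "OPEN_INPUT: DEFAULT_INPUT_POLICY=ACCEPT in $defaults"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the report: ENABLED=no after the upgrade and
# the /etc/default/ufw values listed under "Configuration Files".
demo() {
    d=$(mktemp -d) || return 2
    printf 'ENABLED=no\n' > "$d/ufw.conf"
    printf 'IPV6=yes\nDEFAULT_INPUT_POLICY="ACCEPT"\n' > "$d/ufw"
    audit_ufw "$d/ufw.conf" "$d/ufw"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Runs the sample; call audit_ufw with no arguments to check the real paths.
demo || true
```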