On Wed, 26 Jun 2019, Eloi Coutant wrote:

> Package: ufw
> Version: 0.35-4
> Severity: important
> 
> Dear Maintainer,
> 
> I configured ufw with a DENY IN and DENY OUT default position. To ease
> the configuration, I created new apps placed in
> /etc/ufw/applications.d/custom, as well as used some existing apps, then
> allowed in and out the desired apps.
> 
> Unfortunately, some ALLOW OUT rules disappear after installing new packages
> when dpkg triggers... trigger. I traced that back to the "ufw app update all"
> command, which effectively disables some outgoing rules for no apparent reason.
> 
> While some rules are not as important, it is problematic to lose
> outgoing traffic for a mail server because we updated some other
> packages...
> 
> Here are the lines deleted in the rules file after ufw app update all:
> < ### tuple ### allow tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Nginx%20Full - out
> < -A ufw-user-output -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment 'dapp_Nginx%20Full'
> <
> < ### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 DNS - out
> < -A ufw-user-output -p tcp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
> < -A ufw-user-output -p udp --dport 53 -j ACCEPT -m comment --comment 'dapp_DNS'
> <
> < ### tuple ### allow tcp 25,143,465,587,993,4190 0.0.0.0/0 any 0.0.0.0/0 Mail - out
> < -A ufw-user-output -p tcp -m multiport --dports 25,143,465,587,993,4190 -j ACCEPT -m comment --comment 'dapp_Mail'
> 
> Some of the apps are custom (the "Mail" one); others are provided by ufw
> or by package maintainers ('Nginx Full' or 'DNS').
> 
> Please do not hesitate to ask for further information. I think this bug
> is quite critical, as we really shouldn't have changes in rules not
> explicitly provided by the administrator.
> 

I believe this will be fixed with this:
https://git.launchpad.net/ufw/commit/?id=569edf283bd18c5816f980b8480cf02f1d1ead03

However, there isn't enough information in this bug report to be sure.
Can you provide the full list of ufw app rules in the order you add them
for any rules that reference Nginx Full, DNS and Mail? You can send that
to me privately if you prefer.

Thanks!

-- 
Jamie Strandboge             | http://www.canonical.com
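A small regression check, added here and not part of either message above, for confirming that app-backed rules survive "ufw app update all": it parses the "### tuple ###" marker lines from two snapshots of /etc/ufw/user.rules (taken before and after a package upgrade) and lists every rule that went missing. The two snapshots below are constructed to mirror the rules quoted in the report; the field layout assumed is the one visible in those lines.

```python
from typing import List, NamedTuple, Optional

# Constructed snapshots modelled on the tuple lines in the bug report
# (not copied from a real host). A plain non-app rule is included to
# show that the check distinguishes app-backed rules from port rules.
BEFORE = """\
### tuple ### allow tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Nginx%20Full - out
### tuple ### allow any 53 0.0.0.0/0 any 0.0.0.0/0 DNS - out
### tuple ### allow tcp 25,143,465,587,993,4190 0.0.0.0/0 any 0.0.0.0/0 Mail - out
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
"""
AFTER = """\
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
"""

PREFIX = "### tuple ### "

class Rule(NamedTuple):
    action: str; proto: str; dport: str; dst: str; sport: str; src: str
    dapp: Optional[str]; sapp: Optional[str]; direction: str

def parse_tuples(text: str) -> List[Rule]:
    """Parse the '### tuple ###' marker lines ufw writes into user.rules.
    App-backed rules carry two extra fields (dapp, sapp; '-' when unused)
    before the direction; plain port rules omit them (assumed layout)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        f = line[len(PREFIX):].split()
        if len(f) == 9:
            rules.append(Rule(*f))
        elif len(f) == 7:
            rules.append(Rule(*f[:6], None, None, f[6]))
        else:
            raise ValueError(f"unrecognised tuple line: {line!r}")
    return rules

def dropped_rules(before: str, after: str) -> List[Rule]:
    """Tuples present in `before` but absent from `after`, in original order."""
    kept = set(parse_tuples(after))
    return [r for r in parse_tuples(before) if r not in kept]

def report(before: str, after: str) -> List[str]:
    """One line per dropped rule, naming the app profile when there is one."""
    out = []
    for r in dropped_rules(before, after):
        what = (f"app {r.dapp.replace('%20', ' ')}" if r.dapp and r.dapp != "-"
                else f"port {r.dport}/{r.proto}")
        out.append(f"MISSING {r.action.upper()} {r.direction.upper()}: {what}")
    return out

if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)) or "no rules dropped")
```

On a real host, feed the same functions the contents of copies of /etc/ufw/user.rules saved before and after the upgrade; a non-empty report means rules changed without the administrator asking for it.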