[Bug 633044] Re: ufw breaks ipv6

2010-12-16 Thread Launchpad Bug Tracker
[Expired for ufw (Ubuntu) because there has been no activity for 60
days.]

** Changed in: ufw (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/633044

Title:
  ufw breaks ipv6

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 633044] Re: ufw breaks ipv6

2010-09-10 Thread Jamie Strandboge
** Changed in: ufw (Ubuntu)
   Status: Invalid => Incomplete



[Bug 633044] Re: ufw breaks ipv6

2010-09-10 Thread Jamie Strandboge
I cannot reproduce this.

Getting back to a known state:
$ grep IPV6 /etc/default/ufw 
IPV6=no
$ sudo ufw reset
...
$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active
$ sudo ip6tables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     any     anywhere             anywhere

Ok, the firewall is now enabled without IPV6 support, and all IPV6
traffic on the loopback is accepted. This is expected and by design.

Let's add IPv6:
$ grep IPV6 /etc/default/ufw 
IPV6=yes
$ sudo ufw reset
...
$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active
$ sudo ip6tables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     any     anywhere             anywhere
    0     0 ufw6-before-logging-input  all      any    any     anywhere             anywhere
    0     0 ufw6-before-input  all      any    any     anywhere             anywhere
    0     0 ufw6-after-input  all      any    any     anywhere             anywhere
    0     0 ufw6-after-logging-input  all      any    any     anywhere             anywhere
    0     0 ufw6-reject-input  all      any    any     anywhere             anywhere
    0     0 ufw6-track-input  all      any    any     anywhere             anywhere
$ sudo ufw allow OpenSSH
Rule added
Rule added (v6)
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
$ sudo ip6tables -L ufw6-user-input
Chain ufw6-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ssh /* 'dapp_OpenSSH' */


Can you run the above commands and see if you have different results?

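Added example, not part of the original thread or of ufw: a small shell check that classifies the IPv6 INPUT chain into the three states seen in this thread (loopback-only for IPV6=no, ufw6-* jumps for IPV6=yes, and the empty DROP chain from the report) and compares it with the IPV6 setting. The function names, state names and the sample rule text in `ip6tables -S INPUT` form are assumptions constructed for illustration.

```shell
# Added example: classify IPv6 INPUT state from `ip6tables -S INPUT` text.
# State names and function names are illustrative, not part of ufw.

# Reads rule text on stdin, prints one state name.
classify_v6_input() (
    policy="" rules=0 ufw6=0 lo=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-P INPUT "*)               policy=${line#"-P INPUT "} ;;
            "-A INPUT "*"-j ufw6-"*)    rules=$((rules + 1)); ufw6=$((ufw6 + 1)) ;;
            "-A INPUT -i lo -j ACCEPT") rules=$((rules + 1)); lo=1 ;;
            "-A INPUT "*)               rules=$((rules + 1)) ;;
        esac
    done
    if [ "$ufw6" -gt 0 ]; then
        echo ufw6-chains        # ufw's IPv6 chains are hooked into INPUT
    elif [ "$policy" = DROP ] && [ "$rules" -eq 0 ]; then
        echo empty-drop         # the state reported in the bug
    elif [ "$policy" = DROP ] && [ "$lo" -eq 1 ] && [ "$rules" -eq 1 ]; then
        echo loopback-only      # what the thread shows for IPV6=no
    else
        echo other
    fi
)

# check_v6 <yes|no>: rule text on stdin; status 0 when observed == expected.
check_v6() (
    case "$1" in
        yes) want=ufw6-chains ;;
        no)  want=loopback-only ;;
        *)   want=unknown ;;
    esac
    got=$(classify_v6_input)
    echo "IPV6=$1 expected=$want observed=$got"
    [ "$got" = "$want" ]
)

# Constructed samples in `ip6tables -S INPUT` form (not captured output).
SAMPLE_NO='-P INPUT DROP
-A INPUT -i lo -j ACCEPT'
SAMPLE_YES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j ufw6-before-logging-input
-A INPUT -j ufw6-before-input
-A INPUT -j ufw6-after-input'
SAMPLE_EMPTY='-P INPUT DROP'
```

On a live host the same check can be fed with `sudo ip6tables -S INPUT | check_v6 "$(sed -n 's/^IPV6=//p' /etc/default/ufw)"`; a non-zero exit means the chain does not match the configured setting.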


[Bug 633044] Re: ufw breaks ipv6

2010-09-09 Thread Reinhard Tartler
On Wed, Sep 08, 2010 at 14:23:11 (CEST), Jamie Strandboge wrote:

> ufw has IPv6 disabled by default (this will likely change very soon) in
> such a way that only traffic on the loopback is allowed. To enable IPv6
> support in ufw, you adjust /etc/default/ufw as you did, then restart ufw
> with 'sudo ufw disable ; sudo ufw enable'. Once that is done, the
> default policy is in effect, which by default is 'deny', so you must add
> rules for the traffic you want to allow, just like with IPv4. If you
> added generic rules before you enabled IPv6, you will have to add those
> again with IPv6 enabled. See 'man ufw' for details.
>
> What you have described as a bug sounds like ufw is operating as
> documented. I am going to close the bug for now. Please reopen if you
> find this in error.

You are basically claiming that once ipv6 is
enabled, it should behave in the same way as ipv4. Unfortunately, this
doesn't match my observations:

 $ ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
[...]

 $ ufw app update OpenSSH

 $ ufw enable

 $ ip6tables -L INPUT
Chain INPUT (policy DROP)
target prot opt source   destination 

 $ iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source   destination 
ufw-before-logging-input  all  --  anywhere anywhere
ufw-before-input  all  --  anywhere anywhere
ufw-after-input  all  --  anywhere anywhere
ufw-after-logging-input  all  --  anywhere anywhere
ufw-reject-input  all  --  anywhere anywhere
ufw-track-input  all  --  anywhere anywhere

You see that I end up with an empty INPUT queue for ipv6, which
effectively breaks all ipv6 traffic.


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

** Changed in: ufw
   Status: Invalid => New

** Changed in: ufw (Ubuntu)
   Status: Invalid => New



[Bug 633044] Re: ufw breaks ipv6

2010-09-09 Thread Jamie Strandboge
Your commands show ufw is operating correctly, but you are using the
wrong commands to add a rule and to check it worked. What I think you
meant to do is:

$ sudo ufw reset
$ sudo ufw enable
$ sudo ufw allow OpenSSH
Rule added
Rule added (v6)
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

$ sudo ip6tables -L ufw6-user-input
Chain ufw6-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ssh /* 'dapp_OpenSSH' */

You can see the full iptables output with:
$ sudo ufw show raw

or:
$ sudo ufw show user-rules

** Changed in: ufw (Ubuntu)
   Status: New => Invalid

** Changed in: ufw
   Status: New => Invalid



Re: [Bug 633044] Re: ufw breaks ipv6

2010-09-09 Thread Reinhard Tartler
On Thu, Sep 09, 2010 at 18:58:59 (CEST), Jamie Strandboge wrote:

> Your commands show ufw is operating correctly, but you are using the
> wrong commands to add a rule and to check it worked. What I think you
> meant to do is:
>
> $ sudo ufw reset
> $ sudo ufw enable
> $ sudo ufw allow OpenSSH
> Rule added
> Rule added (v6)
> $ sudo ufw status
> Status: active
>
> To                         Action      From
> --                         ------      ----
> OpenSSH                    ALLOW       Anywhere
> OpenSSH (v6)               ALLOW       Anywhere (v6)
>
> $ sudo ip6tables -L ufw6-user-input
> Chain ufw6-user-input (1 references)
> target     prot opt source               destination
> ACCEPT     tcp      anywhere             anywhere            tcp dpt:ssh /* 'dapp_OpenSSH' */

At this point, the INPUT chain for ipv4 looks proper:

 $ iptables -L INPUT

Chain INPUT (policy DROP)
target prot opt source   destination 
ufw-before-logging-input  all  --  anywhere anywhere
ufw-before-input  all  --  anywhere anywhere
ufw-after-input  all  --  anywhere anywhere
ufw-after-logging-input  all  --  anywhere anywhere
ufw-reject-input  all  --  anywhere anywhere
ufw-track-input  all  --  anywhere anywhere

but for ipv6, it remains empty:

 $ ip6tables -L INPUT

Chain INPUT (policy DROP)
target prot opt source   destination 

the other chains (ufw-{before,after,track}-{input,output} etc.) do exist
for ipv6, though, just the INPUT chain remains empty.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4



[Bug 633044] Re: ufw breaks ipv6

2010-09-08 Thread Jamie Strandboge
ufw has IPv6 disabled by default (this will likely change very soon) in
such a way that only traffic on the loopback is allowed. To enable IPv6
support in ufw, you adjust /etc/default/ufw as you did, then restart ufw
with 'sudo ufw disable ; sudo ufw enable'. Once that is done, the
default policy is in effect, which by default is 'deny', so you must add
rules for the traffic you want to allow, just like with IPv4. If you
added generic rules before you enabled IPv6, you will have to add those
again with IPv6 enabled. See 'man ufw' for details.

What you have described as a bug sounds like ufw is operating as
documented. I am going to close the bug for now. Please reopen if you
find this in error.

** Changed in: ufw (Ubuntu)
   Status: New => Invalid

** Changed in: ufw
   Status: New => Invalid
