ufw should be able to add rules rejecting traffic

Bug #197322 reported by IwSL5LAGdpcRVZFTrlxJogGkcNcwsR5N
Affects       Status        Importance  Assigned to       Milestone
ufw (Ubuntu)  Fix Released  Wishlist    Jamie Strandboge

Bug Description

ufw should be able to add rules specifying the REJECT target, including a default policy of REJECT.

Revision history for this message
IwSL5LAGdpcRVZFTrlxJogGkcNcwsR5N (whuobvk113tfvksdcnmyzo2tkgmpmp4j-deactivatedaccount) wrote :

This patch against /usr/sbin/ufw (Version: 0.13) adds the options to specify 'reject' in a rule, specify 'reject' to delete a rule and adds the possibility to specify 'reject' as the default policy for INPUT, OUTPUT or FORWARD. TCP is rejected via '--reject-with tcp-reset', all other protocols via the default '--reject-with icmp-port-unreachable'.

Revision history for this message
IwSL5LAGdpcRVZFTrlxJogGkcNcwsR5N (whuobvk113tfvksdcnmyzo2tkgmpmp4j-deactivatedaccount) wrote :

This patch against /etc/init.d/ufw (Version: 0.13) modifies the init-script to allow a default policy of 'reject' for INPUT, OUTPUT or FORWARD. As REJECT is not a built-in target, the default policy for the table is set to DROP, but all traffic is rejected by two catch-all rules at the bottom of the table, one rejecting TCP via '--reject-with tcp-reset', the next rejecting all other protocols via the default '--reject-with icmp-port-unreachable'.

Revision history for this message
IwSL5LAGdpcRVZFTrlxJogGkcNcwsR5N (whuobvk113tfvksdcnmyzo2tkgmpmp4j-deactivatedaccount) wrote :

This patch against the uncompressed manpage ufw.8 (Version: 0.13) adds the 'reject' option to the manpage, including two examples of its use.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report the bug and submit a patch. This should get integrated into the next version of ufw.

Changed in ufw:
assignee: nobody → jamie-strandboge
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This may not be suitable for Hardy, but I have added a branch based on the changes submitted. Still need to update the test cases for decline/REJECT regressions.

Changed in ufw:
importance: Undecided → Wishlist
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking as triaged since the patch won't apply anymore. I'm still not sure this will be supported in ufw.

Changed in ufw:
assignee: jdstrand → nobody
status: In Progress → Triaged
Revision history for this message
IwSL5LAGdpcRVZFTrlxJogGkcNcwsR5N (whuobvk113tfvksdcnmyzo2tkgmpmp4j-deactivatedaccount) wrote :

I would probably be able to produce another patch for ufw, the init-script and the manpage, however, I am interested in the reason for possibly not supporting this in ufw. I would really like to use ufw some more; not being able to reject, rather than drop, traffic can make problem-solving rather time-consuming in some cases, though.

Changed in ufw:
assignee: nobody → jdstrand
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks hendrik for your work on this. The hesitation in adding this feature was because ufw strives to be uncomplicated, and the difference between iptables DROP and REJECT is a subtlety that might have made things too complicated. That said, I believe it should be a part of ufw, and I have committed a first pass at the functionality in rev 343 of ufw/trunk.

Changed in ufw:
status: Triaged → In Progress
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.26-0ubuntu1

---------------
ufw (0.26-0ubuntu1) jaunty; urgency=low

  * new upstream release, which fixes:
    - formatting of dpkg output incorrect on upgrades (LP: #300726)
    - new REJECT functionality (LP: #197322)
    - ufw shouldn't flush built-in chains by default. New MANAGE_BUILTINS
      configuration option can be used to restore the old (flush) behavior
  * debian/control:
    - Build-Depends-Indep on iptables (required for iptables version check in
      setup.py)
    - add ${misc:Depends} to Depends and bump Standards-Version to 3.8.0
    - update Description
    - move po-debconf to Build-Depends
  * added debian/watch
  * debian/source.lintian-overrides: don't complain about
    no-complete-debconf-translation
  * debian/rules:
    - rename and gzip upstream changelogs
    - rename initscript.ubuntu to ufw.init and use dh_installinit (but
      continue to use /etc/defaults/ufw installed via setup.py for now)
    - cleanup dh_installdirs
    - use dh_installexamples for example files
    - run debconf-updatepo in clean target
  * debian/postinst: remove old ufw.rules check because ufw.rules existed for
    only a short time during the Hardy development cycle, it's ignored by ufw
    and its existence is harmless.
  * debian/config and debian/templates: remove ufw/oldrules
  * provide debconf mechanism for enabling the firewall and setting some basic
    rules (LP: #307715)

 -- Jamie Strandboge <email address hidden> Fri, 16 Jan 2009 08:02:36 -0600

Changed in ufw:
status: Fix Committed → Fix Released