ufw

ufw flushes iptables although disabled

Bug #311066 reported by AmenophisIII
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw | Fix Released | Undecided | Jamie Strandboge | |
| 0.16-hardy | Fix Released | Undecided | Jamie Strandboge | |
| 0.23-intrepid | Fix Released | Undecided | Jamie Strandboge | |
| ufw (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Hardy | Fix Released | Undecided | Jamie Strandboge | |
| Intrepid | Fix Released | Undecided | Jamie Strandboge | |
| Jaunty | Fix Released | Undecided | Unassigned | |

Bug Description

The init.d script for ufw flushes the iptables when called with "stop" even when ENABLED=no in the ufw.conf.

I noticed this when I did an "init 1" for some backups. After getting back to "init 5" there were still no rules, but all services are started of course.... So for me... this was a kind of a security problem, so I'll report it as such. But it's not THAT critical I guess...

I set my own iptables with ifupdown commands and network seems to stay enabled in "init 1".
You could argue that's my own fault... but I did not even know about ufw.. and it's disabled... so it shouldn't tinker with my iptables! :)

IMHO the init script should test if ENABLED is set while stopping, just like it is done in the start case:

    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
...

and not do anything if it's disabled.

ufw 0.23.2
ubuntu 8.10

Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and taking the time to report a bug. I am working on a fix for this and it should be available soon.

Changed in ufw:
assignee: nobody → jdstrand
status: New → In Progress

Jamie Strandboge (jdstrand) wrote :

This is fixed in 0.25.

Changed in ufw:
status: In Progress → Fix Released

Martin Pitt (pitti) wrote :

I assume this is fixed in Jaunty.

Changed in ufw:
status: New → Fix Released
status: New → Fix Committed

Martin Pitt (pitti) wrote :

Accepted ufw into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Accepted ufw into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in ufw:
status: New → Fix Committed

Jamie Strandboge (jdstrand) wrote :

Fixed in 0.16.2.4

$ apt-cache policy ufw
ufw:
  Installed: 0.16.2.4
  Candidate: 0.16.2.4
  Version table:
 *** 0.16.2.4 0
        500 http://archive.ubuntu.com hardy-proposed/main Packages
        100 /var/lib/dpkg/status
     0.16.2.3 0
        500 http://192.168.122.1 hardy-updates/main Packages
     0.16.2 0
        500 http://192.168.122.1 hardy/main Packages

Jamie Strandboge (jdstrand) wrote :

Fixed in 0.23.3

$ apt-cache policy ufw
ufw:
  Installed: 0.23.3
  Candidate: 0.23.3
  Version table:
 *** 0.23.3 0
        500 http://archive.ubuntu.com intrepid-proposed/main Packages
        100 /var/lib/dpkg/status
     0.23.2 0
        500 http://192.168.122.1 intrepid/main Packages

Changed in ufw:
assignee: nobody → jdstrand
assignee: nobody → jdstrand

Andreas Wenning (andreas-wenning) wrote :

I can confirm that the fix works with the version in intrepid-proposed.

Keeping ufw disabled:
Adding a rule to an iptables chain, running "invoke-rc.d ufw stop" will then clear this rule. After upgrading to the version in intrepid-proposed the rule is still there.
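
The reported behaviour and the confirmation check described above, as an added example that is not part of the bug report or of ufw's own init script. It assumes a plain text file standing in for the iptables ruleset so it runs unprivileged; all function names and the sample rule are constructed for illustration.

```sh
#!/bin/sh
# Added illustration, not ufw's conf/initscript. The "ruleset" is a text file
# standing in for the kernel's iptables rules, so nothing real is flushed.

# Print the ENABLED value from a ufw.conf-style file, lower-cased; "no" if unset.
read_enabled() {
    val=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$1" | tail -n 1 \
          | tr -d "\"'" | tr 'A-Z' 'a-z')
    echo "${val:-no}"
}

# Stand-in for flushing every chain: empties the simulated ruleset.
flush_rules() { : > "$1"; }

# Behaviour described in the report: stop flushes without looking at ENABLED.
stop_unguarded() {   # args: conf ruleset
    flush_rules "$2"
}

# Behaviour after the fix: stop applies the same ENABLED test as start.
stop_guarded() {     # args: conf ruleset
    if [ "$(read_enabled "$1")" = "yes" ]; then
        flush_rules "$2"
    fi
    return 0
}

# Regression check: add a rule, call stop, count the rules that survive.
rules_after_stop() { # args: stop-function ENABLED-value
    dir=$(mktemp -d)
    printf 'ENABLED=%s\n' "$2" > "$dir/ufw.conf"                # constructed config
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$dir/rules"  # constructed rule
    "$1" "$dir/ufw.conf" "$dir/rules"
    n=$(wc -l < "$dir/rules" | tr -d ' ')
    rm -rf "$dir"
    echo "$n"
}

echo "unguarded, ENABLED=no : $(rules_after_stop stop_unguarded no) rule(s) left"
echo "guarded,   ENABLED=no : $(rules_after_stop stop_guarded no) rule(s) left"
echo "guarded,   ENABLED=yes: $(rules_after_stop stop_guarded yes) rule(s) left"
```

The same pattern works as a package regression test against a real host by replacing the file-based stand-ins with a scratch chain and `invoke-rc.d ufw stop`.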

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.23.3

---------------
ufw (0.23.3) intrepid-proposed; urgency=low

  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * formatting of dpkg output incorrect on upgrades (LP: #300726)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Mon, 19 Jan 2009 10:32:03 -0600

Changed in ufw:
status: Fix Committed → Fix Released

Rolf Leggewie (r0lf) wrote :

There are two users reporting success, please release the hardy package. Thank you.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.16.2.4

---------------
ufw (0.16.2.4) hardy-proposed; urgency=low

  * debian/postrm: don't fail if iptables or ip6tables fails (LP: #278670)
  * debian/postinst: don't stop in runlevels 0 and 6 (LP: #298736)
  * don't do symlink check anymore (LP: #317700)
  * conf/initscript: don't flush rules on stop when not enabled (LP: #311066)
  * debian/control: update Vcs information

 -- Jamie Strandboge <email address hidden> Sat, 17 Jan 2009 09:04:06 -0600

Changed in ufw:
status: Fix Committed → Fix Released