Comment 4 for bug 251355

Jamie Strandboge (jdstrand) wrote :

SRU Request

I. ufw in its default configuration uses IPV6=no in /etc/default/ufw. The intended and documented behavior of this setting is to use a default DROP policy with connections allowed on the loopback interface only. The current version does not do this when using the /etc/init.d/ufw script, which means that though IPV6=no, the default policy for the INPUT, OUTPUT and FORWARD chains is ACCEPT on boot.

II. This has been fixed in 0.18.2 (will be uploaded after alpha freeze). /etc/init.d/ufw has been adjusted to set the default policy of DROP when IPV6=no (/usr/sbin/ufw uses /etc/init.d/ufw when running 'enable', so enable will still work as before).

III. A debdiff is attached that addresses this bug and bug #194844 (also an SRU candidate).

IV. TEST CASE (needs a kernel which supports ipv6 and ip6_tables; basically, any but -virtual):

  1. make sure /etc/default/ufw has 'IPV6=no'
  2. sudo ufw enable
  3. sudo ip6tables -n -L (shows default DROP policy with allowed connections on loopback)
  4. sudo /etc/init.d/ufw force-reload
  5. sudo ip6tables -n -L (shows default ACCEPT policy, should be same as in step 3)

V. The regression potential is considered low. While the default behavior on boot has changed (to be what is documented), in practice users will have used 'ufw enable' to enable the firewall and tested that the rules work as expected. 'ufw enable' sets the default policy to DROP, so users would have noticed IPv6 connectivity being blocked at this stage, and adjusted the rules accordingly. It was only after a reboot that the IPv6 policy is changed to the more lenient ACCEPT policy.
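The test case above compares ip6tables output by eye. The script below is an added example, not part of this bug report and not code from ufw, that turns the check into something a verifier can run after step 3 and again after step 5: it parses ip6tables listing output and succeeds only when INPUT, OUTPUT and FORWARD all default to DROP and loopback traffic is accepted in both directions, which is the documented IPV6=no behaviour. It assumes `ip6tables -v -n -L` rather than the report's plain `ip6tables -n -L`, because the `-v` form exposes the in/out interface columns needed for the loopback check; the function names (`chain_policy`, `has_loopback_accept`, `ipv6_policy_ok`) and the two sample listings are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the bug report or ufw): verify the ip6tables state
# that /etc/init.d/ufw is meant to leave in place when IPV6=no.
# Input is the text of `ip6tables -v -n -L` (the -v is an assumption made here
# so that the in/out interface columns are present for the loopback check).

# Print the default policy of chain $2 from the ip6tables output in $1.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\).*/\1/p"
}

# Succeed if chain $2 has an ACCEPT rule for all protocols on the loopback
# interface in direction $3 ("in" for INPUT, "out" for OUTPUT). The opt column
# is blank in older ip6tables output and "--" in newer output; both are matched.
has_loopback_accept() {
    printf '%s\n' "$1" | awk -v chain="$2" -v dir="$3" '
        /^Chain / { cur = $2; next }
        cur != chain { next }
        dir == "in"  && $0 ~ /ACCEPT[ \t]+all[ \t]+(--[ \t]+)?lo[ \t]/ { found = 1 }
        dir == "out" && $0 ~ /ACCEPT[ \t]+all[ \t]+(--[ \t]+)?\*[ \t]+lo[ \t]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Succeed only when INPUT, OUTPUT and FORWARD all default to DROP and loopback
# traffic is accepted in both directions: the documented IPV6=no behaviour.
ipv6_policy_ok() {
    for chain in INPUT OUTPUT FORWARD; do
        [ "$(chain_policy "$1" "$chain")" = DROP ] || return 1
    done
    has_loopback_accept "$1" INPUT in   || return 1
    has_loopback_accept "$1" OUTPUT out || return 1
    return 0
}

# Constructed sample: what step 3 (after 'sudo ufw enable') is expected to show.
AFTER_ENABLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0'

# Constructed sample: the lenient state described in step 5 with the unfixed
# init script, where every chain is left at policy ACCEPT (rule content is
# made up for the example; only the policies matter here).
AFTER_RELOAD_BUGGY='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# On a real host, run as root:  ipv6_policy_ok "$(ip6tables -v -n -L)"
if ipv6_policy_ok "$AFTER_ENABLE"; then
    echo "after enable: default DROP with loopback allowed (OK)"
fi
if ! ipv6_policy_ok "$AFTER_RELOAD_BUGGY"; then
    echo "after force-reload: default policy is not DROP (bug reproduced)"
fi
```

Running it against the live output after step 3 and again after step 5 should succeed both times once the fixed init script is installed; with the unfixed script the second run fails, which is the regression this SRU is meant to catch.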