Public bug reported:

If ufw is disabled, the iptables rules still remain active. This is wrong
behavior: if an administrator has asked for the firewall to be disabled,
then no rules of any kind (except for the default policy ACCEPT) should
be present in the iptables list.

Actual results:

root@r820-jq3yx12:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_INP  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_FWX  all  --  anywhere             anywhere
LIBVIRT_FWI  all  --  anywhere             anywhere
LIBVIRT_FWO  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_OUT  all  --  anywhere             anywhere

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.122.0/24     anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

root@r820-jq3yx12:~# ufw status
Status: inactive


Expected results:

root@r820-jq3yx12:~# iptables -P INPUT ACCEPT
root@r820-jq3yx12:~# iptables -P FORWARD ACCEPT
root@r820-jq3yx12:~# iptables -P OUTPUT ACCEPT
root@r820-jq3yx12:~# iptables -t nat -F
root@r820-jq3yx12:~# iptables -t mangle -F
root@r820-jq3yx12:~# iptables -F
root@r820-jq3yx12:~# iptables -X

root@r820-jq3yx12:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: ufw 0.36-1ubuntu3
ProcVersionSignature: Ubuntu 5.3.0-24.26-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Mon Jan  6 11:24:18 2020
InstallationDate: Installed on 2019-12-29 (8 days ago)
InstallationMedia: Ubuntu-MATE 19.10 "Eoan Ermine" - Release amd64 (20191017)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ufw
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug eoan iptables ufw

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1858464

Title:
  iptable rules are still present after disabling ufw

Status in ufw package in Ubuntu:
  New
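
When auditing what is still loaded after `ufw disable`, it helps to group the chains in an `iptables -L` listing by name prefix. The script below is an added example, not part of the bug report or of ufw; it assumes ufw's own chains are named `ufw-*` (`ufw6-*` under ip6tables) and that the `LIBVIRT_*` chains seen in the listing are created by libvirt.

```shell
#!/bin/sh
# Added example: group the chains of an `iptables -L` listing by owner.
# Assumed prefixes: "ufw-"/"ufw6-" for ufw, "LIBVIRT_" for libvirt.
# On a live host: iptables -L | classify_chains
# (repeat with -t nat and -t mangle to cover the other tables).

# Chain header lines abridged from the listing in the report above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_INP  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain LIBVIRT_FWI (1 references)
Chain LIBVIRT_FWO (1 references)
Chain LIBVIRT_FWX (1 references)
Chain LIBVIRT_INP (1 references)
Chain LIBVIRT_OUT (1 references)'

# Read a listing on stdin and print "<owner> <chain>" for every chain header.
classify_chains() {
    while read -r word name _; do
        # Only "Chain NAME (...)" lines declare a chain; skip rules and blanks.
        [ "$word" = "Chain" ] || continue
        case "$name" in
            INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING) owner=builtin ;;
            ufw-*|ufw6-*) owner=ufw ;;
            LIBVIRT_*)    owner=libvirt ;;
            *)            owner=other ;;
        esac
        printf '%s %s\n' "$owner" "$name"
    done
}

# count_owner OWNER: number of chains on stdin attributed to OWNER.
count_owner() {
    classify_chains | awk -v o="$1" '$1 == o { n++ } END { print n + 0 }'
}

# Summarise the sample listing.
for owner in builtin ufw libvirt other; do
    printf '%s: %s\n' "$owner" \
        "$(printf '%s\n' "$SAMPLE_LISTING" | count_owner "$owner")"
done
```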
