ufw should display all active rules and important info

Bug #251153 reported by Peter Matulis
Affects: ufw (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: ufw

The rules that are loaded automatically when ufw is enabled should be displayed when the 'status' command is invoked. If not, this could lead to a lot of confusion on the part of the user.

Practically speaking, and considering just ingress filtering, I believe this impacts ICMP and DHCP traffic (configured in /etc/ufw/before.rules) on a default install of 8.04.

In addition:

a) Since ufw is primarily designed for ingress filtering, somewhere the output to the 'status' command should reinforce this fact.
b) It may be improper to neglect to have the 'status' command display the default allow or deny policy.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting this bug. The 'status' command is intended to only report the ufw managed rules as well as some other information. Eg:

$ sudo ufw status
Status: loaded
Logging: on
Default: deny

To Action From
22:tcp ALLOW 192.168.2.0/24

This is not intended as a replacement for 'iptables -n -L'. In fact, displaying rules from /etc/ufw/*.rules would likely cause more confusion because the user would not be able to manage rules in these files with the ufw command. I do agree that the documentation should be more clear on this point however, and I will update it accordingly.

Changed in ufw:
assignee: nobody → jdstrand
status: New → Triaged
Changed in ufw:
status: Triaged → Fix Committed
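
As an added example (not part of this bug thread and not ufw's own code): since 'status' reports only ufw-managed rules, this script lists the ACCEPT rules in an iptables-restore format file such as /etc/ufw/before.rules. The function names, the sample rules and the chain name ufw-before-input in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every ACCEPT rule in an iptables-restore format file,
# the format used by /etc/ufw/before.rules, whose rules 'ufw status' omits.

# accept_rules FILE  ("-" reads stdin)
# Prints "<table> <chain>: <match options>" for each "-A ... -j ACCEPT" line.
accept_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        /^\*/ { table = substr($1, 2); next }    # "*filter" opens a table
        /^:/ || $1 == "COMMIT" { next }          # chain declarations, table end
        $1 == "-A" {
            target = ""
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "--jump") target = $(i + 1)
            if (target != "ACCEPT") next
            opts = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" || $i == "--jump") { i++; continue }
                opts = opts (opts == "" ? "" : " ") $i
            }
            printf "%s %s: %s\n", table, $2, (opts == "" ? "(any)" : opts)
        }
    ' "${1:--}"
}

# Constructed sample (not a copy of the shipped file; chain name assumed).
sample_rules() {
    cat <<'EOF'
*filter
:ufw-before-input - [0:0]
# loopback, ICMP echo and DHCP client replies
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -m state --state INVALID -j DROP
COMMIT
EOF
}

# Audit the file named on the command line, else the constructed sample.
if [ -n "${1:-}" ]; then accept_rules "$1"; else sample_rules | accept_rules -; fi
```

Pass the rules file as the first argument to audit a real system; reading files under /etc/ufw may need root.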
Peter Matulis (petermatulis) wrote :

Ok.

BTW, I still do not get the default policy nor the logging state with the 'status' command. Your output shows both however along with "Status: loaded" (?).

$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)

$ sudo ufw status
Firewall loaded

$ sudo ufw logging ON
Logging enabled

$ sudo ufw status
Firewall loaded

Are you running a different version?

$ ufw version
ufw 0.16.2.2
Copyright (C) 2008 Canonical Ltd.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.19

---------------
ufw (0.19) intrepid; urgency=low

  * don't modify the chains when --dry-run is specified (LP: #247352)
  * add dotted netmask support
  * don't have util.py import common.py
  * normalize rules so what is added to chains and what is displayed to the
    user is consistent (LP: #237446)
  * documentation updates (LP: #247177)
  * implement port ranges (LP: #231103)
  * fix initscript to properly set default DROP when ipv6 is available and
    set to 'no' in /etc/default/ufw (LP: #251355)
  * don't give confusing output when ipv6 and/or ip6_tables is not
    available (LP: #194844)
  * update ucf historical checksums to include those in 0.16.2
  * update manpage for 'status' clarifications (LP: #251153)
  * update before*.rules to count outgoing packets on lo (LP: #255092)
  * update status output so it is more consistent with rule syntax

 -- Jamie Strandboge <email address hidden> Mon, 07 Jul 2008 16:22:45 -0400

Changed in ufw:
status: Fix Committed → Fix Released