List of rules not consistent with the rule added

Bug #237446 reported by costales
Affects: ufw (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge
Milestone: (none)

Bug Description

Hi.
What steps will reproduce the problem?
1. Add a rule. Maybe a special rule? :O
2. List the rules.
3. The rule listed is not consistent with the rule added.

What is the expected output? What do you see instead?
If I want to erase the rule listed, I can't, because it is another rule.

I include the example from my computer.


Revision history for this message
costales (costales) wrote :

You can see how the rule can't be deleted if I try with 96.0.0.0/4. The real rule is 111.12.34.2/4, but I see 96.0.0.0/4.

mypc@mypc-desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere DENY 1.0.0.0/8
0.0.0.0/4 DENY Anywhere

mypc@mypc-desktop:~$ sudo ufw allow to 111.12.34.2/4
Rule added
mypc@mypc-desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere DENY 1.0.0.0/8
0.0.0.0/4 DENY Anywhere
96.0.0.0/4 ALLOW Anywhere

mypc@mypc-desktop:~$ sudo ufw delete allow to 96.0.0.0/4
Rules updated
mypc@mypc-desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere DENY 1.0.0.0/8
0.0.0.0/4 DENY Anywhere
96.0.0.0/4 ALLOW Anywhere

mypc@mypc-desktop:~$ sudo ufw delete allow to 111.12.34.2/4
Rule deleted
mypc@mypc-desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere DENY 1.0.0.0/8
0.0.0.0/4 DENY Anywhere

mypc@mypc-desktop:~$

Changed in ufw:
assignee: nobody → jdstrand
status: New → Confirmed
Revision history for this message
costales (costales) wrote :

Another example:
If I added allow http,
in the future I must remove http, not port 80 protocol tcp (I watched it).

marcos@ubuntu804desktop:~$ sudo ufw status
Firewall loaded
marcos@ubuntu804desktop:~$ sudo ufw allow http
Rule added
marcos@ubuntu804desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
80:tcp ALLOW Anywhere

marcos@ubuntu804desktop:~$ sudo ufw delete allow proto tcp to port 80
ERROR: Wrong number of arguments
marcos@ubuntu804desktop:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
80:tcp ALLOW Anywhere

marcos@ubuntu804desktop:~$ sudo ufw delete allow http
Rule deleted
marcos@ubuntu804desktop:~$ sudo ufw status
Firewall loaded
marcos@ubuntu804desktop:~$

Revision history for this message
Darren Albers (dalbers) wrote :

Marcus,

I think UFW is actually correct here... I have never seen a 4 bit mask before but it does break down along the lines it shows.

96.0.0.0 is the start of the /4 mask that contains 111.12.34.2 so by telling UFW you want to block 111.12.34.2/4 it interprets (Correctly) that you mean 96.0.0.0/4.

Did you mean to type 111.12.34.2/24? That would result in UFW blocking: 111.12.34.0/24

BTW: Great work on GUFW!

Thanks!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for using ufw and reporting this bug. I can confirm that using 111.12.34.2/4 does not work as expected. I hope to fix this so that it will allow the removal of 96.0.0.0/4. I have already started on this, and it will be in a future commit.

The problem with removing the http port is that your syntax to delete was wrong, e.g.
$ sudo ufw delete allow proto tcp to port 80

This should be:
$ sudo ufw delete allow proto tcp to any port 80

If using the extended syntax, you must specify the source/destination address, even if it is just 'any'. See 'man ufw' for details.
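The /4 arithmetic Darren walks through above and the normalization Jamie describes as the fix can be modelled in a few lines. This is an added example written for this page, not ufw's own code: `normalize_cidr` computes the network address the way iptables later displays it (dotted netmasks included, as the 0.19 changelog adds), and the hypothetical `RuleSet` class stores rules either raw (the behaviour reported here) or normalized (the fix), so the delete-by-displayed-address failure and its fix can both be reproduced offline.

```python
import ipaddress
from dataclasses import dataclass, field


def normalize_cidr(addr: str) -> str:
    """Return addr as canonical 'network/prefixlen' with host bits cleared.
    Accepts a prefix length or a dotted netmask; a bare host becomes /32."""
    # strict=False is what clears the host bits: 111.12.34.2/4 -> 96.0.0.0/4
    return str(ipaddress.ip_network(addr, strict=False))


def host_bits_set(addr: str) -> bool:
    """True when the address given is not the network address of its mask,
    i.e. when the rule will be silently rewritten on display."""
    iface = ipaddress.ip_interface(addr)
    return iface.ip != iface.network.network_address


@dataclass
class RuleSet:
    """Toy model of ufw's rule store (hypothetical, not ufw's real class)."""
    normalize: bool                      # False: behaviour reported here; True: the fix
    rules: list = field(default_factory=list)   # (action, destination) tuples

    def _key(self, dst: str) -> str:
        return normalize_cidr(dst) if self.normalize else dst

    def add(self, action: str, dst: str) -> None:
        self.rules.append((action, self._key(dst)))

    def status(self) -> list:
        # What 'ufw status' shows: iptables always prints the network address.
        return [(action, normalize_cidr(dst)) for action, dst in self.rules]

    def delete(self, action: str, dst: str) -> bool:
        key = (action, self._key(dst))
        if key in self.rules:
            self.rules.remove(key)
            return True
        return False


if __name__ == "__main__":
    for mode in (False, True):
        rs = RuleSet(normalize=mode)
        rs.add("ALLOW", "111.12.34.2/4")            # the rule from the report
        print("normalize=%s status=%s" % (mode, rs.status()))
        print("  delete 96.0.0.0/4 ->", rs.delete("ALLOW", "96.0.0.0/4"))
```

With `normalize=False` the displayed `96.0.0.0/4` cannot be deleted because the stored text is `111.12.34.2/4`; with `normalize=True` either spelling removes the rule.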

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Committed fix to bzr, will roll out to intrepid within the next few days.

Changed in ufw:
status: Confirmed → Fix Committed
Revision history for this message
costales (costales) wrote :

Thanks very much!!! :D

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.19

---------------
ufw (0.19) intrepid; urgency=low

  * don't modify the chains when --dry-run is specified (LP: #247352)
  * add dotted netmask support
  * don't have util.py import common.py
  * normalize rules so what is added to chains and what is displayed to the
    user is consistent (LP: #237446)
  * documentation updates (LP: #247177)
  * implement port ranges (LP: #231103)
  * fix initscript to properly set default DROP when ipv6 is available and
    set to 'no' in /etc/default/ufw (LP: #251355)
  * don't give confusing output when ipv6 and/or ip6_tables is not
    available (LP: #194844)
  * update ucf historical checksums to include those in 0.16.2
  * update manpage for 'status' clarifications (LP: #251153)
  * update before*.rules to count outgoing packets on lo (LP: #255092)
  * update status output so it is more consistent with rule syntax

 -- Jamie Strandboge <email address hidden> Mon, 07 Jul 2008 16:22:45 -0400

Changed in ufw:
status: Fix Committed → Fix Released
costales (costales)
Changed in ufw:
status: Fix Released → Incomplete
status: Incomplete → Fix Committed
Changed in ufw:
status: Fix Committed → Fix Released