ufw

'ufw status' doesn't always show app rules

Bug #1838764 reported by rrrand
Affects: ufw
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

Some rules disappear after 'ufw app update all'.
ufw versions 0.35 and 0.36 have the same behaviour, and I could not find anything about it in the manuals.

How to check:

0) Add application MyApp somewhere in /etc/ufw/applications.d/.

1) Append rules
ufw allow from 192.168.1.0/24 to 192.168.1.0/24 app MyApp
ufw allow out from 192.168.1.0/24 to 192.168.1.0/24 app MyApp

(The only difference between those rules is the direction: out.)

2) Then call
ufw app update all

3) The second rule will disappear.

The following link is about the same issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931125

Jamie Strandboge (jdstrand) wrote :

What I observe is that with the second command, the app rule isn't added at all even though ufw said it was. I.e.:

$ sudo ufw allow from 192.168.1.0/24 to 192.168.1.0/24 app OpenSSH
Rules updated
$ sudo ufw allow out from 192.168.1.0/24 to 192.168.1.0/24 app OpenSSH
Rules updated
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
192.168.1.0/24 OpenSSH     ALLOW       192.168.1.0/24

Changed in ufw:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Looking at this, the rules are correctly being added to /etc/ufw/user.rules. 'ufw show raw' shows:

...
Chain ufw-user-input (1 references)
    pkts bytes target     prot opt in     out     source               destination
       0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.0/24       tcp dpt:22 /* 'dapp_OpenSSH' */

...
Chain ufw-user-output (1 references)
    pkts bytes target     prot opt in     out     source               destination
       0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.0/24       tcp dpt:22 /* 'dapp_OpenSSH' */
...

so the rules are correctly being added to both chains. Using 'ufw status verbose' also shows the rules:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                               Action      From
--                               ------      ----
192.168.1.0/24 22/tcp (OpenSSH)  ALLOW IN    192.168.1.0/24

192.168.1.0/24 22/tcp (OpenSSH)  ALLOW OUT   192.168.1.0/24

The problem is that for app rules, 'ufw status' isn't showing the output rules. If I use non-app rules, I can see that 'ufw status' shows the output rules correctly:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
192.168.1.0/24 22/tcp      ALLOW       192.168.1.0/24

192.168.1.0/24 22/tcp      ALLOW OUT   192.168.1.0/24

summary: - Rules disappear after 'ufw app update all'
+ 'ufw status' doesn't always show app rules
Changed in ufw:
status: Confirmed → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
Changed in ufw:
status: Triaged → Fix Committed
Changed in ufw:
status: Fix Committed → Fix Released
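
A check for the display gap described in the comments above, as an added example (not part of the bug report and not ufw's own code): it parses both status outputs and lists the rules that 'ufw status verbose' reports but 'ufw status' omits. The sample text is the output quoted on this page; the function names are hypothetical, and the parser assumes the column layout shown here.

```python
import re
from collections import Counter

# A rule line: "To" text, an action with an optional direction, then "From".
RULE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?: (?P<dir>IN|OUT|FWD))?\s+(?P<frm>\S.*)$"
)

def parse_rules(status_text):
    """Count (to, action, direction, from) tuples in 'ufw status' style text."""
    rules = Counter()
    for line in status_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # 'Status:', 'Default:', headers, separators, blank lines
        # Verbose prints '22/tcp (OpenSSH)'; terse prints only 'OpenSSH'.
        to = re.sub(r"\S+ \(([^)]+)\)", r"\1", " ".join(m["to"].split()))
        # A missing direction is treated as IN (assumption based on the page).
        rules[(to, m["action"], m["dir"] or "IN", m["frm"].strip())] += 1
    return rules

def hidden_rules(terse_text, verbose_text):
    """Rules present in the verbose listing but absent from the terse one."""
    missing = parse_rules(verbose_text) - parse_rules(terse_text)
    return sorted(missing.elements())

# Sample input: the two outputs quoted in this bug report.
TERSE_APP = """Status: active

To                         Action      From
--                         ------      ----
192.168.1.0/24 OpenSSH     ALLOW       192.168.1.0/24
"""
VERBOSE_APP = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                               Action      From
--                               ------      ----
192.168.1.0/24 22/tcp (OpenSSH)  ALLOW IN    192.168.1.0/24

192.168.1.0/24 22/tcp (OpenSSH)  ALLOW OUT   192.168.1.0/24
"""

if __name__ == "__main__":
    for to, action, direction, frm in hidden_rules(TERSE_APP, VERBOSE_APP):
        print(f"not shown by 'ufw status': {to} {action} {direction} {frm}")
```

On a live host, the two strings would come from the output of 'ufw status' and 'ufw status verbose' run with root privileges.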