
gufw-developers team mailing list archive

[Bug 1571701] Re: The rules have disappeared from the Rules tab


I completely removed iptables, ufw & gufw and reinstalled them.

At the beginning, there is:
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Then, I start Gufw, my default profile ("root-profile") is loaded, but Gufw is disabled, which is weird.
I enable it, make sure that incoming traffic is disabled, then I view:

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output

Shouldn't we read "-P INPUT DROP" instead of "-P INPUT ACCEPT"?
I quit Gufw, and relaunch it: the status is OFF!!!
How can this even happen?
I look at the root-profile on disk, and all the rules have been removed - somehow by Gufw I guess.
Now I understand why none of the rules previously defined in the "root-profile" appear anywhere within Gufw nor in the iptables rules list.

I pull the backup into /etc/gufw/app_profiles instead of /etc/gufw this time, relaunch Gufw, remove the profile from the preferences, import the new profile and... none of the rules defined in the profile appear in the rules tab!
A look at the log tells me that "WARN: uid is 0 but '/etc' is owned by 1000" for all new rules.
I change the owner to root and reimport the profile successfully this time: the rules are accepted.

However, none of them appear in the iptables.
I quit Gufw, relaunch it and... the status is OFF again and all the rules have vanished!
Putting the status back ON makes the rules reappear within Gufw & the iptables, at last.
Also, we now have "-P INPUT DROP", and some other rules (which should have been there in the first place?) also appear, for example:
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
...

I quit Gufw & relaunch it: this time the status is ON.

As a conclusion, checking /etc owner seems overkill: if you fear that someone may have taken over the root account, not loading the firewall rules won't change the situation since he/she has already been able to dethrone the root account...
Also, why do we need to load Gufw several times to import a profile & enable it?

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1571701

Title:
  The rules have disappeared from the Rules tab

Status in Gufw:
  New

Bug description:
  The rules used to be listed without any issue.
  I don't know what has changed since to explain this strange & suspicious behavior.
  The correct profile is loaded from /etc/gufw/app_profiles .
  The profile text file contains all the rules.

  Gufw first complained that the profile permissions needed to be 600. I
  have no idea why they were defined as 777, but I defined them back to
  600. Now I can launch Gufw, but without any rule appearing in the tab.

  Ubuntu 15.10 4.2.0-35
  Gufw 15.10.0-0ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1571701/+subscriptions
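As an added example (not gufw's own code), the kind of file-trust check that the "WARN: uid is 0 but '/etc' is owned by 1000" line and the 600-permission complaint above point at: before loading a profile that will become firewall rules, confirm that the file and every directory up to the profile root are owned by the loading uid and that the file mode is 0600, since a foreign-owned parent lets another user swap the file. The function names, the `top` parameter and the sample rule text are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path


def profile_problems(path, top, expected_uid=0):
    """Return the reasons `path` should not be trusted as a firewall
    profile. `top` is the directory where the upward ownership walk
    stops (e.g. /etc/gufw); an empty list means the file passes."""
    problems = []
    p = Path(path).resolve()
    top = Path(top).resolve()
    # Check the file and every directory between it and `top`: if any
    # of them is owned by another uid, that uid could replace the file.
    for part in [p, *p.parents]:
        st = part.lstat()
        if st.st_uid != expected_uid:
            problems.append(
                f"WARN: uid is {expected_uid} but '{part}' is owned by {st.st_uid}")
        if part == top:
            break
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode != 0o600:
        problems.append(f"mode of '{p}' is {oct(mode)}, expected 0o600")
    return problems


def demo():
    """Build a constructed profile tree in a temp dir and run the check
    three ways: a correct file, a world-readable file, and a tree whose
    ownership does not match the loading uid."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app_profiles"
        app.mkdir()
        good = app / "root-profile.profile"
        good.write_text("[rule0]\naction=deny\n")  # constructed rule text
        os.chmod(good, 0o600)
        loose = app / "loose.profile"
        loose.write_text("[rule0]\naction=deny\n")
        os.chmod(loose, 0o644)
        return (
            profile_problems(good, tmp, me),        # passes
            profile_problems(loose, tmp, me),       # one mode problem
            profile_problems(good, tmp, me + 1),    # owner mismatch at 3 levels
        )
```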

