
touch-packages team mailing list archive

[Bug 1075975] Re: ufw needs hooks to execute commands pre/post firewall startup/shutdown

 

** Changed in: ufw
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1075975

Title:
  ufw needs hooks to execute commands pre/post firewall startup/shutdown

Status in ufw:
  Fix Released
Status in ufw package in Ubuntu:
  Fix Released

Bug description:
  Some commands related to iptables must be executed in conjunction with
  starting/stopping a firewall in order for the correct operation of the
  firewall.  UFW currently does not provide the ability to run those
  commands without hacking its source code.

  My specific use case:  I must deploy machines to my customer, on which
  I must block certain countries' IP ranges.  The most efficient method
  of doing this is to use the ipset utilities.  I can insert ipset-
  matching firewall rules via iptables commands in the
  /etc/ufw/before.rules script.  However, this will fail if I do not
  first execute ipset commands to define the respective ipsets.

  My current workaround choices are:

  1) Write a separate init script to define ipsets and configure it to
  execute before ufw.  I don't like this option because user error could
  cause this script to not execute first, and then ufw would not start
  properly.

  2) Hack ufw init scripts (/lib/ufw/ufw-init-functions) to make the
  necessary calls before actually starting the firewall.  This is the
  option I went with.  However, I don't like it, because now I must
  maintain a forked version of ufw and make sure that it is preferred
  over the official version.

  My proposal:

  Implement 4 hook shell script files that are called by UFW's init
  scripts pre-start, post-start, pre-stop, and post-stop.  These should
  be stored in /etc/ufw/ and marked as config files so that they are not
  overwritten on ufw upgrade.  They should default to being empty
  scripts, and sysadmins could then choose to populate them with
  whatever commands are necessary for their individual deployments.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: ufw 0.33-0ubuntu2
  ProcVersionSignature: Ubuntu 3.5.0-17.28-generic 3.5.5
  Uname: Linux 3.5.0-17-generic x86_64
  ApportVersion: 2.6.1-0ubuntu6
  Architecture: amd64
  Date: Wed Nov  7 09:13:03 2012
  InstallationDate: Installed on 2011-08-29 (435 days ago)
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
  MarkForUpload: True
  PackageArchitecture: all
  SourcePackage: ufw
  UpgradeStatus: Upgraded to quantal on 2012-10-22 (15 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/1075975/+subscriptions
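
The ordering problem in the report (ipset-matching rules in /etc/ufw/before.rules fail unless the set already exists) is what a pre-start hook addresses. The sketch below is an added example, not ufw's own code or the reporter's script; it assumes the hook is invoked with `start` as its first argument, and the set name and list path are hypothetical.

```shell
#!/bin/sh
# Added example: pre-start hook that defines an ipset before firewall rules load.
# Assumptions: called with "start" as $1; SET_NAME and CIDR_FILE are hypothetical.
SET_NAME="${SET_NAME:-blocked-nets}"
CIDR_FILE="${CIDR_FILE:-/etc/ufw/blocked-nets.cidr}"

# Succeed only for a well-formed IPv4 network such as 203.0.113.0/24.
valid_cidr4() {
    case "$1" in *[!0-9./]*|*/*/*|*.|*./*) return 1 ;; esac
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    # Prefix 1-32 only: a stray /0 would match every address.
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one CIDR per line on stdin (blank lines and "#" comments allowed) and
# print input for `ipset restore`: fill a scratch set, then swap it in, so the
# live set is never half-populated. Any bad entry aborts with status 1.
build_restore() {
    tmp="$1-tmp"
    printf 'create %s hash:net family inet\n' "$1" "$tmp"
    printf 'flush %s\n' "$tmp"
    while read -r cidr rest; do
        case "$cidr" in ''|'#'*) continue ;; esac
        valid_cidr4 "$cidr" || { echo "bad entry: $cidr" >&2; return 1; }
        printf 'add %s %s\n' "$tmp" "$cidr"
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$1" "$tmp"
}

case "${1:-}" in
    start)
        # Build the whole plan first: an invalid list must fail before ipset runs.
        plan=$(build_restore "$SET_NAME" < "$CIDR_FILE") || exit 1
        printf '%s\n' "$plan" | ipset -exist restore
        ;;
esac
```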