[clug] Issue where gufw losing settings on reboot

George at Clug Clug at goproject.info
Wed Dec 20 09:53:18 UTC 2017


In a Debian Stretch computer I have been using gufw as simple Firewall
GUI.  It seem quite effective and easy to use, but...

I am curious if anyone has seen a similar issue to the one I describe

I run gufw with both incoming and outgoing set to Deny and only open
the specific ports that I wanted to have open.

However I had been having issues where various ports would not work
when I powered the computer on.

I started testing with ssh (port 22) to see if could ssh into the
computer, I would get it to work, only to find the next day I could
not connect any more. Now finally I found a way to manually resolve
the issue.

To resolve this issue, using gufw I would simply set Outgoing from
Deny to Allow, and all would work. Then I discovered that setting
Outgoing  from Deny to to Allow, then back to Deny, also worked. I
also found that setting the Incoming to Allow and back to Deny would
work too. Basically causing gufw to rewrite the firewall settings,
would cause all expected ports to work.

Checking the actual firewall setting using "iptables -L >
settings1.txt" directly after powering the computer on. I then ran
gufw, turning outgoing to Allow, and then back to Deny, and then ran 
"iptables -L > settings2.txt" and compared the two files.

I found that after on power on or after a reboot of the computer the
"Chain ufw-user-input" setting to open the incoming ssh port was
missing from the configuration.  I don't think this is a ssh issue
specifically, it is just the example I was testing with.  Somehow
gufw is not setting ports correctly on power on.

Part of iptables -L listing after using gufw to Allow and Deny
Outgoing ports (that is to cause gufw to rewrite the firewall
Chain ufw-user-input (1 references)
target     prot opt source              
ACCEPT     tcp  --  anywhere            
anywhere             tcp dpt:ssh

Part of iptables -L listing after first powering on the computer or
after a restart (the 'ACCEPT' for the ssh setting is missing)
Chain ufw-user-input (1 references)
target     prot opt source               destination

Well I expect some readers are thinking, just use iptables instead of
gufw (am I correct?). And I guess that is what I will have to do,
until the bug (if it is a bug and not just my installation) is fixed.

If anyone uses gufw, please let me know of your experiences.  Have
you seen this issue?.



More information about the linux mailing list