View Issue Details
| Field | Value |
|---|---|
| ID | 0006094 |
| Project | Kali Linux |
| Category | [All Projects] General Bug |
| View Status | public |
| Date Submitted | 2020-02-11 07:39 |
| Last Update | 2020-12-01 10:48 |
| Reporter | RoseDeSable |
| Assigned To | rhertzog |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | resolved |
| Resolution | fixed |
| Product Version | |
| Target Version | |
| Fixed in Version | 2020.2 |
| Summary | 0006094: UFW: fails at start and blocks all incoming packets |
Description

```
# ufw enable
WARN: uid is 0 but '/etc' is owned by 103
WARN: uid is 0 but '/lib' is owned by 103
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 2 failed
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'
```

After this message all incoming packets are blocked. But I see no message `[UFW BLOCK...` in my log. The same rules are running on two Kali systems. The difference is that the last update of the system without the ufw failure was at 2020-02-06 14:59:18 GMT+1. On the system with the failure I did the dist-upgrade on Monday 2020-02-10 15:24:23 GMT+1.
(0012197) hacktivist 2020-02-11 08:22
Same here!

```
ERROR: problem running ufw-init
iptables-restore: COMMIT expected at line 21
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'
```

I actually removed and purged both ufw and iptables because of this bug.
(0012198) hacktivist 2020-02-11 08:26
RoseDeSable You can enable ufw and you will see this bug. Logging is not working at all, which may be the issue; I'm not yet sure, and I would be happy to hear from the maintainers who merged this from upstream. Does anyone test packages before sending them out in kali-rolling? This is a major bug and it should be marked as CRITICAL!
(0012199) RoseDeSable 2020-02-11 08:40
hacktivist Last week ufw was upgraded to 0.36-1. It was running without any error. Only after the upgrade of some other packages yesterday did the problem occur. Therefore I believe that Kali has problems with different levels of software in the case when one product specifically depends on another product.
(0012200) hacktivist 2020-02-11 08:49
It is not ufw which has problems, because what worked "last week" still worked even yesterday. As far as I see this is a bug in IPTABLES: https://pkg.kali.org/news/393439/iptables-184-2-imported-into-kali-rolling/ UFW works correctly but can't commit to iptables. You can check using `iptables -S` that your rules are not passed by ufw. I have tried to install the older version of iptables from kali-rolling, but according to `apt-cache policy iptables` only version 1.8.4-2 is available. On Debian https://tracker.debian.org/news/1100518/iptables-184-2-migrated-to-testing/ you can see that the current version of iptables is in fact under testing!
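An automated form of the `iptables -S` check described above, added here as an example and not code from the thread or from ufw itself: it takes the text of an `iptables -S` dump and reports whether ufw's chains actually reached the kernel. The two sample dumps are constructed to mirror what the thread shows (policies only on the broken 1.8.4-2 system, ufw chains wired in after the downgrade); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify an `iptables -S` dump.
# "loaded"  = ufw chains exist, INPUT jumps into them, and the "[UFW BLOCK]"
#             LOG rule is present (so absence of log lines is a real signal).
# "missing" = no ufw chains and no INPUT jumps at all (the thread's failure).
# "partial" = something in between (e.g. chains created but never wired in).

# Count lines of $1 matching regex $2; awk so an empty match prints 0, not an error.
count_lines() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { n++ } END { print n + 0 }'
}

ufw_state() {
    dump=$1
    chains=$(count_lines "$dump" '^-N ufw-')
    jumps=$(count_lines "$dump" '^-A INPUT -j ufw-')
    logs=$(count_lines "$dump" '^-A ufw-after-logging-input .*-j LOG')
    if [ "$chains" -gt 0 ] && [ "$jumps" -gt 0 ] && [ "$logs" -gt 0 ]; then
        echo loaded
    elif [ "$chains" -eq 0 ] && [ "$jumps" -eq 0 ]; then
        echo missing
    else
        echo partial
    fi
}

# Constructed sample: what the broken system in the thread printed.
BROKEN_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: an abbreviated working dump after the downgrade.
WORKING_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-logging-input
-N ufw-before-input
-N ufw-after-logging-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-logging-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "'

# Against the live system (needs root): ufw_state "$(iptables -S)"
echo "broken sample:  $(ufw_state "$BROKEN_DUMP")"
echo "working sample: $(ufw_state "$WORKING_DUMP")"
```

A result of "missing" while `ufw status` reports active is exactly the mismatch the thread describes, and is worth alerting on after any iptables upgrade.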
(0012201) RoseDeSable 2020-02-11 09:19
Indeed, you strike home:

```
||/ Name           Version      Architektur  Beschreibung
+++-==============-============-============-=================================================
ii  iptables       1.8.3-2      <== the system without the failure
ii  iptables       1.8.4-2      <== the system with the failure
```

If I call `iptables -S` on 1.8.4-2, then I only receive

```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
```

I see no tables. I'm glad to have created a second Kali on a USB SSD: this is my trying / backup / destroy system, where I make upgrades. If I have no errors, then I upgrade my main system on the laptop. Once a week I synchronise the USB system with my main system: I boot kali-live on my laptop and run my bash script, which uses rsync. So I can do my work without interruption.
(0012203) hacktivist 2020-02-11 10:07
No matter what you do. This is a big bug affecting everyone seriously. |
(0012264) rhertzog 2020-02-12 13:43
This is likely this Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951102 and this one too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949739 And reported upstream here: https://bugzilla.netfilter.org/show_bug.cgi?id=1400 I'll downgrade iptables in kali-rolling for now. |
(0012267) hacktivist 2020-02-13 09:08
```
The following packages have unmet dependencies:
 iptables : Depends: libip4tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libip6tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libiptc0 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libxtables12 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Recommends: nftables but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
```

This is a big problem.

```
apt autoremove --purge libip4tc2 libip6tc2 libiptc0 libxtables12
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  initscripts insserv startpar sysv-rc
Suggested packages:
  bootchart2
The following packages will be REMOVED:
  accountsservice* apg* appstream* apt-config-icons* atom* bleachbit* bolt* chrome-gnome-shell* colord* colord-data*
  dbus-user-session* default-mysql-server* desktop-file-utils* dkms* dnsmasq-base* easy-rsa* eject* ettercap-graphical*
  exfat-fuse* exfat-utils* fonts-firacode* fwupd* fwupd-amd64-signed* galera-3* gdm3* gir1.2-accountsservice-1.0*
  gir1.2-evince-3.0* gir1.2-gck-1* gir1.2-gcr-3* gir1.2-gdm-1.0* gir1.2-geoclue-2.0* gir1.2-gmenu-3.0*
  gir1.2-gnomebluetooth-1.0* gir1.2-gweather-3.0* gir1.2-handy-0.0* gir1.2-ibus-1.0* gir1.2-mutter-5* gir1.2-nm-1.0*
  gir1.2-nma-1.0* gir1.2-packagekitglib-1.0* gir1.2-polkit-1.0* gir1.2-upowerglib-1.0* gnome-control-center*
  gnome-control-center-data* gnome-core* gnome-disk-utility* gnome-session* gnome-session-bin* gnome-session-common*
  gnome-settings-daemon* gnome-settings-daemon-common* gnome-shell* gnome-shell-common* gnome-shell-extension-dashtodock*
  gnome-shell-extension-desktop-icons* gnome-shell-extension-easyscreencast* gnome-shell-extension-proxyswitcher*
  gnome-shell-extension-workspaces-to-dock* gnome-shell-extensions* gnome-software* gnome-software-common* gnome-sushi*
  gnome-tweak-tool* gnome-tweaks* gparted* gparted-common* gstreamer1.0-packagekit* gvfs* gvfs-backends* gvfs-bin*
  gvfs-common* gvfs-daemons* gvfs-fuse* gvfs-libs* ibus* ibus-data* ibus-gtk* ibus-gtk3* ifenslave* ifupdown* im-config*
  init* iproute2* isc-dhcp-client* kali-desktop-core* kali-desktop-gnome* kali-grant-root* kali-linux-core* kali-menu*
  kali-themes* libaccountsservice0* libappstream-glib8* libappstream4* libatasmart4* libayatana-appindicator3-1*
  libayatana-indicator3-7* libblockdev-crypto2* libblockdev-fs2* libblockdev-loop2* libblockdev-part-err2*
  libblockdev-part2* libblockdev-swap2* libblockdev-utils2* libblockdev2* libcolord-gtk1* libcolorhug2*
  libconfig-inifiles-perl* libdbd-mysql-perl* libdbi-perl* libdbusmenu-gtk3-4* libdns-export1107* libfwupd2*
  libfwupdplugin1* libgcab-1.0-0* libgdm1* libgnome-autoar-0-0* libgnome-menu-3-0* libgsoap-2.8.91* libgusb2*
  libhtml-template-perl* libibus-1.0-5* libip4tc2* libip6tc2* libiptc0* libisc-export1104* libjudydebian1*
  libmusicbrainz5-2* libmusicbrainz5cc2v5* libmutter-5-0* libndp0* libnma0* libnss-myhostname* libnss-systemd*
  libpackagekit-glib2-18* libpam-systemd* libparted-fs-resize0* libpipewire-0.2-1* libpkcs11-helper1* libplymouth4*
  libpolkit-agent-1-0* libpulse-mainloop-glib0* librygel-core-2.6-2* librygel-db-2.6-2* librygel-renderer-2.6-2*
  librygel-server-2.6-2* libsmbios-c2* libteamdctl0* libterm-readkey-perl* libtss2-esys0* libvncserver1* libvolume-key1*
  libxcb-res0* libxmlb1* libxtables12* mariadb-client-10.3* mariadb-client-core-10.3* mariadb-server-10.3*
  mariadb-server-core-10.3* miredo* mobile-broadband-provider-info* mousetweaks* mutter* mutter-common* nautilus*
  nautilus-data* network-manager* network-manager-gnome* network-manager-openvpn* network-manager-openvpn-gnome* numad*
  opensc* opensc-pkcs11* openvpn* packagekit* packagekit-tools* plymouth* plymouth-label* policykit-1* ppp*
  python3-distro-info* python3-ibus-1.0* python3-software-properties* qt5-gtk2-platformtheme*
  qt5-style-plugin-cleanlooks* qt5-style-plugin-motif* qt5-style-plugin-plastique* qt5-style-plugins* realmd* rsync*
  rtkit* rygel* software-properties-common* software-properties-gtk* switcheroo-control* systemd* systemd-sysv* tpm-udev*
  udisks2* unattended-upgrades* virtualbox* virtualbox-dkms* virtualbox-ext-pack* virtualbox-qt* vlan*
  xdg-desktop-portal* xwayland*
The following NEW packages will be installed:
  initscripts insserv startpar sysv-rc
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  init systemd-sysv (due to init)
```
(0012268) RoseDeSable 2020-02-13 09:50
Good Morning Hacktivist, you must re-install version 1.8.3-2 of iptables. In this case you must also downgrade to the older versions of the other shown packages. I do the following:

1) `apt-get install iptables=1.8.3-2 libip4tc2=1.8.3-2 libip6tc2=1.8.3-2 libiptc0=1.8.3-2 libxtables12=1.8.3-2`
2) I restart my system.
3) I re-enable my ufw. Everything goes right:

```
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
...
```

4) I make an update of my package list and a dist-upgrade (`apt-get update; apt-get dist-upgrade`). The version 1.8.4-2 of iptables isn't seen:

```
espeak-ng-data exploitdb keyutils libbson-1.0-0 libcgi-pm-perl libespeak-ng1 libkeyutils1 libkeyutils1:i386
libmongoc-1.0-0 libnet-dns-sec-perl libpng-dev libpng-tools libpng16-16 libpng16-16:i386 liburi-perl login passwd
python-cryptography python-passlib python3-cryptography python3-passlib
```

For rhertzog:
I believe that the stuff of kali must do something to remove the failing version of iptables from systems where it is already installed !!!

Bye Rose
(0012269) hacktivist 2020-02-13 10:24
```
root@localhost:~# ufw status verbose
Status: inactive
root@localhost:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@localhost:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# ufw enable
Firewall is active and enabled on system startup
root@localhost:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
-N ufw-after-input
-N ufw-after-output
-N ufw-after-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-logging-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-reject-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-track-forward
-N ufw-logging-deny
-N ufw-logging-allow
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-skip-to-policy-forward
-N ufw-not-local
-N ufw-user-input
-N ufw-user-output
-N ufw-user-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-logging-forward
-N ufw-user-limit
-N ufw-user-limit-accept
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
root@localhost:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# nano /etc/default/ufw
root@localhost:~# ufw reload
Firewall reloaded
root@localhost:~# ufw status verbose
Status: active

Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

root@localhost:~# ufw allow out on tun0 from any to any
```

Thanks for the hint! I forgot the =version
(0012270) hacktivist 2020-02-13 10:33
Rose: stuff is not staff |
(0012282) rhertzog 2020-02-14 10:26
This will be properly fixed for everybody once 1.8.4-3 from Debian enters Kali. We will wait until it reaches testing. |
(0012326) sbrun 2020-02-21 14:11
1.8.4-3 is in Debian testing |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-02-11 07:39 | RoseDeSable | New Issue | |
2020-02-11 08:22 | hacktivist | Note Added: 0012197 | |
2020-02-11 08:26 | hacktivist | Note Added: 0012198 | |
2020-02-11 08:40 | RoseDeSable | Note Added: 0012199 | |
2020-02-11 08:49 | hacktivist | Note Added: 0012200 | |
2020-02-11 09:19 | RoseDeSable | Note Added: 0012201 | |
2020-02-11 10:07 | hacktivist | Note Added: 0012203 | |
2020-02-12 13:43 | rhertzog | Note Added: 0012264 | |
2020-02-12 13:43 | rhertzog | Assigned To | => rhertzog |
2020-02-12 13:43 | rhertzog | Status | new => assigned |
2020-02-13 09:08 | hacktivist | Note Added: 0012267 | |
2020-02-13 09:50 | RoseDeSable | Note Added: 0012268 | |
2020-02-13 10:24 | hacktivist | Note Added: 0012269 | |
2020-02-13 10:33 | hacktivist | Note Added: 0012270 | |
2020-02-14 10:26 | rhertzog | Note Added: 0012282 | |
2020-02-21 14:11 | sbrun | Status | assigned => resolved |
2020-02-21 14:11 | sbrun | Resolution | open => fixed |
2020-02-21 14:11 | sbrun | Fixed in Version | => 2020.2 |
2020-02-21 14:11 | sbrun | Note Added: 0012326 | |
2020-12-01 10:48 | g0tmi1k | Priority | high => normal |