View Issue Details

ID: 0006094
Project: Kali Linux
Category: [All Projects] General Bug
View Status: public
Last Update: 2020-02-21 14:11
Reporter: RoseDeSable
Assigned To: rhertzog
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: (none)
Target Version: (none)
Fixed in Version: 2020.2
Summary: 0006094: UFW: fails at start and blocks all incoming packets

Description

# ufw enable
WARN: uid is 0 but '/etc' is owned by 103
WARN: uid is 0 but '/lib' is owned by 103
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 2 failed
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'

After this message all incoming packets are blocked, but I see no "[UFW BLOCK" message in my log.

The same rules are running on two Kali systems. The difference is that the last update of the system without the ufw failure was on 2020-02-06 14:59:18 GMT+1, while on the failing system I did the dist-upgrade on Monday 2020-02-10 15:24:23 GMT+1.

Activities

hacktivist

2020-02-11 08:22

reporter   ~0012197

Same here!

ERROR: problem running ufw-init
iptables-restore: COMMIT expected at line 21
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'

I actually removed and purged both ufw and iptables because of this bug.

hacktivist

2020-02-11 08:26

reporter   ~0012198

RoseDeSable

You can enable ufw and you will see this bug. Logging is not working at all, which may be the issue; I'm not yet sure and I would be happy to hear from the maintainers who merged this from upstream. Does anyone test packages before sending them out in kali-rolling? This is a major bug and it should be marked as CRITICAL!

RoseDeSable

2020-02-11 08:40

reporter   ~0012199

hacktivist

Last week ufw was upgraded to 0.36-1. It was running without any error. Only after the upgrade of some other packages yesterday did the problem occur. Therefore I believe that Kali has problems with different levels of software in the case where one product especially depends on another product.

hacktivist

2020-02-11 08:49

reporter   ~0012200

It is not ufw which has problems, because "last week" it worked, even yesterday. As far as I see this is a bug in IPTABLES:

https://pkg.kali.org/news/393439/iptables-184-2-imported-into-kali-rolling/

UFW works correctly but can't commit to iptables.

You can check using "iptables -S" that your rules are not passed by ufw.

I have tried to install the older version of iptables from kali-rolling, but according to "apt-cache policy iptables" only version 1.8.4-2 is available. On Debian https://tracker.debian.org/news/1100518/iptables-184-2-migrated-to-testing/ you can see that the current version of iptables is in fact under testing!
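The check suggested above, as an added example that is not part of the thread: a small POSIX shell script that reads "iptables -S" output and tells apart the healthy case (ufw-* chains present and hooked into INPUT) from the failure reported here (only default policies, no ufw chains). The function name, the verdict words and the sample rule sets are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: a post-`ufw enable` sanity check for
# the failure mode in this thread, where ufw reports success but iptables-restore
# failed and `iptables -S` shows only default policies with no ufw-* chains.

# ufw_state reads `iptables -S` output on stdin and prints one line:
#   loaded     - ufw-* chains exist and INPUT jumps into them
#   unhooked   - ufw-* chains exist but INPUT does not jump into them
#   not-loaded - no ufw-* chains at all (the symptom reported here)
# followed by the INPUT default policy, e.g. "not-loaded INPUT=ACCEPT".
ufw_state() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e callers alive
    chains=$(printf '%s\n' "$rules" | grep -c '^-N ufw-' || true)
    hooks=$(printf '%s\n' "$rules" | grep -c '^-A INPUT -j ufw-' || true)
    if [ "$chains" -eq 0 ]; then
        state=not-loaded
    elif [ "$hooks" -eq 0 ]; then
        state=unhooked
    else
        state=loaded
    fi
    printf '%s INPUT=%s\n' "$state" "${policy:-unknown}"
}

# Constructed samples, modelled on the output quoted in the thread.
BROKEN_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

HEALTHY_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-logging-input
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input'

printf '%s\n' "$BROKEN_SAMPLE"  | ufw_state   # not-loaded INPUT=ACCEPT
printf '%s\n' "$HEALTHY_SAMPLE" | ufw_state   # loaded INPUT=DROP

# Against the live system (needs root): exit non-zero unless the rules loaded.
if [ "${1:-}" = "--live" ]; then
    iptables -S | ufw_state | grep -q '^loaded ' || exit 1
fi
```

Run with --live as root right after "ufw enable"; a non-zero exit means ufw believes it is active while the kernel has no ufw rules at all.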

RoseDeSable

2020-02-11 09:19

reporter   ~0012201

Indeed, you strike home:

||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================================
ii iptables 1.8.3-2 <== the system without the failure
ii iptables 1.8.4-2 <== the system with the failure

If I call "iptables -S" on 1.8.4-2, then I only receive:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

I see no tables.

I'm glad to have created a second Kali on a USB SSD: this is my trying / backup / destroy system, where I make upgrades. First, if I have no errors, then I upgrade my main system on the laptop. Once a week I synchronise the USB system with my main system: I boot Kali live on my laptop and run my bash script, which uses rsync. So I can do my work without interruption.

hacktivist

2020-02-11 10:07

reporter   ~0012203

No matter what you do. This is a big bug affecting everyone seriously.

rhertzog

2020-02-12 13:43

administrator   ~0012264

This is likely this Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951102
and this one too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949739

And reported upstream here: https://bugzilla.netfilter.org/show_bug.cgi?id=1400

I'll downgrade iptables in kali-rolling for now.

hacktivist

2020-02-13 09:08

reporter   ~0012267

The following packages have unmet dependencies:
 iptables : Depends: libip4tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libip6tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libiptc0 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Depends: libxtables12 (= 1.8.3-2) but 1.8.4-2 is to be installed
            Recommends: nftables but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

This is a big problem.


apt autoremove --purge libip4tc2 libip6tc2 libiptc0 libxtables12
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  initscripts insserv startpar sysv-rc
Suggested packages:
  bootchart2
The following packages will be REMOVED:
  accountsservice* apg* appstream* apt-config-icons* atom* bleachbit* bolt* chrome-gnome-shell* colord* colord-data* dbus-user-session* default-mysql-server* desktop-file-utils* dkms* dnsmasq-base* easy-rsa* eject*
  ettercap-graphical* exfat-fuse* exfat-utils* fonts-firacode* fwupd* fwupd-amd64-signed* galera-3* gdm3* gir1.2-accountsservice-1.0* gir1.2-evince-3.0* gir1.2-gck-1* gir1.2-gcr-3* gir1.2-gdm-1.0* gir1.2-geoclue-2.0*
  gir1.2-gmenu-3.0* gir1.2-gnomebluetooth-1.0* gir1.2-gweather-3.0* gir1.2-handy-0.0* gir1.2-ibus-1.0* gir1.2-mutter-5* gir1.2-nm-1.0* gir1.2-nma-1.0* gir1.2-packagekitglib-1.0* gir1.2-polkit-1.0* gir1.2-upowerglib-1.0*
  gnome-control-center* gnome-control-center-data* gnome-core* gnome-disk-utility* gnome-session* gnome-session-bin* gnome-session-common* gnome-settings-daemon* gnome-settings-daemon-common* gnome-shell* gnome-shell-common*
  gnome-shell-extension-dashtodock* gnome-shell-extension-desktop-icons* gnome-shell-extension-easyscreencast* gnome-shell-extension-proxyswitcher* gnome-shell-extension-workspaces-to-dock* gnome-shell-extensions*
  gnome-software* gnome-software-common* gnome-sushi* gnome-tweak-tool* gnome-tweaks* gparted* gparted-common* gstreamer1.0-packagekit* gvfs* gvfs-backends* gvfs-bin* gvfs-common* gvfs-daemons* gvfs-fuse* gvfs-libs* ibus*
  ibus-data* ibus-gtk* ibus-gtk3* ifenslave* ifupdown* im-config* init* iproute2* isc-dhcp-client* kali-desktop-core* kali-desktop-gnome* kali-grant-root* kali-linux-core* kali-menu* kali-themes* libaccountsservice0*
  libappstream-glib8* libappstream4* libatasmart4* libayatana-appindicator3-1* libayatana-indicator3-7* libblockdev-crypto2* libblockdev-fs2* libblockdev-loop2* libblockdev-part-err2* libblockdev-part2* libblockdev-swap2*
  libblockdev-utils2* libblockdev2* libcolord-gtk1* libcolorhug2* libconfig-inifiles-perl* libdbd-mysql-perl* libdbi-perl* libdbusmenu-gtk3-4* libdns-export1107* libfwupd2* libfwupdplugin1* libgcab-1.0-0* libgdm1*
  libgnome-autoar-0-0* libgnome-menu-3-0* libgsoap-2.8.91* libgusb2* libhtml-template-perl* libibus-1.0-5* libip4tc2* libip6tc2* libiptc0* libisc-export1104* libjudydebian1* libmusicbrainz5-2* libmusicbrainz5cc2v5*
  libmutter-5-0* libndp0* libnma0* libnss-myhostname* libnss-systemd* libpackagekit-glib2-18* libpam-systemd* libparted-fs-resize0* libpipewire-0.2-1* libpkcs11-helper1* libplymouth4* libpolkit-agent-1-0*
  libpulse-mainloop-glib0* librygel-core-2.6-2* librygel-db-2.6-2* librygel-renderer-2.6-2* librygel-server-2.6-2* libsmbios-c2* libteamdctl0* libterm-readkey-perl* libtss2-esys0* libvncserver1* libvolume-key1* libxcb-res0*
  libxmlb1* libxtables12* mariadb-client-10.3* mariadb-client-core-10.3* mariadb-server-10.3* mariadb-server-core-10.3* miredo* mobile-broadband-provider-info* mousetweaks* mutter* mutter-common* nautilus* nautilus-data*
  network-manager* network-manager-gnome* network-manager-openvpn* network-manager-openvpn-gnome* numad* opensc* opensc-pkcs11* openvpn* packagekit* packagekit-tools* plymouth* plymouth-label* policykit-1* ppp*
  python3-distro-info* python3-ibus-1.0* python3-software-properties* qt5-gtk2-platformtheme* qt5-style-plugin-cleanlooks* qt5-style-plugin-motif* qt5-style-plugin-plastique* qt5-style-plugins* realmd* rsync* rtkit* rygel*
  software-properties-common* software-properties-gtk* switcheroo-control* systemd* systemd-sysv* tpm-udev* udisks2* unattended-upgrades* virtualbox* virtualbox-dkms* virtualbox-ext-pack* virtualbox-qt* vlan*
  xdg-desktop-portal* xwayland*
The following NEW packages will be installed:
  initscripts insserv startpar sysv-rc
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  init systemd-sysv (due to init)

RoseDeSable

2020-02-13 09:50

reporter   ~0012268

Good Morning Hacktivist, you must re-install version 1.8.3-2 of iptables. In this case you must also downgrade to the older versions of the other packages shown. I do the following:

1) apt-get install iptables=1.8.3-2 libip4tc2=1.8.3-2 libip6tc2=1.8.3-2 libiptc0=1.8.3-2 libxtables12=1.8.3-2

2) I restart my system

3) I re-enable my ufw. Everything goes right:

iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
...

4) I make an update of my package list and a dist-upgrade (apt-get update; apt-get dist-upgrade). Version 1.8.4-2 of iptables isn't seen:

espeak-ng-data exploitdb keyutils libbson-1.0-0 libcgi-pm-perl libespeak-ng1 libkeyutils1 libkeyutils1:i386 libmongoc-1.0-0 libnet-dns-sec-perl libpng-dev libpng-tools libpng16-16 libpng16-16:i386 liburi-perl login passwd python-cryptography python-passlib python3-cryptography python3-passlib


For rhertzog:
-------------------

I believe that the stuff of Kali must do something to remove the failing version of iptables from systems where it is already installed !!!


Bye
Rose

hacktivist

2020-02-13 10:24

reporter   ~0012269

root@localhost:~# ufw status verbose
Status: inactive
root@localhost:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@localhost:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# ufw enable
Firewall is active and enabled on system startup
root@localhost:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
-N ufw-after-input
-N ufw-after-output
-N ufw-after-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-logging-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-reject-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-track-forward
-N ufw-logging-deny
-N ufw-logging-allow
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-skip-to-policy-forward
-N ufw-not-local
-N ufw-user-input
-N ufw-user-output
-N ufw-user-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-logging-forward
-N ufw-user-limit
-N ufw-user-limit-accept
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

root@localhost:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

root@localhost:~# nano /etc/default/ufw
root@localhost:~# ufw reload
Firewall reloaded
root@localhost:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
root@localhost:~# ufw allow out on tun0 from any to any

Thanks for the hint! I forgot the =version

hacktivist

2020-02-13 10:33

reporter   ~0012270

Rose: stuff is not staff

rhertzog

2020-02-14 10:26

administrator   ~0012282

This will be properly fixed for everybody once 1.8.4-3 from Debian enters Kali. We will wait until it reaches testing.

sbrun

2020-02-21 14:11

manager   ~0012326

1.8.4-3 is in Debian testing

Issue History

Date Modified Username Field Change
2020-02-11 07:39 RoseDeSable New Issue
2020-02-11 08:22 hacktivist Note Added: 0012197
2020-02-11 08:26 hacktivist Note Added: 0012198
2020-02-11 08:40 RoseDeSable Note Added: 0012199
2020-02-11 08:49 hacktivist Note Added: 0012200
2020-02-11 09:19 RoseDeSable Note Added: 0012201
2020-02-11 10:07 hacktivist Note Added: 0012203
2020-02-12 13:43 rhertzog Note Added: 0012264
2020-02-12 13:43 rhertzog Assigned To => rhertzog
2020-02-12 13:43 rhertzog Status new => assigned
2020-02-13 09:08 hacktivist Note Added: 0012267
2020-02-13 09:50 RoseDeSable Note Added: 0012268
2020-02-13 10:24 hacktivist Note Added: 0012269
2020-02-13 10:33 hacktivist Note Added: 0012270
2020-02-14 10:26 rhertzog Note Added: 0012282
2020-02-21 14:11 sbrun Status assigned => resolved
2020-02-21 14:11 sbrun Resolution open => fixed
2020-02-21 14:11 sbrun Fixed in Version => 2020.2
2020-02-21 14:11 sbrun Note Added: 0012326