View Issue Details

IDProjectCategoryView StatusLast Update
0006094Kali LinuxGeneral Bugpublic2020-12-01 10:48
ReporterRoseDeSable Assigned Torhertzog  
Status resolvedResolutionfixed 
Summary0006094: UFW: fails at start and blocks all incoming packets

#ufw enable
WARN: uid is 0 but '/etc' is owned by 103
WARN: uid is 0 but '/lib' is owned by 103
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 2 failed
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'

After this message all incoming packets are blocked. But I see no message [UFW BLOCK... in my log.

The same rules are running on two kali-systems. The difference is, that the last update of the system without ufw-failure was at 2020-02-06 14:59:18 GMT+1. On the system with failure I do the dist-upgrade at Monday 2020-02-10 15:24:23 GMT+1.




2020-02-11 08:22

reporter   ~0012197

Same here!

ERROR: problem running ufw-init
iptables-restore: COMMIT expected at line 21
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed

Problem running '/etc/ufw/user.rules'

I actually removed and purged both ufw and iptables because of this bug.



2020-02-11 08:26

reporter   ~0012198


You can enable ufw and you will see this bug. Logging not working at all which maybe the issue I'm not yet sure and I would be happy to hear from the maintainers who merged this from the upstream. Do anyone test packages before sending out in kali-rolling? This is a major bug and it should be marked as CRITICAL!



2020-02-11 08:40

reporter   ~0012199


Last week ufw was upgraded to 0.36-1. It was running without any error. First after the upgrade of some other packages yesterday, the problem occurs. Therefore I believe, that kali has problems with different levels of software in the case, when a product especially depends on another product.



2020-02-11 08:49

reporter   ~0012200

Is not ufw which has problems because "last week" worked even yesterday. Far as I see this is a bug of IPTABLES

UFW works correctly but can't commit to iptables.

You can check using < iptables -S > that your rules are not passed by ufw.

I have tried to install the older version of iptables from kali-rolling but according to apt-cache policy iptables only version 1.8.4-2 is available. On debian you can see that the current version of iptables is in fact under testing!



2020-02-11 09:19

reporter   ~0012201

you strike home:

||/ Name Version Architektur Beschreibung
ii iptables 1.8.3-2 <== the system without the failure
ii iptables 1.8.4-2 <== the system with the failure

If I call "ipatbles -S " on 1.8.4-2, then I only receive

iptables -S


I see no tables.

I'm glad to have created a second kali on an usb-ssd: This is my trying / backup / destroy system, where I make upgrades. Firstly If I have no errors, then I upgrade my main system on the laptop. One the week I synchronise the usb-system with my main system: I boot kali-live on my laptop and let run my bash, which use rsync. So I can do my work without interruption.



2020-02-11 10:07

reporter   ~0012203

No matter what you do. This is a big bug affecting everyone seriously.



2020-02-12 13:43

administrator   ~0012264

This is likely this Debian bug:
and this one too:

And reported upstream here:

I'll downgrade iptables in kali-rolling for now.



2020-02-13 09:08

reporter   ~0012267

The following packages have unmet dependencies:
iptables : Depends: libip4tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libip6tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libiptc0 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libxtables12 (= 1.8.3-2) but 1.8.4-2 is to be installed
Recommends: nftables but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

This is a big problem.

apt autoremove --purge libip4tc2 libip6tc2 libiptc0 libxtables12
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
initscripts insserv startpar sysv-rc
Suggested packages:
The following packages will be REMOVED:
accountsservice apg appstream apt-config-icons atom bleachbit bolt chrome-gnome-shell colord colord-data dbus-user-session default-mysql-server desktop-file-utils dkms dnsmasq-base easy-rsa eject
exfat-fuse exfat-utils fonts-firacode fwupd fwupd-amd64-signed galera-3 gdm3 gir1.2-accountsservice-1.0 gir1.2-evince-3.0 gir1.2-gck-1 gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-geoclue-2.0
gir1.2-gnomebluetooth-1.0 gir1.2-gweather-3.0 gir1.2-handy-0.0 gir1.2-ibus-1.0 gir1.2-mutter-5 gir1.2-nm-1.0 gir1.2-nma-1.0 gir1.2-packagekitglib-1.0 gir1.2-polkit-1.0 gir1.2-upowerglib-1.0
gnome-control-center gnome-control-center-data gnome-core gnome-disk-utility gnome-session gnome-session-bin gnome-session-common gnome-settings-daemon gnome-settings-daemon-common gnome-shell gnome-shell-common
gnome-shell-extension-desktop-icons gnome-shell-extension-easyscreencast gnome-shell-extension-proxyswitcher gnome-shell-extension-workspaces-to-dock gnome-shell-extensions
gnome-software-common gnome-sushi gnome-tweak-tool gnome-tweaks gparted gparted-common gstreamer1.0-packagekit gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs ibus
ibus-gtk ibus-gtk3 ifenslave ifupdown im-config init iproute2 isc-dhcp-client kali-desktop-core kali-desktop-gnome kali-grant-root kali-linux-core kali-menu kali-themes libaccountsservice0
libappstream4 libatasmart4 libayatana-appindicator3-1 libayatana-indicator3-7 libblockdev-crypto2 libblockdev-fs2 libblockdev-loop2 libblockdev-part-err2 libblockdev-part2 libblockdev-swap2
libblockdev-utils2 libblockdev2 libcolord-gtk1 libcolorhug2 libconfig-inifiles-perl libdbd-mysql-perl libdbi-perl libdbusmenu-gtk3-4 libdns-export1107 libfwupd2 libfwupdplugin1 libgcab-1.0-0 libgdm1
libgnome-menu-3-0 libgsoap-2.8.91 libgusb2 libhtml-template-perl libibus-1.0-5 libip4tc2 libip6tc2 libiptc0 libisc-export1104 libjudydebian1 libmusicbrainz5-2 libmusicbrainz5cc2v5
libmutter-5-0 libndp0 libnma0 libnss-myhostname libnss-systemd libpackagekit-glib2-18 libpam-systemd libparted-fs-resize0 libpipewire-0.2-1 libpkcs11-helper1 libplymouth4 libpolkit-agent-1-0
libpulse-mainloop-glib0 librygel-core-2.6-2 librygel-db-2.6-2 librygel-renderer-2.6-2 librygel-server-2.6-2 libsmbios-c2 libteamdctl0 libterm-readkey-perl libtss2-esys0 libvncserver1 libvolume-key1 libxcb-res0
libxmlb1 libxtables12 mariadb-client-10.3 mariadb-client-core-10.3 mariadb-server-10.3 mariadb-server-core-10.3 miredo mobile-broadband-provider-info mousetweaks mutter mutter-common nautilus nautilus-data
network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome numad opensc opensc-pkcs11 openvpn packagekit packagekit-tools plymouth plymouth-label policykit-1 ppp
python3-ibus-1.0 python3-software-properties qt5-gtk2-platformtheme qt5-style-plugin-cleanlooks qt5-style-plugin-motif qt5-style-plugin-plastique qt5-style-plugins realmd rsync rtkit rygel
software-properties-gtk switcheroo-control systemd systemd-sysv tpm-udev udisks2 unattended-upgrades virtualbox virtualbox-dkms virtualbox-ext-pack virtualbox-qt vlan
xdg-desktop-portal xwayland
The following NEW packages will be installed:
initscripts insserv startpar sysv-rc
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
init systemd-sysv (due to init)



2020-02-13 09:50

reporter   ~0012268

Good Morning Hacktivist,
you must re-install the version 1.8.3-2 of iptables. In this case you must also downgrade to the elder versions of the other shown packets. I do the following:

1) apt-get install iptables=1.8.3-2 libip4tc2=1.8.3-2 libip6tc2=1.8.3-2 libiptc0=1.8.3-2 libxtables12=1.8.3-2

2) I restart my system

3) I re-enable my ufw. Allthing goes right

iptables -S
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward

4) I make an update of my packet list and a dist-upgrade (apt-get update;apt-get dist-upgrade). The version 1.8.4-2 of iptables isn't seen:

espeak-ng-data exploitdb keyutils libbson-1.0-0 libcgi-pm-perl libespeak-ng1 libkeyutils1 libkeyutils1:i386 libmongoc-1.0-0 libnet-dns-sec-perl libpng-dev libpng-tools libpng16-16 libpng16-16:i386 liburi-perl login passwd python-cryptography python-passlib python3-cryptography python3-passlib

For rhertzog:

I believe, that the stuff of kali must do something, to remove the failing version of iptables from systems, where it is allready installed !!!




2020-02-13 10:24

reporter   ~0012269

root@localhost:~# ufw status verbose
Status: inactive
root@localhost:~# iptables -S
root@localhost:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# ufw enable
Firewall is active and enabled on system startup
root@localhost:~# iptables -S
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
-N ufw-after-input
-N ufw-after-output
-N ufw-after-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-logging-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-reject-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-track-forward
-N ufw-logging-deny
-N ufw-logging-allow
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-skip-to-policy-forward
-N ufw-not-local
-N ufw-user-input
-N ufw-user-output
-N ufw-user-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-logging-forward
-N ufw-user-limit
-N ufw-user-limit-accept
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

root@localhost:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

root@localhost:~# nano /etc/default/ufw
root@localhost:~# ufw reload
Firewall reloaded
root@localhost:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
root@localhost:~# ufw allow out on tun0 from any to any

Thanks for the hint! I forgot the =version



2020-02-13 10:33

reporter   ~0012270

Rose: stuff is not staff



2020-02-14 10:26

administrator   ~0012282

This will be properly fixed for everybody once 1.8.4-3 from Debian enters Kali. We will wait until it reaches testing.



2020-02-21 14:11

manager   ~0012326

1.8.4-3 is in Debian testing

Issue History

Date Modified Username Field Change
2020-02-11 07:39 RoseDeSable New Issue
2020-02-11 08:22 hacktivist Note Added: 0012197
2020-02-11 08:26 hacktivist Note Added: 0012198
2020-02-11 08:40 RoseDeSable Note Added: 0012199
2020-02-11 08:49 hacktivist Note Added: 0012200
2020-02-11 09:19 RoseDeSable Note Added: 0012201
2020-02-11 10:07 hacktivist Note Added: 0012203
2020-02-12 13:43 rhertzog Note Added: 0012264
2020-02-12 13:43 rhertzog Assigned To => rhertzog
2020-02-12 13:43 rhertzog Status new => assigned
2020-02-13 09:08 hacktivist Note Added: 0012267
2020-02-13 09:50 RoseDeSable Note Added: 0012268
2020-02-13 10:24 hacktivist Note Added: 0012269
2020-02-13 10:33 hacktivist Note Added: 0012270
2020-02-14 10:26 rhertzog Note Added: 0012282
2020-02-21 14:11 sbrun Status assigned => resolved
2020-02-21 14:11 sbrun Resolution open => fixed
2020-02-21 14:11 sbrun Fixed in Version => 2020.2
2020-02-21 14:11 sbrun Note Added: 0012326
2020-12-01 10:48 g0tmi1k Priority high => normal