Closed zac90 closed 8 months ago
hi @zac90
Thanks for this issue, I have added the purge handler to 3.5.3.1.2 for iptables. For UFW, I believe UFW is a front end for an nftables or iptables backend, so removing both would cause an issue. This may be why the CIS documentation doesn't state to remove nftables but only `iptables-persistent`.
thanks
uk-bolly
hi uk-bolly, UFW works as a front end to iptables. It does not require nftables. As long as the underlying iptables is installed, which is embedded into the kernel and not removed with `iptables-persistent`, as far as I know it'll work fine. I did a quick check as well by removing both `nftables` and `iptables-persistent`, and ufw blocked ports fine.
hi @zac90
Thanks again for the feedback. Looking at this and speaking to others, it seems unclear. Documentation seems to state the default backend now for ufw is nftables (https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-22-04-lts), which may be why CIS have not added the removal of nftables? Checking a fresh system, when I look at the iptables command it points to the following:

```
readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
```

This appears to show that iptables commands are indeed using nftables. When I look at the man page:

```
NAME xtables-nft — iptables using nftables kernel api
```

Reading through and running the iptables command:

```
iptables -V
iptables v1.8.7 (nf_tables)
```

But when you look to remove nftables or ufw they don't show any dependencies, whereas trying to remove iptables tries to remove ufw.
The man page appears to explain this. Looking at the actual iptables package, this has all of the xtables configuration, and it appears that iptables is now a wrapper for nftables?
It appears to work as expected without removing nftables as well. But I also agree with not having packages installed for the sake of it, which is also part of a good baseline. For now I believe we should leave it as per the CIS recommendation and as the benchmark has it listed, as it still seems unclear what the actual state of best practice is from any documentation that I have found from Ubuntu or CIS.
Thanks as always
uk-bolly
No worries. Thanks for the comprehensive write-up. Perhaps it continued to work for me because it was just doing basic rules that iptables supports, whereas maybe more complex rules require nftables. Who knows.
Describe the Issue
If ufw is enabled, both iptables and nftables should be removed. At the moment only `iptables-persistent` is removed. Ensure nftables is also purged, as some files persist with a normal remove.

Expected Behavior
Remove nftables as well.

Actual Behavior
nftables remains with ufw active and may cause unexpected results.

Control(s) Affected
3.5.1.x and 3.5.3.1.2

Additional Notes
The CIS Hardening guide does not specifically state to do this in the ufw section; however, at the start of the firewall overview it contains the following: "Only one method should be used to configure a firewall on the system. Use of more than one method could produce unexpected results"

Possible Solution
Add the following to remove nftables when ufw is in use. Similar to control 3.5.3.1.2, except both that control and this one should use the `apt` module with `purge: true`.
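The two checks this thread performs by hand, as an added example that is not code from the issue, its commenters, or the role it is filed against: a POSIX shell script that classifies the iptables backend from `iptables -V` and `readlink -f` output, and reports whether `nftables` and `iptables-persistent` are installed, removed-but-not-purged (the "files persist with a normal remove" state the issue describes), or fully purged, using `dpkg-query`. The function names, the `--audit` entry point, and the sample strings are assumptions made here; the parsing functions take strings so they can be exercised without root or a Debian host.

```shell
#!/bin/sh
# Added example, not code from the issue or from the role it is filed against.
# Classifies the iptables backend and the dpkg state of the firewall packages
# discussed in the thread, so "removed but not purged" is visible to a baseline check.

# Map `iptables -V` output to a backend name.
# Sample inputs (constructed): "iptables v1.8.7 (nf_tables)", "iptables v1.8.7 (legacy)"
iptables_backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Map the resolved iptables binary (`readlink -f "$(command -v iptables)"`) to a backend.
# Sample inputs (constructed): /usr/sbin/xtables-nft-multi, /usr/sbin/xtables-legacy-multi
iptables_backend_from_path() {
    case "$1" in
        *xtables-nft-multi)    echo nf_tables ;;
        *xtables-legacy-multi) echo legacy ;;
        *)                     echo unknown ;;
    esac
}

# Map a dpkg `${Status}` string to installed / removed / purged.
# "deinstall ok config-files" is what a plain `apt remove` leaves behind: the
# binaries are gone but the conffiles (e.g. /etc/nftables.conf) remain.
# "unknown ok not-installed" or an empty string (dpkg-query found nothing) means purged.
pkg_state_from_status() {
    case "$1" in
        "install ok installed")      echo installed ;;
        "deinstall ok config-files") echo removed ;;
        *)                           echo purged ;;
    esac
}

# Live wrappers for a real Debian/Ubuntu host.
iptables_backend() {
    v=$(iptables -V 2>/dev/null) || v=""
    iptables_backend_from_version "$v"
}

pkg_state() {
    s=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || s=""
    pkg_state_from_status "$s"
}

# Audit a host where ufw is the chosen firewall (the issue's scenario, assumed here):
# report the backend and flag packages that are not fully purged. Prints the
# purge command instead of running it; returns 1 if anything still needs purging.
audit_ufw_host() {
    rc=0
    bin=$(readlink -f "$(command -v iptables 2>/dev/null)" 2>/dev/null)
    echo "iptables backend: $(iptables_backend) (${bin:-no iptables binary found})"
    for p in nftables iptables-persistent; do
        st=$(pkg_state "$p")
        echo "$p: $st"
        [ "$st" = purged ] || rc=1
    done
    [ "$rc" -eq 0 ] || echo "to fix: apt-get purge -y nftables iptables-persistent"
    return "$rc"
}

# Only run the audit when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_ufw_host
fi
```

Run it as `sh audit.sh --audit` on a host with ufw active. The Ansible equivalent of the printed purge command is the `apt` module with `state: absent` and `purge: true`, which is what the Possible Solution above proposes; a plain `state: absent` without `purge` leaves the package in the "deinstall ok config-files" state that this script reports as `removed`.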