littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

ufw #39

Closed Bronislawsky closed 4 years ago

Bronislawsky commented 4 years ago

Hi! I have been able to reproduce the problem with /etc/ufw/user.rules here. I just ran `ufw reload` and user.rules gets wiped, and I believe I found out why: it doesn't pass the sanity check because it doesn't contain the comment `### tuple ### ...`

ref : https://askubuntu.com/questions/1006834/ufw-rules-disappear-after-manually-adding-them-to-user-rules-ubuntu-16-04

jessuppi commented 4 years ago

@Bronislawsky Please kindly add this to the existing Issue on this topic instead:

https://github.com/littlebizzy/slickstack/issues/36

If you can use more descriptive titles when creating Issues, it would also help the community understand a bit more about what you're reporting. Thanks!

Bronislawsky commented 4 years ago

Alright, the Issue was 'closed', that's why I created a new one. I am pretty new to git, I will pay attention.

To be precise about this issue: no matter if you add custom rules or not, as soon as ss's user.rules is copied over /etc/ufw/user(6).rules it will not survive a 'ufw reload', because user.rules is not well formatted.

Bronislawsky commented 4 years ago

Typo in ss-install.txt: `ufw allow @SSH_PORT` should be `ufw allow $SSH_PORT`

```
########### This block generates user.rules and user6.rules ############
ufw default deny incoming
ufw default allow outgoing
ufw allow $SSH_PORT
ufw allow 80
ufw allow 443
ufw allow 6379
#######################################################################
```

I think these lines

```
#################################################################################
wget -O /tmp/user.rules http://mirrors.slickstack.io/ufw-firewall/user-rules.txt

if [[ -z "$SSH_PORT" ]]; then
    sed -i "s/@SSH_PORT/6969/g" /tmp/user.rules
else
    sed -i "s/@SSH_PORT/${SSH_PORT}/g" /tmp/user.rules
fi

cp /tmp/user.rules /etc/ufw/user.rules
chown root:root /etc/ufw/user.rules
chmod 0664 /etc/ufw/user.rules
##################################################################################
```

are useless, because they overwrite the previously generated user(6).rules, and if for some reason 'ufw reload' is executed you get locked out of IPv4. The IPv6 rules will persist because they haven't been overridden by the faulty `cp /tmp/user.rules /etc/ufw/user.rules`.

IMHO `wget -O /tmp/user.rules http://mirrors.slickstack.io/ufw-firewall/user-rules.txt` should not happen at all.
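The two points raised in this thread (a user.rules file without `### tuple ###` lines loses its rules on `ufw reload`, and an installer that blindly copies such a template over the live file) can be caught before the reload happens. The script below is an added example, not SlickStack's code: `check_user_rules` walks the `### RULES ###` section and reports every `-A ufw-user-*` line that has no `### tuple ###` line covering it, and `install_user_rules` is the guarded replacement for the bare `cp`, refusing to overwrite the destination when the check fails. The sample files are constructed to mimic what `ufw allow` writes (the tuple field order is assumed from ufw's own output) and the paths are temporary, so it runs without touching /etc/ufw.

```shell
#!/bin/sh
# Added example, not SlickStack's own code. ufw rebuilds the "### RULES ###"
# section of user.rules from the "### tuple ###" comment lines on "ufw reload",
# so a rule line without one is silently dropped. check_user_rules flags such
# orphans; install_user_rules only copies a file over the live one when the
# check passes. All paths and sample files here are constructed for the demo.

# check_user_rules FILE: print every "-A ufw-user-*" line inside the RULES
# section that is not covered by a preceding "### tuple ###" line.
# Returns 0 when every rule has its tuple, 1 otherwise.
check_user_rules() {
    awk '
        /^### RULES ###/      { in_rules = 1; next }
        /^### END RULES ###/  { in_rules = 0; next }
        !in_rules             { next }
        /^### tuple ###/      { have_tuple = 1; next }   # one tuple may cover several -A lines
        /^-A ufw-user-/       {
            if (!have_tuple) { printf "orphan rule at line %d: %s\n", NR, $0; bad = 1 }
            next
        }
        /^[ \t]*$/            { have_tuple = 0 }          # blank line ends the current rule group
        END                   { exit (bad ? 1 : 0) }
    ' "$1"
}

# install_user_rules SRC DEST: guarded replacement for "cp SRC DEST".
# Keeps a .bak of the previous file and applies the 0640 mode ufw itself uses.
install_user_rules() {
    src="$1"; dest="$2"
    if ! check_user_rules "$src"; then
        echo "refusing to install $src: the rules above would be lost on 'ufw reload'" >&2
        return 1
    fi
    [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
    cp "$src" "$dest" || return 1
    chown root:root "$dest" 2>/dev/null || true   # needs root; harmless to skip in the demo
    chmod 0640 "$dest"
}

WORK=$(mktemp -d)

# Constructed sample: the shape "ufw allow 22/tcp" and "ufw allow 443" produce,
# tuple lines included ("allow any" yields one tcp and one udp rule line).
cat > "$WORK/good.rules" <<'EOF'
*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -j ACCEPT

### END RULES ###
COMMIT
EOF

# Constructed sample of a hand-written template: the iptables line for port 80
# is present but has no tuple comment, so ufw would drop it on reload.
cat > "$WORK/bad.rules" <<'EOF'
*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
COMMIT
EOF

for f in good bad; do
    if check_user_rules "$WORK/$f.rules"; then
        echo "$f.rules: every rule has a tuple line"
    else
        echo "$f.rules: would lose rules on 'ufw reload'"
    fi
done

install_user_rules "$WORK/bad.rules"  "$WORK/user.rules" || echo "install of bad.rules refused"
install_user_rules "$WORK/good.rules" "$WORK/user.rules" && echo "installed good.rules"
```

Run it as a plain shell script; the bad template is reported with the line number of the orphan rule and is never copied, while the ufw-generated one installs. The check is deliberately conservative: it treats any `-A ufw-user-*` line that is not under a tuple as lost, which is exactly the case the askubuntu answer linked above describes.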

jessuppi commented 4 years ago

Locking this thread as a similar Issue already exists, please add comments there, thanks ~