The officially official Devuan Forum!

#1 2022-12-27 16:17:25

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

[SOLVED] ufw and gufw appeared to have uninstalled

Some weirdness ... I have Devuan Linux plus nginx plus grav-admin installed on my Dell OptiPlex 7050 configured in RAID 1.

ufw and gufw, previously installed and configured, have disappeared from the install as if never there.

What I mean is that neither responds and when I go to Synaptic Package Manager they aren't greyed - which I take to mean that Devuan doesn't see them as installed.

How would that happen, please?

Thanks

Offline

#2 2022-12-27 16:37:24

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Those packages don't seem to have been added to the banned list.

Have you checked the logs?

zcat /var/log/dpkg.log.*.gz | cat - /var/log/dpkg.log | grep 'ufw'

“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII, 18.

Offline

#3 2022-12-27 16:42:57

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Response is "gzip: /var/log/dpkg.log.*gz: No such file or directory"

Offline

#4 2022-12-27 16:51:23

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Sorry, working blind with that one. Find the logs yourself then. EDIT: the system probably isn't old enough to have rotated the logs so

grep 'ufw' /var/log/dpkg.log

I don't have a De{vu,bi}an system handy so I don't actually know where the logs are...

Last edited by Head_on_a_Stick (2022-12-27 16:52:41)


Offline
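
Added example (not part of the thread, and not Devuan's or dpkg's own tooling): the log search from posts #2 and #4, written so that missing or uncompressed rotated logs are skipped instead of producing the gzip error in post #3, and so that "ufw" does not also match "gufw". The function names are hypothetical and the sample log lines, including the version strings, are constructed.

```shell
#!/bin/sh
# Added example. Prints install/upgrade/remove/purge records for one package
# from dpkg.log and every rotated copy (plain or gzip), oldest first.
dpkg_history() {
    pkg=$1 logdir=${2:-/var/log}
    for f in "$logdir"/dpkg.log "$logdir"/dpkg.log.*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal: skip it
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done |
    awk -v p="$pkg" '
        # dpkg.log fields: date time action package:arch old-version new-version
        $3 ~ /^(install|upgrade|remove|purge)$/ {
            split($4, name, ":")     # exact name match, so "ufw" skips "gufw"
            if (name[1] == p) print
        }' |
    sort                             # ISO timestamps sort chronologically
}

# Most recent action recorded for the package (empty if it never appears).
dpkg_last_action() {
    dpkg_history "$1" "$2" | awk '{ last = $3 } END { if (last != "") print last }'
}

# Constructed sample logs (versions are placeholders), written to directory $1.
make_sample_logs() {
    printf '%s\n' \
        '2022-11-03 10:15:02 install ufw:all <none> 1.0-1' \
        '2022-11-03 10:15:03 status installed ufw:all 1.0-1' | gzip -c > "$1/dpkg.log.2.gz"
    printf '%s\n' \
        '2022-11-03 10:16:10 install gufw:all <none> 1.0-1' > "$1/dpkg.log.1"
    printf '%s\n' \
        '2022-12-20 09:00:00 remove ufw:all 1.0-1 <none>' \
        '2022-12-20 09:00:01 status config-files ufw:all 1.0-1' > "$1/dpkg.log"
}

demo=$(mktemp -d)
make_sample_logs "$demo"
for p in ufw gufw; do
    echo "== $p: last action $(dpkg_last_action "$p" "$demo")"
    dpkg_history "$p" "$demo"
done
rm -r "$demo"
```

On a real system, call `dpkg_history ufw` with no second argument to read /var/log; an empty result means no surviving dpkg log records the package at all.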

#5 2022-12-27 16:57:20

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

That doesn't return an error - just back to the prompt.

Odd stuff happening ...

Offline

#6 2022-12-27 16:58:45

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Perhaps check the Synaptic log as well but I thought all package management operations were collated under the dpkg log.


Offline

#7 2022-12-27 17:27:16

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Synaptic Package Manager (File -> History) shows no deletion of ufw or gufw

It also doesn't show either being installed.

I read this "... you won't see any packages installed, updated or removed from the command line (using apt, apt-get, dpkg), using the Software Updater, or the Software application. Similarly, the /var/log/apt/history.log APT log file only lists actions performed using apt/apt-get."

Offline

#8 2022-12-27 18:53:40

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

OK, I followed Steps 2 & 3 here https://www.codingforentrepreneurs.com/ … -firewall/

I wasn't sure about Step 4 so I skipped it and went to Step 5 - which appeared to work fine and returned the expected URL.

Now I'll try to get back to grav ...

Offline

#9 2022-12-27 19:01:00

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

If you just want a firewall that only allows ports 22, 80 & 443 see https://wiki.nftables.org/wiki-nftables … r_a_server

ufw is bloat!


Offline

#10 2022-12-27 19:35:20

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

OK, so I just read that GUFW is a UI for UFW and UFW is a wrapper for iptables or nftables.

I dislike bloat but am mostly not tinkering with tech and often forget detail - which is where a wrapper and a UI saves me.

Given my application to serve text files (many with embedded images), a blog, a small news aggregator, some links pages, a basic learning-certificate program, and a Docker-based scanner feed (the only thing that will use Docker) - using grav on top of nginx - might I find nftables getting very complicated?

Offline

#11 2022-12-27 19:53:06

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Not really.

It's as simple as

# apt install nftables orphan-sysvinit-scripts {g,}ufw-
# cp /usr/share/orphan-sysvinit-scripts/nftables /etc/init.d
# update-rc.d nftables defaults
# editor /etc/nftables.conf # copy in example file from my link
# /etc/init.d/nftables start

Then check with

# nft list ruleset

It would be even simpler had Debian bothered to supply an init script for nftables but unfortunately the developer doesn't give a crap about alternative init systems. For shame!


Offline

#12 2022-12-28 17:40:05

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

OK. I'm going to go minimalist, one step at a time.

I've uninstalled grav.

I used Synaptic to uninstall ufw and gufw - but whereis finds ufw still in /etc/ufw (multiple .rules, .init, .conf and one .init file in there)

/etc/gufw still contains app.profiles, gufw.cfg, Home.profile, Office.profile, and Public.profile.

I can just delete these directories/folders and files but do you know why Synaptic uninstall left these behind?

Offline

#13 2022-12-28 17:54:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

https://raphaelhertzog.com/2011/01/31/d … ion-files/

Last edited by Head_on_a_Stick (2022-12-28 17:54:23)


Offline

#14 2022-12-28 19:09:27

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Cool.

Aptitude isn't installed - is it worth adding?

I returned to Synaptic and selected Status then Uninstalled then gufw and ufw to completely remove.

It left those two folders in place and deleted all but applications.p from ufw and left gufw.cfg, Home.profile, Office.profile, and Public.profile behind in gufw (it only deleted app.profile).

I'll remove the rest manually.

Offline

#15 2022-12-28 19:21:40

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

In nftables.conf - when I copy in from https://wiki.nftables.org/wiki-nftables … r_a_server do I replace all but the 'shebang' line at the top?

Offline

#16 2022-12-28 19:34:52

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

/etc/init.d/nftables calls /usr/bin/nft -f /etc/nftables.conf so the file doesn't actually need a shebang.

EDIT: use this to check after the service starts:

# nft list ruleset

Last edited by Head_on_a_Stick (2022-12-28 19:36:40)


Offline

#17 2022-12-28 19:48:24

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

root@devuan1:/etc# nft list ruleset
table inet firewall {
	chain inbound_ipv4 {
	}

	chain inbound_ipv6 {
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
	}

	chain inbound {
		type filter hook input priority filter; policy drop;
		ct state vmap { invalid : drop, established : accept, related : accept }
		iifname "lo" accept
		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
		tcp dport { 22, 80, 443 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
root@devuan1:/etc# 

Offline
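
Added example (not part of the thread): a check that the loaded ruleset still matches the intent stated in post #9, that is, a default-drop input chain with only TCP ports 22, 80 and 443 accepted. The function names are hypothetical; the sample ruleset is the output posted in #17 with blank lines dropped, and the parser assumes the `nft list ruleset` layout shown there.

```shell
#!/bin/sh
# Added example: summarise `nft list ruleset` text read from stdin.
# Assumptions: "tcp dport ... accept" rules are counted in whichever chain they
# appear, and only the first chain hooked to input is examined for its policy.
nft_input_summary() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" |
        sed -n 's/.*hook input .*policy \([a-z]*\);.*/\1/p' | head -n 1)
    ports=$(printf '%s\n' "$rules" |
        sed -n 's/.*tcp dport \(.*\) accept.*/\1/p' |
        tr -d '{} \t' | tr ',' '\n' | sort -n | uniq | paste -sd, -)
    echo "policy=${policy:-none} tcp=${ports:-none}"
}

# Succeeds only if input is default-drop and exactly the ports in $1
# (comma-separated, ascending) are accepted.
nft_input_ok() {
    [ "$(nft_input_summary)" = "policy=drop tcp=$1" ]
}

# The ruleset posted in #17.
sample_ruleset() {
    cat <<'EOF'
table inet firewall {
	chain inbound_ipv4 {
	}
	chain inbound_ipv6 {
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
	}
	chain inbound {
		type filter hook input priority filter; policy drop;
		ct state vmap { invalid : drop, established : accept, related : accept }
		iifname "lo" accept
		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
		tcp dport { 22, 80, 443 } accept
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
EOF
}

sample_ruleset | nft_input_summary
# Live use, as root: nft list ruleset | nft_input_ok 22,80,443 || echo "ruleset differs"
```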

#18 2022-12-28 19:50:22

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

If that's as it should be - should I make a mod re. the potential for "ping flood" as mentioned?

Also, as I understand it, our ISP https://bulloch.solutions/home/ doesn't support IPv6 - should those references be commented-out or deleted or is there no harm in leaving them there?

Last edited by dcolburn (2022-12-28 20:05:26)

Offline

#19 2022-12-28 20:03:10

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

It is my understanding that ICMP echo requests should be allowed but I'm no expert.

Reference: http://shouldiblockicmp.com/


Offline

#20 2022-12-28 20:08:07

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Head_on_a_Stick wrote:

It is my understanding that ICMP echo requests should be allowed but I'm no expert.

Reference: http://shouldiblockicmp.com/

OK, I'll leave it be.

I believe that the ASUS router I'm using has some firewall controls - I could look at preventing a ping flood there first.

Offline

#21 2022-12-28 20:10:22

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Should I disable iptables? https://linux-audit.com/nftables-beginn … filtering/

"It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. So keep it simple and flush out all iptables rules, and make sure it is not loaded."

    iptables -F

Do the same for IPv6:

    ip6tables -F

"Ensure that during system reboots the iptables configuration or modules are no longer loaded." (I'm not sure how to do this.)

Last edited by dcolburn (2022-12-28 20:10:49)

Offline

#22 2022-12-28 20:39:42

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

I think nftables should be the default backend for any "iptables" implementations.

See https://wiki.debian.org/nftables and run

for i in {ip{,6},arp,eb}tables ; do sudo update-alternatives --config $i ; done

All of the alternatives should be pointing to *tables-nft; change them if they aren't.

Check for any extant iptables configuration with

# iptables-save

I'm pretty sure that should be blank.


Offline

#23 2022-12-28 21:03:32

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

OK, done, with no errors.

Just one outstanding question then I probably should close this as Solved ...

As I understand it, our ISP https://bulloch.solutions/home/ doesn't support IPv6 - should those references be commented-out or deleted or is there no harm in leaving them there?

Offline

#24 2022-12-28 21:10:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: [SOLVED] ufw and gufw appeared to have uninstalled

I don't have IPv6 at the moment but I leave the firewall functionality intact just in case my ISP adds it without telling me.


Offline

#25 2022-12-28 21:24:36

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] ufw and gufw appeared to have uninstalled

Cool. OK, thanks.

Offline
