If ufw worked fine, they shouldn't have had to run "iptables -L" to find out that docker put in a rule that "ufw status" couldn't see. The commands should just be interchangeable.
UFW works by creating iptables rules. It intentionally does not expose the full functionality of iptables. The u is for "uncomplicated". The fact that you can add iptables chains that take precedence over the UFW managed chain is a feature of iptables, not a bug of UFW. You'll find the same is true of any Linux firewall that sits on top of iptables or nftables.
I use firehol. All it does is convert "interface eth0 server https allow" into the respective iptables rule(s). While in theory you could write additional iptables rules outside of firehol, there really isn't an equivalent to "ufw status", only "iptables -L"... no room for ambiguity.
I hadn't heard of this before. Reading about it a bit, it feels like the worst of both worlds. Doesn't this mean you need to know firehol to create your firehol config AND know iptables to inspect what's actually applied?
Maybe, I really hadn't thought about it that way... but it's a lot easier to write rules, though, unless you're doing something weird (like ripping a packet apart to look at a particular byte offset). I used to write my own iptables scripts, but that got quite tedious.
That's a good question actually. Given the complexity and power of iptables and nftables (which is the reason UFW, firewalld and the like exist) I'd guess probably not. Trying to determine if a rule on another chain (or really a combination of rules across a combination of chains) changes the behavior of one of yours would be... challenging. I suspect the best it could do reliably is detect that rules in other chains exist and warn about that, but that's also a pretty common case. Pretty much every VPS in a cloud would have this warning for example.
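The "detect that rules in other chains exist and warn" check described in the comment above is easy enough to do by hand. The following is an added example, not code from any commenter, ufw, firehol or Docker: it parses the rule dump that `iptables -S` prints (the `-P`/`-N`/`-A` lines) and lists every `-A` rule that lives outside the `ufw-*` chains and does not merely jump into one of them. The sample dump is constructed for the example, loosely modelled on what a host running both ufw and Docker looks like; the chain names and addresses in it are illustrative, not captured from a real system. The "last field is the jump target" test is a heuristic that assumes `-j` is printed last, which is how `iptables -S` normally formats rules.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (NOT captured from a real host):
# ufw-managed chains plus the DOCKER / DOCKER-USER chains Docker creates.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-before-input -j ufw-user-input'

# Print every -A rule that ufw did not put there:
#  - rules inside ufw-* chains are ufw's own and are skipped;
#  - rules in built-in chains whose only job is to jump into a ufw-* chain
#    (last field starts with "ufw-") are ufw's glue and are skipped;
#  - everything else (here: Docker's FORWARD hooks and DOCKER chain rules)
#    is reported, because "ufw status" will never show it.
foreign_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" {
            chain = $2
            if (chain ~ /^ufw-/) next      # ufw-managed chain
            if ($NF ~ /^ufw-/) next        # jump into a ufw-managed chain
            print
        }'
}

# Number of foreign rules, always exits 0 so it is safe under `set -e`.
count_foreign_rules() {
    foreign_rules "$1" | awk 'END { print NR }'
}

# Stand-alone usage with the constructed sample. On a real host, replace
# "$SAMPLE_RULES" with "$(iptables -S)" (run as root).
if [ "$(count_foreign_rules "$SAMPLE_RULES")" -gt 0 ]; then
    echo "WARNING: rules exist outside ufw's chains:"
    foreign_rules "$SAMPLE_RULES"
fi
```

Run against the sample, it flags the two FORWARD hooks Docker adds plus the rules inside the DOCKER and DOCKER-USER chains, and stays silent about everything ufw itself installed. It only says that foreign rules exist; as the comment above notes, working out whether they actually change the behaviour of a given ufw rule is a different and much harder problem.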
Personally I think the real problem here is docker. Injecting rules into iptables is a bit like blindly injecting lines of code into someone else's program sight unseen. I'm not aware of any other tools that are nearly so willing to do so.
(Yes yes I know iptables is antiquated but they should still be compatible with each other at the kernel level)