Modified ufw firewall rules not staying after reboot


Mark Moore

Jul 8, 2015, 9:43:51 AM
to securit...@googlegroups.com
I seem to be having an issue: when I update the ufw firewall rules to restrict access, they are wiped after a reboot and set back to the default rules on my sensors. Any ideas on why that is occurring?

Thanks in advance for any assistance given.

Doug Burks

Jul 8, 2015, 9:45:47 AM
to securit...@googlegroups.com
Hi Mark,

How exactly are you modifying the firewall rules?

On Wed, Jul 8, 2015 at 9:43 AM, Mark Moore <tornado...@gmail.com> wrote:
> I seem to be having an issue: when I update the ufw firewall rules to restrict access, they are wiped after a reboot and set back to the default rules on my sensors. Any ideas on why that is occurring?
>
> Thanks in advance for any assistance given.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Mark Moore

Jul 8, 2015, 9:52:29 AM
to securit...@googlegroups.com
sudo ufw allow from x.x.166.151 to any port 514
sudo ufw allow proto udp from x.x.x.151 to any port 1514
sudo ufw allow proto tcp from x.x.x.151 to any port 22
sudo ufw allow proto tcp from x.x.x.68 to any port 22
sudo ufw allow proto tcp from x.x.x.51 to any port 22
sudo ufw allow proto tcp from x.x.x.22 to any port 22
sudo ufw allow proto tcp from x.x.x.68 to any port 3389
sudo ufw allow proto tcp from x.x.x.51 to any port 3389
sudo ufw allow proto tcp from x.x.x.0/23 to any port 22,3389
sudo ufw allow proto tcp from x.x.x.0/23 to any port 22,3389
sudo ufw allow proto tcp from x.x.x.0/23 to any port 22,3389

sudo ufw delete allow 22/tcp
sudo ufw delete allow 514
sudo ufw delete allow 1514/udp
sudo ufw delete allow 3389

Doug Burks

Jul 8, 2015, 10:04:24 AM
to securit...@googlegroups.com
After running these commands, did you run "sudo ufw status" to ensure
that the firewall rules looked correct?

Mark Moore

Jul 8, 2015, 10:05:11 AM
to securit...@googlegroups.com
Yes, I ran that after removing them, and then, once all was set, I rebooted the sensor to verify the rules were there.

Doug Burks

Jul 8, 2015, 10:12:55 AM
to securit...@googlegroups.com
Have you verified that ufw is saving your firewall rules to /lib/ufw/user.rules?
sudo cat /lib/ufw/user.rules

On Wed, Jul 8, 2015 at 10:05 AM, Mark Moore <tornado...@gmail.com> wrote:
> Yes, I ran that after removing them, and then, once all was set, I rebooted the sensor to verify the rules were there.
>

Mark Moore

Jul 8, 2015, 10:22:20 AM
to securit...@googlegroups.com
After running sudo cat /lib/ufw/user.rules, I see my rules in the configuration.

Doug Burks

Jul 8, 2015, 10:26:32 AM
to securit...@googlegroups.com
If they are being saved there, then UFW should load them at the next reboot.

Do you have any other startup scripts or configuration management that
may be changing your firewall rules?

On Wed, Jul 8, 2015 at 10:22 AM, Mark Moore <tornado...@gmail.com> wrote:
> After running sudo cat /lib/ufw/user.rules, I see my rules in the configuration.
>
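One way to carry out the check Doug describes: after the reboot, compare the rules you expect with what ufw actually persisted in /lib/ufw/user.rules, so you can see exactly which rules were dropped before hunting for whatever rewrote them. This is an added example, not code from the thread or from Security Onion; it assumes ufw writes a "### tuple ###" comment above each persisted rule, and the addresses and files below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or Security Onion). Assumption: ufw
# writes a "### tuple ### ACTION PROTO DPORT DST SPORT SRC DIR" comment above
# each rule it persists in /lib/ufw/user.rules. Addresses below are constructed.
# Print a user.rules file's persisted rules as "ACTION PROTO DPORT SRC" lines.
persisted_rules() {
    sed -n 's/^### tuple ### //p' "$1" | awk '{ print $1, $2, $3, $6 }' | sort -u
}

# Compare an expected-rules file (same "ACTION PROTO DPORT SRC" lines) with a
# user.rules file: print every expected rule that was not persisted and
# return 1 if any is missing, 0 otherwise.
missing_rules() {
    expected=$1
    rules=$2
    scratch=$(mktemp)
    rc=0
    persisted_rules "$rules" > "$scratch"
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if ! grep -Fxq -- "$want" "$scratch"; then
            printf 'MISSING after reboot: %s\n' "$want"
            rc=1
        fi
    done < "$expected"
    rm -f "$scratch"
    return $rc
}

# Constructed sample user.rules in which the port 3389 rule did not survive.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:ufw-user-input - [0:0]
### RULES ###
### tuple ### allow tcp 22 0.0.0.0/0 any 192.0.2.51 in
-A ufw-user-input -p tcp --dport 22 -s 192.0.2.51 -j ACCEPT
### tuple ### allow udp 1514 0.0.0.0/0 any 192.0.2.151 in
-A ufw-user-input -p udp --dport 1514 -s 192.0.2.151 -j ACCEPT
### END RULES ###
COMMIT
EOF

# Constructed sample of the rules the admin expects to find after the reboot.
SAMPLE_EXPECTED=$(mktemp)
printf '%s\n' 'allow tcp 22 192.0.2.51' 'allow udp 1514 192.0.2.151' \
    'allow tcp 3389 192.0.2.68' > "$SAMPLE_EXPECTED"

missing_rules "$SAMPLE_EXPECTED" "$SAMPLE_RULES" || echo "rule set drifted"
```

On a real sensor, point the second argument at /lib/ufw/user.rules and keep the expected list under version control so every reboot can be checked the same way.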

Mark Moore

Jul 8, 2015, 10:57:22 AM
to securit...@googlegroups.com
I have not added any scripts or CM changes.

Doug Burks

Jul 8, 2015, 11:01:40 AM
to securit...@googlegroups.com
I'm not able to duplicate this on any of my systems.

If you'd like to purchase commercial support, we can troubleshoot your
system in real time via GotoMeeting. If you're interested in this
option, please follow up with me off-list.

Thanks!

On Wed, Jul 8, 2015 at 10:57 AM, Mark Moore <tornado...@gmail.com> wrote:
> I have not added any scripts or CM changes.
>