
UFW - Backed Up Rules #178

Open
bdwyertech opened this issue Sep 8, 2017 · 3 comments

Comments

@bdwyertech

bdwyertech commented Sep 8, 2017

Cookbook version

2.6.2 (any version though really)

Chef-client version

12.19.36

Platform Details

Ubuntu 16.04

Scenario:

Everything works, it simply creates a lot of backed up rules. In my environment, I create individual firewall rules between servers in a private network. As servers come and go (dynamic cloud environment), eventually you are left with a massive number of backed up rulesets.

Steps to Reproduce:

Change your rules a few times and watch these build up in /etc/ufw/

Suggested Solution:

In my wrapper cookbook, I put something in like the below -- it is the best thing I could come up with. Maybe it's better left in a wrapper, but I figured I'd at least put it out there as many may not realize it is happening.

ruby_block 'Clean up Backed-Up UFW Rules' do
  block do
    # Matches the timestamped copies (e.g. user.rules.20170911_082950),
    # not the live *.rules files; `each` returns the array of matched paths.
    deleted = ::Dir.glob('/etc/ufw/*\.rules\.*').each { |f| ::File.delete(f) }
    Chef::Log.info('Deleted Backed-Up UFW Rulesets: ' + deleted.inspect)
  end
  only_if { platform_family?('debian') }
end
@martinb3
Contributor

martinb3 commented Sep 11, 2017

Hi there -- this looks like these are getting created by the Chef file resource. I would have expected these get written to /var/chef/backup, but not to the local directory. We'll have to test this, and perhaps expose an option, to turn it off.

@bdwyertech
Author

It looks like these are actually created by running ufw reset

root@firewalltest:/etc/ufw# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20170911_082950'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20170911_082950'
Backing up 'after.rules' to '/etc/ufw/after.rules.20170911_082950'
Backing up 'user.rules' to '/etc/ufw/user.rules.20170911_082950'
Backing up 'before.rules' to '/etc/ufw/before.rules.20170911_082950'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20170911_082950'
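
An added example (not the cookbook's code and not from either commenter) that builds on the cleanup block and the `ufw reset` output above: instead of deleting every backup, it recognises the `<base>.rules.<YYYYMMDD_HHMMSS>` names ufw writes and returns only those older than the newest `keep` copies per ruleset, so a recent backup survives for rollback. The directory listing is constructed; in a `ruby_block` you would pass the basenames from `Dir.children('/etc/ufw')` and delete the returned files.

```ruby
# Added example: prune ufw backup files created by `ufw reset`, keeping the
# newest `keep` backups of each ruleset. Names follow <base>.rules.<stamp>.
UFW_BACKUP_RE = /\A(?<base>[a-z0-9]+)\.rules\.(?<stamp>\d{8}_\d{6})\z/

# Return the subset of `filenames` (basenames under /etc/ufw) that are
# ufw backups and are older than the `keep` most recent ones per base file.
# Live rulesets (user.rules, before6.rules, ...) and unrelated files are
# never returned, so they cannot be deleted by mistake.
def stale_ufw_backups(filenames, keep: 2)
  groups = Hash.new { |h, k| h[k] = [] }
  filenames.each do |name|
    m = UFW_BACKUP_RE.match(name)
    next unless m
    groups[m[:base]] << [m[:stamp], name]
  end
  groups.values.flat_map do |entries|
    # YYYYMMDD_HHMMSS stamps sort lexically in chronological order,
    # so the last `keep` entries are the newest and are retained.
    entries.sort_by(&:first).reverse.drop(keep).map(&:last)
  end
end

# Constructed sample listing of /etc/ufw after several `ufw reset` runs.
SAMPLE = %w[
  user.rules user6.rules before.rules after.rules sysctl.conf ufw.conf
  user.rules.20170911_082950 user.rules.20170910_010203 user.rules.20170909_120000
  user6.rules.20170911_082950
  before.rules.20170911_082950 before.rules.20170908_000000 before.rules.20170907_000000
]

if __FILE__ == $PROGRAM_NAME
  stale = stale_ufw_backups(SAMPLE, keep: 2)
  puts "would delete: #{stale.inspect}"
  # Inside a Chef ruby_block the deletion itself would be:
  # stale.each { |f| ::File.delete(::File.join('/etc/ufw', f)) }
end
```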

@martinb3
Contributor

Ah, okay. Seeing the filenames, that makes more sense! We can get a fix in for this.
