Alright so I'm running this Ubuntu 22.04 server, it's about 6 months mature now and has had a sparkling security record to date.
Today I SSH'd in just to check one of the UFW rules, and lo—

    $ sudo ufw status
    Status: inactive
I smashed out `sudo ufw enable`, then scrambled over to `/var/log` to see how long the firewall had been inactive, only to become more confused: the most recent logfile contained completely typical occurrences of `[UFW BLOCK]` entries, and even a matching `[UFW LIMIT]` log for my current SSH session. Graphing the logs w.r.t. time revealed no gaps, no oddities.
So, some inductive reasoning here suggests that `ufw` had, in fact, been enabled and working as expected all along.
The question is: Why would `ufw status` say it was "inactive" if it seemed to be functioning?
I have two theories on this. Either:
- An implementation change to the `ufw` CLI was introduced by an `apt upgrade` at some point, such that it now looks elsewhere for persistent state to report status. Meanwhile, the previous `ufw enable` invocation (from ~6 months ago) remains in its valid, operational state. If true, this isn't a problem, and at most I should perform a system reboot to unify the split states.
Or:
- I'm being toyed with by some kind of stealth attacker that I have zero experience identifying / dealing with...
Any/all insights are much appreciated!
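One way to tell the two theories apart, as an added example that is not part of the original post: compare the persisted flag that `ufw status` reports on (`ENABLED=` in `/etc/ufw/ufw.conf`) against the ruleset actually loaded in the kernel (the `ufw-*` chains visible in `iptables -S`). The sample config and ruleset text below are constructed; the `classify_ufw_state` function name is my own, and it assumes those two locations are the sources of truth.

```shell
#!/bin/sh
# Added example: reconcile ufw's persisted state with the live kernel ruleset.
# Assumption: `ufw status` answers from ENABLED= in /etc/ufw/ufw.conf, while
# traffic is filtered by the ufw-* chains that `ufw enable` loads into iptables.

# classify_ufw_state CONF_TEXT RULESET_TEXT
#   CONF_TEXT    contents of /etc/ufw/ufw.conf
#   RULESET_TEXT output of `iptables -S`
# Prints one of: consistent-active, consistent-inactive, split-state, enabled-not-loaded
classify_ufw_state() {
    conf="$1"
    ruleset="$2"
    persisted=no
    loaded=no
    # Persistent flag: this is what the "Status:" line is derived from.
    if printf '%s\n' "$conf" | grep -q '^ENABLED=yes$'; then
        persisted=yes
    fi
    # Live state: ufw creates its own chains when enabling; the user-rules
    # chain existing is enough to show a ufw ruleset is loaded.
    if printf '%s\n' "$ruleset" | grep -q '^-N ufw-user-input$'; then
        loaded=yes
    fi
    case "$persisted$loaded" in
        yesyes) echo consistent-active ;;
        nono)   echo consistent-inactive ;;
        noyes)  echo split-state ;;        # "inactive" on paper, still filtering (the post's situation)
        yesno)  echo enabled-not-loaded ;; # config says enabled, but nothing is in the kernel
    esac
}

# Constructed sample input mirroring the post: conf says no, chains are loaded.
SAMPLE_CONF='# /etc/ufw/ufw.conf (constructed sample)
ENABLED=no
LOGLEVEL=low'
SAMPLE_RULES='-P INPUT DROP
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input'
classify_ufw_state "$SAMPLE_CONF" "$SAMPLE_RULES"   # split-state

# Live check on the real host (needs root and iptables; skipped otherwise).
if [ "$(id -u)" -eq 0 ] && [ -r /etc/ufw/ufw.conf ] && command -v iptables >/dev/null 2>&1; then
    classify_ufw_state "$(cat /etc/ufw/ufw.conf)" "$(iptables -S 2>/dev/null || true)"
fi
```

A `split-state` verdict points at the first theory (stale persisted flag, live rules intact); `enabled-not-loaded` is the opposite failure, where the config claims a firewall that is not actually filtering anything.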