ufw remains inactive at boot time
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ufw (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I was advised to start a bug report (Comment 38): https:/
I "ufw enable" then several seconds later networking stops. I have get Ubuntu to gracefully power-down using the power-button and then gracefully power-up.
Out of curiosity, is anyone here having this problem wish ufw starting up at boot time while also using having fail2ban installed?
Here is my theory. It takes a while for fail2ban to issue all the iptable commands to configure the firewall. When ufw tries to initialise there may be a clash or lock held either by an iptables instance spawned by fail2ban or an iptables instance spawned by ufw. One of them will fail and will quite probably mess-up ufw's rules breaking network connectivity.
This time I waited for fail2ban to finish establishing its iptables rules before issuing "ufw enable" and this time round network connectivity was not lost.
How to I ensure that ufw is fully up and initialised BEFORE the fail2ban service starts?
-----
root@loki:~# ./ufw-diag.sh
Has python: pass (binary: python3, version: 3.8.10, py3)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass
This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)?
== IPv4 ==
Creating 'ufw-check-
Inserting RETURN at top of 'ufw-check-
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-
icmp (echo-request): pass
== IPv6 ==
Creating 'ufw-check-
Inserting RETURN at top of 'ufw-check-
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-
icmpv6 with hl (neighbor-
icmpv6 with hl (router-
icmpv6 with hl (router-
ipv6 rt: pass
All tests passed
-----
root@loki:
[Unit]
Description=
Documentation=
DefaultDependen
Before=
After=NetworkMa
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=
# ExecStartPost=
ExecStop=
[Install]
WantedBy=
-----
root@loki:
[Unit]
Description=
Documentation=
After=network.
PartOf=
[Service]
Type=simple
ExecStartPre=
ExecStart=
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=
ExecStop=
ExecReload=
PIDFile=
Restart=on-failure
RestartPreventE
[Install]
WantedBy=
-----
root@loki:
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=
# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""
-----
root@loki:/etc/ufw# lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04
-----
root@loki:/etc/ufw# ufw --version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
summary: |
- ufw does not activate at boot time + ufw remains inactive at boot time |
description: | updated |
root@loki: /home/myron# journalctl -u ufw.service
-- Logs begin at Wed 2021-12-29 15:30:45 GMT, end at Thu 2021-12-30 13:10:27 GMT. --
-- No entries --
-----
Current status of service. ufw was enabled manually so is actually active. It won't be once I reboot.
root@loki: /home/myron# systemctl status ufw system/ ufw.service; enabled; vendor preset: enabled) slice/ufw. service
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/
Active: active (exited) since Wed 2021-12-29 15:30:34 GMT; 21h ago
Docs: man:ufw(8)
Main PID: 295 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.
Warning: journal has been rotated since unit was started, output may be incomplete.