ufw does not start automatically at boot

Bug #1726856 reported by Matt Caswell on 2017-10-24
This bug affects 2 people
Affects          Status                     Importance   Assigned to         Milestone
ufw                                         Undecided    Jamie Strandboge
ufw (Ubuntu)     Status tracked in Cosmic
  Xenial                                    Undecided    Jamie Strandboge
  Artful                                    Undecided    Jamie Strandboge
  Bionic                                    Undecided    Jamie Strandboge
  Cosmic                                    Undecided    Jamie Strandboge

Bug Description

Whenever I boot into 17.10 ufw is always inactive, even though /etc/ufw/ufw.conf has this:

# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ufw 0.35-5
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 24 13:56:40 2017
InstallationDate: Installed on 2015-04-01 (936 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to artful on 2017-10-24 (0 days ago)
mtime.conffile..etc.default.ufw: 2015-06-17T22:01:02.089170

Matt Caswell (frodo-baggins) wrote :
Seth Arnold (seth-arnold) wrote :

Hi Matt, can you give the output of:

systemctl status ufw

and

journalctl -u ufw.service

Thanks

Changed in ufw (Ubuntu):
status: New → Incomplete
Matt Caswell (frodo-baggins) wrote :

Hi Seth,

This is what I get:

matt@matt-laptop:~$ sudo ufw status
Status: inactive
matt@matt-laptop:~$ journalctl -u ufw.service
-- Logs begin at Tue 2017-10-24 22:48:54 BST, end at Wed 2017-10-25 00:03:54 BST. --
Oct 24 22:48:54 matt-laptop systemd[1]: Started Uncomplicated firewall.
matt@matt-laptop:~$ systemctl status ufw
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2017-10-24 22:48:54 BST; 1h 15min ago
     Docs: man:ufw(8)
  Process: 443 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
 Main PID: 443 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/ufw.service

Oct 24 22:48:54 matt-laptop systemd[1]: Started Uncomplicated firewall.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Changed in ufw (Ubuntu):
status: Incomplete → New
Matt Caswell (frodo-baggins) wrote :

This issue still seems to be a problem in 18.04.

I found a solution:
https://askubuntu.com/questions/1040539/how-do-i-get-ufw-to-start-on-boot/1040584

I edited /lib/systemd/system/ufw.service as follows:

$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig 2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 14:17:22.030681670 +0100
@@ -2,7 +2,7 @@
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
-Before=network.target
+After=network-pre.target

 [Service]
 Type=oneshot
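
Review bot: After=network-pre.target on its own orders nothing here. network-pre.target is a passive target, and a unit that only names it in After= (this unit has DefaultDependencies=no and no Wants= line) never pulls it in, so the ordering edge is inert, while the Before=network.target guarantee the same line removes is gone for good; interfaces can come up before the ruleset is loaded. A firewall unit wants the other direction: Before=network-pre.target together with Wants=network-pre.target, with the network manager carrying After=network-pre.target. Confirm the resulting graph after a reboot with `systemctl list-dependencies --reverse network-pre.target` and `systemd-analyze critical-chain ufw.service`.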

According to this page

https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

the network-pre.target has this purpose:

"It's primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up"

Making the above change solves the problem so that ufw does seem to start up after boot. Is it a bug that ufw.service is not setup this way to start with?

Jamie Strandboge (jdstrand) wrote :

Wrt:

the network-pre.target has this purpose:

"It's primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up"

I'm not sure network-pre.target existed at the time ufw added a systemd unit, but regardless, this sounds like exactly what we should be doing. Thanks for the triage!

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ufw (Ubuntu Xenial):
status: New → Triaged
Changed in ufw (Ubuntu Artful):
status: New → Triaged
Changed in ufw (Ubuntu Bionic):
status: New → Triaged
Changed in ufw:
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Artful):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
Matt Caswell (frodo-baggins) wrote :

Unfortunately, after a few reboots using these settings it seems this is not the answer. While it does seem to work intermittently, it also sometimes fails. I've also had some issues with network not working at all. I'm not 100% sure that this change is the culprit - but for now I have reverted the change.

It still seems to me likely that there is some issue with the systemd dependencies. With the previous settings ufw never seems to be active after boot.

Marcos Felipe Mello (marcosfrm) wrote :

You need

Before=network-pre.target
Wants=network-pre.target

(Wants is necessary because network-pre.target is a passive target)
(Before=network.target can be removed)

And then network management software needs to have After=network-pre.target. systemd-networkd and NetworkManager are fine, but I do not know about legacy stuff like ifupdown.

BTW, why DefaultDependencies=no is being set?

network-pre.target is systemd 214+. Since Debian Jessie has 215, it is probably safe to use it.
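
An added example, not ufw's code and not from anyone in this thread: a small POSIX shell linter for the ordering pattern described in the comment above. It checks a unit file for Before= and Wants= on network-pre.target, flags After=network-pre.target as the wrong direction for a firewall, and checks a network manager unit for After=network-pre.target. The sample unit files it writes to a temporary directory are constructed from the lines quoted in this report (RemainAfterExit=yes is an assumption, made because the unit shows as "active (exited)"); the network manager excerpt is constructed as well.

```shell
#!/bin/sh
# Added example: lint a firewall unit for the "Before= plus Wants= network-pre.target"
# pattern. Not ufw's code; the sample unit files below are constructed for this demo.

# has_directive FILE KEY VALUE_RE
# True when some "KEY=..." line in FILE lists VALUE_RE. Directive values are
# whitespace-separated lists, so the value is anchored on whitespace or line ends.
has_directive() {
    grep -Eq "^[[:space:]]*$2=([^#]*[[:space:]])?$3([[:space:]]|$)" "$1"
}

# check_firewall_unit FILE -> 0 if FILE orders the firewall before any interface is up
check_firewall_unit() {
    unit=$1 rc=0
    if ! has_directive "$unit" Before 'network-pre\.target'; then
        echo "$unit: no Before=network-pre.target, so interfaces may come up unfiltered"
        rc=1
    fi
    if ! has_directive "$unit" Wants 'network-pre\.target' &&
       ! has_directive "$unit" Requires 'network-pre\.target'; then
        echo "$unit: network-pre.target is passive; without Wants= it is never started, so Before=/After= on it order nothing"
        rc=1
    fi
    if has_directive "$unit" After 'network-pre\.target'; then
        echo "$unit: After=network-pre.target is the wrong direction for a firewall (it wants Before=)"
        rc=1
    fi
    return $rc
}

# check_network_unit FILE -> 0 if the network manager waits for network-pre.target
check_network_unit() {
    if has_directive "$1" After 'network-pre\.target'; then
        return 0
    fi
    echo "$1: no After=network-pre.target, so a firewall's Before= gives no guarantee against it"
    return 1
}

# write_samples DIR: constructed unit files, based on the lines quoted in this bug
write_samples() {
    # stock ufw.service as shipped in 0.35-5 (RemainAfterExit=yes is assumed)
    cat > "$1/stock.service" <<'EOF'
[Unit]
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
EOF
    # first attempt from the thread: After= on the passive target, no Wants=
    cat > "$1/after-only.service" <<'EOF'
[Unit]
Description=Uncomplicated firewall
DefaultDependencies=no
After=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
EOF
    # recommended form: Before= and Wants= on network-pre.target
    cat > "$1/fixed.service" <<'EOF'
[Unit]
Description=Uncomplicated firewall
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
EOF
    # constructed network manager excerpt that honours network-pre.target
    printf '[Unit]\nDescription=constructed network manager\nAfter=network-pre.target dbus.service\n' > "$1/netmgr.service"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for u in stock after-only fixed; do
    if check_firewall_unit "$SAMPLES/$u.service"; then echo "$u.service: ok"; fi
done
check_network_unit "$SAMPLES/netmgr.service" && echo "netmgr.service: ok"
```

Run it against the real files with `check_firewall_unit /lib/systemd/system/ufw.service` and `check_network_unit /lib/systemd/system/NetworkManager.service` (or the networking.service ifupdown installs). The regex deliberately accepts the value anywhere in a space-separated list, since systemd allows `Wants=a.target b.target` on one line.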

Matt Caswell (frodo-baggins) wrote :

I just tried that:

$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig 2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-07-17 16:50:45.545596167 +0100
@@ -2,7 +2,8 @@
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
-Before=network.target
+Before=network-pre.target
+Wants=network-pre.target

 [Service]
 Type=oneshot
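
Review bot: this is the documented pattern for a firewall unit, and dropping Before=network.target is safe because network-pre.target is itself ordered before network.target. The guarantee it gives still rests on the network manager ordering After=network-pre.target (systemd-networkd and NetworkManager do; ifupdown's networking.service was an open question above), so check the other side on the test host with `systemctl show -p After NetworkManager.service` or `systemctl show -p After networking.service`, and confirm ufw actually lands before the interfaces with `systemd-analyze critical-chain ufw.service` after a reboot. Note also that the unit keeps DefaultDependencies=no, so nothing but these two lines orders it at all.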

But after a reboot, nothing changed:

$ sudo ufw status
Status: inactive

Christian (bolek2000) wrote :

On latest Ubuntu 18.04 I have an inconsistent state of ufw on reboots (sometimes even ssh doesn't work):
root@us-proxy1:~# uname -a
Linux us-proxy1 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@us-proxy1:~# dpkg -l |grep ufw
ii ufw 0.35-5 all program for managing a Netfilter firewall

When I log in via console, 'ufw status' looks ok, but still not all services work. 'systemctl status ufw' is FAILED. Restarting the firewall solves the issue, but always logging into a server via console if ssh doesn't work is not acceptable. I will try the workaround mentioned above.
Errors always happen on COMMIT of ruleset:

root@us-proxy1:~# journalctl -u ufw.service
-- Logs begin at Thu 2018-07-19 13:09:26 UTC, end at Mon 2018-07-23 08:27:50 UTC. --
Jul 19 13:09:27 guest systemd[1]: Started Uncomplicated firewall.
-- Reboot --
Jul 19 14:12:46 us-proxy1 ufw-init[415]: iptables-restore: line 77 failed
Jul 19 14:12:47 us-proxy1 ufw-init[415]: Problem running '/etc/ufw/before.rules'
Jul 19 14:12:47 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 14:12:47 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 14:12:47 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
-- Reboot --
Jul 19 14:54:06 us-proxy1 ufw-init[421]: iptables-restore: line 44 failed
Jul 19 14:54:07 us-proxy1 ufw-init[421]: Problem running '/etc/ufw/user.rules'
Jul 19 14:54:07 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 14:54:07 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 14:54:07 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
Jul 19 15:09:51 us-proxy1 systemd[1]: Starting Uncomplicated firewall...
Jul 19 15:09:51 us-proxy1 ufw-init[1985]: Firewall already started, use 'force-reload'
Jul 19 15:09:51 us-proxy1 systemd[1]: Started Uncomplicated firewall.
-- Reboot --
Jul 19 15:21:17 us-proxy1 ufw-init[413]: ip6tables-restore: line 138 failed
Jul 19 15:21:17 us-proxy1 ufw-init[413]: Problem running '/etc/ufw/before6.rules'
Jul 19 15:21:17 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 15:21:17 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 15:21:17 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
Jul 19 15:22:29 us-proxy1 systemd[1]: Starting Uncomplicated firewall...
Jul 19 15:22:29 us-proxy1 ufw-init[1424]: Firewall already started, use 'force-reload'
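
An added example, not part of the report or of ufw: a shell/awk summary over `journalctl -u ufw.service` output that splits the log at the `-- Reboot --` markers and reports, per boot, whether ufw came up or which rules file failed and at which iptables-restore line. A "Started" after a "Failed to start" in the same boot is counted as an operator restart, not a clean boot. The sample log is the journal posted in the comment above, embedded as a constructed here-document so the script runs offline.

```shell
#!/bin/sh
# Added example: classify each boot in `journalctl -u ufw.service` output as ok or
# failed. Not ufw's code. The sample journal below is constructed from this bug report.

# summarize_ufw_boots: reads journal text on stdin, prints one line per boot
summarize_ufw_boots() {
    awk -v q="'" '
    function flush() {
        if (boot > 0) {
            if (failed)       printf "boot %d: failed (%s; %s)\n", boot, rules, err
            else if (started) printf "boot %d: ok\n", boot
            else              printf "boot %d: no ufw start recorded\n", boot
        }
        boot++; failed = 0; started = 0; rules = "?"; err = "?"
    }
    BEGIN { boot = 0; flush() }
    /^-- Reboot --/ { flush(); next }
    # the restore line number says where in the rules file the load died
    /ufw-init\[[0-9]+\]: ip6?tables-restore: line [0-9]+ failed/ {
        err = $0; sub(/.*ufw-init\[[0-9]+\]: /, "", err)
    }
    # the Problem running line quotes the offending rules file in single quotes
    /Problem running/ { n = split($0, a, q); if (n >= 3) rules = a[2] }
    /Failed to start Uncomplicated firewall/ { failed = 1 }
    # a Started after a failure in the same boot is a manual restart, not a clean boot
    /Started Uncomplicated firewall/ { if (!failed) started = 1 }
    END { flush() }
    '
}

# count_failed_boots: number of boots in which the unit failed (stdin as above)
count_failed_boots() {
    summarize_ufw_boots | grep -c ': failed'
}

# constructed sample: the journal posted in this bug report
SAMPLE_JOURNAL=$(cat <<'EOF'
-- Logs begin at Thu 2018-07-19 13:09:26 UTC, end at Mon 2018-07-23 08:27:50 UTC. --
Jul 19 13:09:27 guest systemd[1]: Started Uncomplicated firewall.
-- Reboot --
Jul 19 14:12:46 us-proxy1 ufw-init[415]: iptables-restore: line 77 failed
Jul 19 14:12:47 us-proxy1 ufw-init[415]: Problem running '/etc/ufw/before.rules'
Jul 19 14:12:47 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 14:12:47 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 14:12:47 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
-- Reboot --
Jul 19 14:54:06 us-proxy1 ufw-init[421]: iptables-restore: line 44 failed
Jul 19 14:54:07 us-proxy1 ufw-init[421]: Problem running '/etc/ufw/user.rules'
Jul 19 14:54:07 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 14:54:07 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 14:54:07 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
Jul 19 15:09:51 us-proxy1 systemd[1]: Starting Uncomplicated firewall...
Jul 19 15:09:51 us-proxy1 ufw-init[1985]: Firewall already started, use 'force-reload'
Jul 19 15:09:51 us-proxy1 systemd[1]: Started Uncomplicated firewall.
-- Reboot --
Jul 19 15:21:17 us-proxy1 ufw-init[413]: ip6tables-restore: line 138 failed
Jul 19 15:21:17 us-proxy1 ufw-init[413]: Problem running '/etc/ufw/before6.rules'
Jul 19 15:21:17 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 15:21:17 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 19 15:21:17 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.
Jul 19 15:22:29 us-proxy1 systemd[1]: Starting Uncomplicated firewall...
Jul 19 15:22:29 us-proxy1 ufw-init[1424]: Firewall already started, use 'force-reload'
EOF
)

printf '%s\n' "$SAMPLE_JOURNAL" | summarize_ufw_boots
```

On a real host, feed it `journalctl -u ufw.service --no-pager | summarize_ufw_boots`; a boot that reports "failed" while `ufw status` says active is exactly the inconsistent state described above, since `ufw status` reads the kernel tables and does not know that the unit exited 1.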

Christian (bolek2000) wrote :

I changed this:
-Before=network.target
+Before=network-pre.target
+Wants=network-pre.target
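
Review bot: this is the same two-line change as the earlier hunk, so the failure logged under it (ip6tables-restore: line 4 failed, with no "Problem running" file this time) reproduces independently of the ordering directives and points at the inline ruleset that ufw-init-functions pipes into ip6tables-restore rather than at a rules file. The journal only records the line number; to see the actual ip6tables-restore error, run `/lib/ufw/ufw-init start` by hand (the ExecStart shown above, minus `quiet`) and read its stderr.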

and get following:
Jul 23 09:40:53 us-proxy1 ufw-init[424]: ip6tables-restore: line 4 failed
Jul 23 09:40:53 us-proxy1 systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
Jul 23 09:40:53 us-proxy1 systemd[1]: ufw.service: Failed with result 'exit-code'.
Jul 23 09:40:53 us-proxy1 systemd[1]: Failed to start Uncomplicated firewall.

When I look at /lib/ufw/ufw-init-functions:

printf "*filter\n"\
    ":INPUT DROP [0:0]\n"\
    ":FORWARD DROP [0:0]\n"\
    ":OUTPUT DROP [0:0]\n"\
    "-A INPUT -i lo -j ACCEPT\n"\
    "-A OUTPUT -o lo -j ACCEPT\n"\
    "COMMIT\n" | ip6tables-restore || error="yes"

This might be related to the loopback interface not being configured? So ufw starts too early?

Christian (bolek2000) wrote :

If I use in /lib/systemd/system/ufw.service:
-Before=network.target
+After=network.target

ufw starts without errors, so there seem to be dependencies in the network.target, that are not allowing ufw-init-functions to complete successfully.

Christian (bolek2000) wrote :

Also tested:
After=network-pre.target
Wants=network-pre.target

This works as well, so this seems to be the appropriate config ? Maybe @marcosfrm has a typo in his recommendation ?

Christian (bolek2000) wrote :

Sorry after some more reboots the problem persists with:
After=network-pre.target
Wants=network-pre.target

So only working setup for me at the moment is:
After=network.target

Matt Caswell (frodo-baggins) wrote :

I just tried:
After=network.target

After 5 reboot tests I got mixed results:
The first two reboots failed to start networking at all and ufw reported its status as "inactive" immediately after boot.
The next two reboots networking started successfully, and ufw reported as active.
The final reboot, networking again did not start and ufw status was "inactive"
