ufw does not start automatically at boot

Bug #1726856 reported by Matt Caswell on 2017-10-24
This bug affects 1 person
Affects (Importance, Assigned to):
ufw: Undecided, Jamie Strandboge
ufw (Ubuntu): Status tracked in Cosmic
  Xenial: Undecided, Jamie Strandboge
  Artful: Undecided, Jamie Strandboge
  Bionic: Undecided, Jamie Strandboge
  Cosmic: Undecided, Jamie Strandboge

Bug Description

Whenever I boot into 17.10 ufw is always inactive, even though /etc/ufw/ufw.conf has this:

# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ufw 0.35-5
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 24 13:56:40 2017
InstallationDate: Installed on 2015-04-01 (936 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to artful on 2017-10-24 (0 days ago)
mtime.conffile..etc.default.ufw: 2015-06-17T22:01:02.089170

Matt Caswell (frodo-baggins) wrote :
Seth Arnold (seth-arnold) wrote :

Hi Matt, can you give the output of:

systemctl status ufw

and

journalctl -u ufw.service

Thanks

Changed in ufw (Ubuntu):
status: New → Incomplete
Matt Caswell (frodo-baggins) wrote :

Hi Seth,

This is what I get:

matt@matt-laptop:~$ sudo ufw status
Status: inactive
matt@matt-laptop:~$ journalctl -u ufw.service
-- Logs begin at Tue 2017-10-24 22:48:54 BST, end at Wed 2017-10-25 00:03:54 BST. --
Oct 24 22:48:54 matt-laptop systemd[1]: Started Uncomplicated firewall.
matt@matt-laptop:~$ systemctl status ufw
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2017-10-24 22:48:54 BST; 1h 15min ago
     Docs: man:ufw(8)
  Process: 443 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
 Main PID: 443 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/ufw.service

Oct 24 22:48:54 matt-laptop systemd[1]: Started Uncomplicated firewall.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Changed in ufw (Ubuntu):
status: Incomplete → New
Matt Caswell (frodo-baggins) wrote :

This issue still seems to be a problem in 18.04.

I found a solution:
https://askubuntu.com/questions/1040539/how-do-i-get-ufw-to-start-on-boot/1040584

I edited /lib/systemd/system/ufw.service as follows:

$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig 2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 14:17:22.030681670 +0100
@@ -2,7 +2,7 @@
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
-Before=network.target
+After=network-pre.target

 [Service]
 Type=oneshot
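
Review bot: The added line `After=network-pre.target` orders ufw after that target instead of ahead of it, and the same hunk drops `Before=network.target`, so with `DefaultDependencies=no` nothing left in [Unit] orders the firewall before the network comes up. For a service that must have its rules loaded before any interface is up, the systemd NetworkTarget page cited below describes the opposite direction: `Before=network-pre.target`, together with `Wants=network-pre.target`, since that target is passive and is only pulled in by the unit that wants to run before it. It would also be safer to carry the change as a drop-in under /etc/systemd/system/ufw.service.d/ than to edit /lib/systemd/system/ufw.service, which a package upgrade replaces.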

According to this page

https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

the network-pre.target has this purpose:

"It's primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up"

Making the above change solves the problem so that ufw does seem to start up after boot. Is it a bug that ufw.service is not set up this way to start with?

Jamie Strandboge (jdstrand) wrote :

Wrt:

the network-pre.target has this purpose:

"It's primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up"

I'm not sure network-pre.target existed at the time ufw added a systemd unit, but regardless, this sounds like exactly what we should be doing. Thanks for the triage!
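
An added example, not part of the original report and not ufw's own code: a POSIX shell check that reads the [Unit] section of a firewall service file and reports how it is ordered against network-pre.target. The return codes, function names and the three sample units (the two sides of the diff above plus one following the Before=/Wants= convention from the systemd NetworkTarget page) are constructed for this example.

```sh
#!/bin/sh
# Added example (not ufw's code): audit a firewall unit's [Unit] ordering.
# Return codes are this example's own convention:
#   0  Before= and Wants= both name network-pre.target
#   1  ordered After=network-pre.target (firewall starts after the target)
#   2  no Before= ordering against network-pre.target
#   3  Before= is set but no Wants= pulls the passive target in

unit_values() {  # unit_values FILE KEY -> values of KEY= found inside [Unit]
    awk -v key="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && index($0, key "=") == 1 {
            printf "%s ", substr($0, length(key) + 2)
        }' "$1"
}

has_target() {  # has_target "SPACE SEPARATED LIST" TARGET
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

check_fw_ordering() {  # check_fw_ordering UNIT_FILE
    target=network-pre.target
    before=$(unit_values "$1" Before)
    after=$(unit_values "$1" After)
    wants=$(unit_values "$1" Wants)
    if has_target "$after" "$target"; then return 1; fi
    if ! has_target "$before" "$target"; then return 2; fi
    if ! has_target "$wants" "$target"; then return 3; fi
    return 0
}

sample_unit() {  # constructed samples: orig | patched | conventional
    printf '[Unit]\nDescription=Uncomplicated firewall\nDefaultDependencies=no\n'
    case $1 in
        orig)         printf 'Before=network.target\n' ;;
        patched)      printf 'After=network-pre.target\n' ;;
        conventional) printf 'Before=network-pre.target\nWants=network-pre.target\n' ;;
    esac
    printf '\n[Service]\nType=oneshot\n'
}

for s in orig patched conventional; do
    tmp=$(mktemp); sample_unit "$s" > "$tmp"
    rc=0; check_fw_ordering "$tmp" || rc=$?
    echo "$s: check_fw_ordering returned $rc"
    rm -f "$tmp"
done
```

On a live system the same function can be pointed at the output of `systemctl cat ufw.service` saved to a file, which includes any drop-ins.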

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ufw (Ubuntu Xenial):
status: New → Triaged
Changed in ufw (Ubuntu Artful):
status: New → Triaged
Changed in ufw (Ubuntu Bionic):
status: New → Triaged
Changed in ufw:
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Artful):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
Matt Caswell (frodo-baggins) wrote :

Unfortunately, after a few reboots using these settings it seems this is not the answer. While it does seem to work intermittently, it also sometimes fails. I've also had some issues with network not working at all. I'm not 100% sure that this change is the culprit - but for now I have reverted the change.

It still seems to me likely that there is some issue with the systemd dependencies. With the previous settings ufw never seems to be active after boot.
