UFW as an active service on Ubuntu

2

1

  • Every time I restart my computer, and check the status of the UFW firewall (sudo ufw status), it is disabled, even if I then enable and restart it.
  • I tried putting sudo ufw enable as one of the startup applications but it asks for the sudo password every time I log on, and I'm guessing it does not protect anyone else who logs on my computer.

How can I set up ufw so it is activated when I turn on my computer, and protects all accounts?

Update

I just tried /etc/init.d/ufw start, and it activated the firewall. Then I restarted the computer, and again it was disabled.

content of /etc/ufw/ufw.conf

# /etc/ufw/ufw.conf
# 

# set to yes to start on boot
ENABLED=yes

# set to one of 'off', 'low', 'medium', 'high'
LOGLEVEL=full

content of /etc/default/ufw

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW outbound packets on the OUTPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# extra connection tracking modules to load
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

Update

Followed your advice and ran update-rc.d with no luck.

lester@mcgrath-pc:~$ sudo update-rc.d ufw defaults
update-rc.d: warning: /etc/init.d/ufw missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
 Adding system startup for /etc/init.d/ufw ...
   /etc/rc0.d/K20ufw -> ../init.d/ufw
   /etc/rc1.d/K20ufw -> ../init.d/ufw
   /etc/rc6.d/K20ufw -> ../init.d/ufw
   /etc/rc2.d/S20ufw -> ../init.d/ufw
   /etc/rc3.d/S20ufw -> ../init.d/ufw
   /etc/rc4.d/S20ufw -> ../init.d/ufw
   /etc/rc5.d/S20ufw -> ../init.d/ufw

lester@mcgrath-pc:~$ ls -l /etc/rc?.d/*ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc0.d/K20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc1.d/K20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc2.d/S20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc3.d/S20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc4.d/S20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc5.d/S20ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 13 2009-12-20 20:34 /etc/rc6.d/K20ufw -> ../init.d/ufw

lamcro

Posted 2009-11-28T17:42:51.260

Reputation: 802

please edit your question and include the content of the /etc/default/ufw and /etc/ufw/ufw.conf files. also, which ubuntu version are you using? – quack quixote – 2009-11-28T20:10:54.317

I am using Ubuntu 9.10. Upgraded from 9.04 by way of "Update Manager". – lamcro – 2009-11-28T21:01:33.107

Answers

2

I remembered that in my frustration of not having the ufw stick as "active" on startup I repeatedly bypassed the 10 second grub countdown immediately as I rebooted to check the results of the earlier suggestions.

I wondered, since it was mentioned that the script ran at startup, if I was somehow cutting off the script before it could execute. Not so. ufw "active" still appears to stick after choosing ubuntu 9.1 the moment grub pops up.

It would appear that there was some conflict between ufw's default startup and one or both of Firewall Configuration or Firestarter. Uninstalling them seems to have fixed my problem.

Hopefully this works for others as well.

Joe

Posted 2009-11-28T17:42:51.260

Reputation:

Good idea. I try and uninstall all firewall apps, then just install what I need. Gracias! – lamcro – 2010-04-06T11:38:41.247

0

I've been having the same issue - very frustrating since this is my first foray into making Linux my main OS. I tried the solutions presented here with the same negative results.

However, for some reason I decided to try something else and it looks like it worked...

I'm not sure whether it was a combination of the two or just removing one but I removed/uninstalled both the Firestarter and Firewall Configuration Tool. I then did the sudo ufw enable once again and rebooted.

Now it seems to stick. I've rebooted several times with the same results. sudo ufw status comes up active after every bootup now.

However - I have one more thing to test... be back in a second...

Joe

Posted 2009-11-28T17:42:51.260

Reputation:

0

The UncomplicatedFirewall docs and a related UbuntuForums post suggest sudo ufw enable is all you need to do for UFW settings to persist across reboots.

But you indicate that running sudo ufw status after doing an enable still shows the firewall as disabled. ... If true, this indicates something is broken.

Does it help if you run /etc/init.d/ufw start (or restart)? Have you tried installing the gufw GUI (via Synaptic or other package manager) and configuring with that?

Please edit your question and include the content of /etc/default/ufw and /etc/ufw/ufw.conf.

Update:

OK. Running the init script works, so it appears the service isn't getting started at boot-up properly. It's hard to say exactly why, but I'd bet some inconsistency between Jaunty and Karmic that got confused during the dist-upgrade.

Use update-rc.d (more info) to create the startup links in the right place:

sudo update-rc.d ufw defaults

Then verify that the startup script links have been created:

ls -l /etc/rc?.d/*ufw

-- you should get a list of symbolic links like this (or very similar -- the numbers in the link name could be different):

lrwxrwxrwx 1 root root 17 2009-10-06 22:33 /etc/rc1.d/K01ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 17 2009-10-06 22:33 /etc/rc2.d/S99ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 17 2009-10-06 22:33 /etc/rc3.d/S99ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 17 2009-10-06 22:33 /etc/rc4.d/S99ufw -> ../init.d/ufw
lrwxrwxrwx 1 root root 17 2009-10-06 22:33 /etc/rc5.d/S99ufw -> ../init.d/ufw

If those are in place, your firewall should get started automatically next time you reboot.

Update 2: I updated the update-rc.d line above; the old should work but I think this version is a bit more "proper". The old probably won't create the K01ufw links.

quack quixote

Posted 2009-11-28T17:42:51.260

Reputation: 37 382

Yes, I've tried it, but when I restart the computer and check (sudo ufw status), it is disabled. – lamcro – 2009-11-28T19:57:19.837

I just re-phrased the bullets to make the problem clearer. – lamcro – 2009-11-28T20:03:39.340

I meant to indicate that, after enabling ufw and restarting the PC, the ufw is again disabled. – lamcro – 2009-11-28T20:38:37.070

another rephrase, first bullet. – lamcro – 2009-11-28T20:39:54.993

I have gufw, but it does not help. I have not tried "ufw start" yet. – lamcro – 2009-11-28T20:40:55.973

0

You could create a script in /etc/rc2.d. This runlevel is the same that starts system-wide services like pulseaudio or webservices...

Update

  1. It seems that ~quack took the proposal of making a rc script and expanded it to a nice how-to in his answer, so you might want to try that instead of editing your file by hand.
  2. A doubt struck me though: UFW is just a frontend for iptables, so you could check if iptables is using the rules you set for it. From the shell, type sudo iptables -L; you should get the list of rules currently in use. For example I opened a few ports, and in the rules listed out I find them in the form:

(part of the output)

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:51813 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5550 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29970 

So, if your rules are in use, you actually do not need to do any additional operation...

mac

Posted 2009-11-28T17:42:51.260

Reputation: 1 439

shouldn't be necessary, and you'd need it in /etc/rc2.d -- Ubuntu follows Debian in that runlevels 2-5 are basically the same, and by default the system boots into runlevel 2. – quack quixote – 2009-11-28T20:12:01.490

@~quack - You are right. I updated the original post – mac – 2009-11-29T11:32:06.893
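The three checks discussed in the answers above (ENABLED in /etc/ufw/ufw.conf, the S??ufw start link for the default runlevel 2, and rules present in the ufw-user-input chain), combined into one report. This is an added example, not part of the original thread; the function names are hypothetical and the fixture files are constructed so it runs offline without root.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; fixture data is constructed.

# True if the last ENABLED= line in a ufw.conf-style file says "yes".
ufw_conf_enabled() {
    val=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$1" | tail -n 1 | tr -d "\"' " | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# True if <rc root>/rc<N>.d holds an S??ufw start link (K?? links only stop it).
ufw_start_link() {
    for l in "$1/rc$2.d"/S[0-9][0-9]ufw; do
        [ -L "$l" ] && return 0
    done
    return 1
}

# Count rules in the ufw-user-input chain of `iptables -L` text read from stdin.
ufw_user_input_rules() {
    awk '/^Chain /{in_chain = ($2 == "ufw-user-input"); next}
         in_chain && NF && $1 != "target" {n++}
         END {print n + 0}'
}

# One-line summary: $1 ufw.conf, $2 rc root, $3 runlevel, $4 saved iptables -L output.
ufw_boot_report() {
    c=no; s=no
    ufw_conf_enabled "$1" && c=yes
    ufw_start_link "$2" "$3" && s=yes
    echo "conf_enabled=$c start_link=$s user_input_rules=$(ufw_user_input_rules < "$4")"
}

# Constructed fixture: ENABLED=yes and rules loaded, but no start link in rc2.d yet.
fx=$(mktemp -d)
mkdir -p "$fx/etc/ufw" "$fx/etc/rc2.d"
printf '# set to yes to start on boot\nENABLED=yes\n' > "$fx/etc/ufw/ufw.conf"
cat > "$fx/iptables-L.txt" <<'EOF'
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:51813
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5550

Chain ufw-user-output (1 references)
target     prot opt source               destination
EOF
ufw_boot_report "$fx/etc/ufw/ufw.conf" "$fx/etc" 2 "$fx/iptables-L.txt"
ln -s ../init.d/ufw "$fx/etc/rc2.d/S20ufw"   # what `update-rc.d ufw defaults` adds for runlevel 2
ufw_boot_report "$fx/etc/ufw/ufw.conf" "$fx/etc" 2 "$fx/iptables-L.txt"
```

On a real system, pass /etc/ufw/ufw.conf, /etc, 2 and a file holding the output of sudo iptables -L; a report with conf_enabled=yes and start_link=yes but user_input_rules=0 right after boot means something else is stopping or replacing the rules.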