LinuxQuestions.org

Thread: Ubuntu firewall doesn't start on boot (https://www.linuxquestions.org/questions/linux-newbie-8/ubuntu-firewall-doesnt-start-on-boot-681943/)

khdani 11-08-2008 05:58 AM

Ubuntu firewall doesn't start on boot
 
Hello,
I'm using Ubuntu 8.04. I want the UFW (Uncomplicated Firewall) to start on system boot.
When I write 'ufw enable', it writes 'Firewall started and enabled on system startup'; however, it doesn't. I even added 'ufw enable' to rc.local: same thing, no result.

klearview 11-08-2008 06:42 AM

What's the output if you do:

Quote:

sudo ufw status
?

khdani 11-08-2008 08:08 AM

It will say that the firewall is not loaded until I manually load it with 'sudo ufw enable'.

klearview 11-08-2008 08:28 AM

Are you using customized networking set-up? ufw must start prior to networking and /usr must already be mounted.

Just in case here is my /etc/init.d/ufw:

#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          ufw
# Required-Start:    mountall.sh
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: start firewall
### END INIT INFO

PATH="/sbin:/bin:/usr/sbin:/usr/bin"

[ -x /usr/sbin/ufw ] || exit 0

. /lib/lsb/init-functions

# /etc/default/ufw carries the default policies and module list;
# /etc/ufw/ufw.conf carries ENABLED (written by 'ufw enable') and IPV6.
if [ -s /etc/default/ufw ]; then
    . /etc/default/ufw
else
    log_failure_msg "Could not find /etc/default/ufw (aborting)"
    exit 1
fi
if [ -s /etc/ufw/ufw.conf ]; then
    . /etc/ufw/ufw.conf
else
    log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
    exit 1
fi

RULES_PATH="/etc/ufw"
USER_PATH="/var/lib/ufw"

case "$1" in
start)
    if iptables -L ufw-user-input -n >/dev/null 2>&1 ; then
        # if firewall loaded, tell to reload instead
        log_action_msg "Firewall already started, use 'force-reload'"
        exit 0
    fi
    # nothing is loaded unless ufw.conf says ENABLED=yes
    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
        log_action_begin_msg "Starting firewall:" "ufw"
        for m in $IPT_MODULES
        do
            modprobe $m || true
        done

        execs="iptables"

        # IPv6 setup
        if [ "$IPV6" = "yes" ] || [ "$IPV6" = "YES" ]; then
            if ip6tables -L INPUT >/dev/null 2>&1; then
                execs="$execs ip6tables"
            else
                log_action_cont_msg "Problem loading ipv6 (skipping)"
            fi
        else
            if ip6tables -L INPUT >/dev/null 2>&1; then
                # IPv6 support disabled but available in the kernel, so
                # default DROP and accept all on loopback
                ip6tables -F || error="yes"
                ip6tables -X || error="yes"
                ip6tables -P INPUT DROP || error="yes"
                ip6tables -P OUTPUT DROP || error="yes"
                ip6tables -P FORWARD DROP || error="yes"
                ip6tables -A INPUT -i lo -j ACCEPT || error="yes"
                ip6tables -A OUTPUT -o lo -j ACCEPT || error="yes"
                if [ "$error" = "yes" ]; then
                    log_action_cont_msg "Problem setting default IPv6 policy"
                fi
            fi
        fi

        for exe in $execs
        do
            type=""
            if [ "$exe" = "ip6tables" ]; then
                type="6"
            fi
            BEFORE_RULES="$RULES_PATH/before${type}.rules"
            AFTER_RULES="$RULES_PATH/after${type}.rules"
            USER_RULES="$USER_PATH/user${type}.rules"

            # flush the chains
            $exe -F || error="yes"
            $exe -X || error="yes"

            # setup built-in chains' default policy
            $exe -P INPUT $DEFAULT_INPUT_POLICY || error="yes"
            $exe -P OUTPUT $DEFAULT_OUTPUT_POLICY || error="yes"
            $exe -P FORWARD $DEFAULT_FORWARD_POLICY || error="yes"

            # setup some other chains that can be used later
            if [ "$type" != "6" ]; then
                $exe -N ufw${type}-not-local || error="yes"
            fi

            # setup ufw${type}-before-* chains
            $exe -N ufw${type}-before-input || error="yes"
            $exe -N ufw${type}-before-output || error="yes"
            $exe -N ufw${type}-before-forward || error="yes"
            $exe -A INPUT -j ufw${type}-before-input || error="yes"
            $exe -A OUTPUT -j ufw${type}-before-output || error="yes"
            $exe -A FORWARD -j ufw${type}-before-forward || error="yes"
            # test the rules file itself, not the directory it lives in
            if [ -s "$BEFORE_RULES" ]; then
                if ! $exe-restore -n < $BEFORE_RULES ; then
                    log_action_cont_msg "Problem running '$BEFORE_RULES'"
                    error="yes"
                fi
            else
                log_action_cont_msg "Couldn't find '$BEFORE_RULES'"
            fi

            # setup ufw${type}-user chain
            if [ -s "$USER_PATH" ]; then
                $exe -N ufw${type}-user-input || error="yes"
                $exe -N ufw${type}-user-output || error="yes"
                $exe -N ufw${type}-user-forward || error="yes"
                $exe -A ufw${type}-before-input -j ufw${type}-user-input || error="yes"
                $exe -A ufw${type}-before-output -j ufw${type}-user-output || error="yes"
                $exe -A ufw${type}-before-forward -j ufw${type}-user-forward || error="yes"
                if ! $exe-restore -n < $USER_RULES ; then
                    log_action_cont_msg "Problem running '$USER_RULES'"
                    error="yes"
                fi
                # don't include the RETURN lines here, as they will
                # be in the USER_PATH file
            fi

            # now return from the chain
            $exe -A ufw${type}-before-input -j RETURN || error="yes"
            $exe -A ufw${type}-before-output -j RETURN || error="yes"
            $exe -A ufw${type}-before-forward -j RETURN || error="yes"

            # setup ufw${type}-after-* chains
            $exe -N ufw${type}-after-input || error="yes"
            $exe -N ufw${type}-after-output || error="yes"
            $exe -N ufw${type}-after-forward || error="yes"
            $exe -A INPUT -j ufw${type}-after-input || error="yes"
            $exe -A OUTPUT -j ufw${type}-after-output || error="yes"
            $exe -A FORWARD -j ufw${type}-after-forward || error="yes"
            if [ -s "$AFTER_RULES" ]; then
                if ! $exe-restore -n < $AFTER_RULES ; then
                    log_action_cont_msg "Problem running '$AFTER_RULES'"
                    error="yes"
                fi
            else
                log_action_cont_msg "Couldn't find '$AFTER_RULES'"
            fi
            $exe -A ufw${type}-after-input -j RETURN || error="yes"
            $exe -A ufw${type}-after-output -j RETURN || error="yes"
            $exe -A ufw${type}-after-forward -j RETURN || error="yes"
        done

        if [ ! -z "$IPT_SYSCTL" ] && [ -s "$IPT_SYSCTL" ]; then
            sysctl -e -q -p $IPT_SYSCTL || true
        fi

        # any iptables call above that failed ends up as the
        # "Starting firewall ... failed" line on the boot console
        if [ "$error" = "yes" ]; then
            log_action_end_msg 1
            exit 1
        else
            log_action_end_msg 0
        fi
    else
        log_action_begin_msg "Skipping firewall:" "ufw (not enabled)"
        log_action_end_msg 0
    fi
    ;;
stop)
    log_action_begin_msg "Stopping firewall:" "ufw"
    error=""

    execs="iptables"
    if ip6tables -L INPUT >/dev/null 2>&1; then
        execs="$execs ip6tables"
    fi

    # flush everything and fall back to ACCEPT on the built-in chains
    for exe in $execs
    do
        $exe -F || error="yes"
        $exe -X || error="yes"
        $exe -P INPUT ACCEPT || error="yes"
        $exe -P OUTPUT ACCEPT || error="yes"
        $exe -P FORWARD ACCEPT || error="yes"
    done

    if [ "$error" = "yes" ]; then
        log_action_end_msg 1
        exit 1
    else
        log_action_end_msg 0
    fi
    ;;
restart|force-reload)
    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
        $0 stop
        $0 start
    else
        log_warning_msg "Skipping $1 (not enabled)"
    fi
    ;;
status)
    err=""
    # the ufw-user-input chain only exists while the firewall is loaded
    iptables -L ufw-user-input -n >/dev/null 2>&1 || {
        log_failure_msg "Firewall is not running"
        exit 3
    }

    if [ "$IPV6" = "yes" ] || [ "$IPV6" = "YES" ]; then
        ip6tables -L ufw6-user-input -n >/dev/null 2>&1 || {
            # unknown state: ipv4 ok, but ipv6 isn't
            log_failure_msg "Firewall in inconsistent state (IPv6 enabled but not running)"
            exit 4
        }
    fi

    log_success_msg "Firewall is running"
    ;;
*)
    echo "Usage: /etc/init.d/ufw {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0

khdani 11-08-2008 08:53 AM

I haven't touched the ufw configuration file; I think mine looks just like yours.
What do you mean by a customized networking setup?

klearview 11-08-2008 09:13 AM

Quote:

what do you mean customized networking setup ?
Using if-up.d or replacing the network start-up scripts in some other way. Basically, the problem that it does not run at start-up might lie in the order not being followed: /usr gets mounted first, then ufw starts, then networking starts.

khdani 11-08-2008 09:33 AM

No, as far as I remember I hadn't changed the order. However, is there a way to verify that it's in the order you specified?

klearview 11-08-2008 09:58 AM

Sure. In the /etc/rcS.d directory, look at the names of the symbolic links there: the smaller the number after S, the sooner the script starts. Therefore S35mountall.sh -> S39ufw -> S40networking on my system.
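
The checks discussed so far (the ENABLED flag in /etc/ufw/ufw.conf that the posted init script tests before loading anything, the S<NN> ordering of the links in /etc/rcS.d, and the liveness test the script's status branch uses), collected into one diagnostic. This is an added example, not code from the thread or from ufw itself. Paths default to the Ubuntu 8.04 locations used by the posted init script and can be overridden by argument so the checks can be run against copies of the files; the script name ufw_bootcheck.sh is an assumption, and the sample ufw.conf and rcS.d link names mentioned in the comments are constructed for illustration.

```shell
#!/bin/sh
# ufw_bootcheck.sh (assumed name): three checks for "ufw does not start at boot".
# Added example; not part of ufw or of the thread.

# Print the NN from an S<NN><name> start link in an rcS.d-style directory,
# e.g. "39" for S39ufw; fail if no such link exists.
rcs_seq() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || [ -L "$f" ] || return 1
        f=${f##*/}          # basename: S39ufw
        f=${f#S}            # drop the S: 39ufw
        echo "${f%$2}"      # drop the name: 39
        return 0
    done
    return 1
}

# Check 1: the order the init script depends on is mountall.sh < ufw < networking.
rcs_order_ok() {
    dir="${1:-/etc/rcS.d}"
    m=$(rcs_seq "$dir" mountall.sh) || return 1
    u=$(rcs_seq "$dir" ufw)         || return 1
    n=$(rcs_seq "$dir" networking)  || return 1
    [ "$m" -lt "$u" ] && [ "$u" -lt "$n" ]
}

# Check 2: does ufw.conf say ENABLED=yes?  The init script sources the file
# and skips "start" otherwise; 'ufw enable' is what writes this line.  We
# source it the same way, in a subshell, so the result matches the script.
# Returns 0 = yes, 1 = not yes, 2 = file missing or empty.
ufw_enabled() {
    conf="${1:-/etc/ufw/ufw.conf}"
    [ -s "$conf" ] || return 2
    (
        unset ENABLED
        . "$conf" 2>/dev/null
        case "$ENABLED" in
            yes|YES) exit 0 ;;
            *)       exit 1 ;;
        esac
    )
}

# Check 3: the same liveness test the init script's status branch uses.
# The ufw-user-input chain only exists while the firewall is loaded.
# Needs root to talk to iptables.
ufw_loaded() {
    iptables -L ufw-user-input -n >/dev/null 2>&1
}

# Human-readable summary of all three checks against the live system.
report() {
    ufw_enabled && rc=0 || rc=$?
    case $rc in
        0) echo "ufw.conf: ENABLED=yes" ;;
        1) echo "ufw.conf: ENABLED is not yes; the init script will skip 'start' (run 'sudo ufw enable')" ;;
        *) echo "ufw.conf: /etc/ufw/ufw.conf missing or empty" ;;
    esac
    if rcs_order_ok; then
        echo "rcS.d: mountall.sh < ufw < networking (ok)"
    else
        echo "rcS.d: a start link is missing, or ufw is not between mountall.sh and networking"
    fi
    if ufw_loaded; then
        echo "iptables: ufw chains present (firewall loaded)"
    else
        echo "iptables: ufw chains absent (not loaded, or not running as root)"
    fi
}

report
```

Run it as `sudo sh ufw_bootcheck.sh`. If the first two checks pass but the boot console still says the firewall failed to start, one of the iptables calls inside the init script is failing; `sudo sh -ex /etc/init.d/ufw start` (after `sudo /etc/init.d/ufw stop`) prints each command as it runs and stops at the one that returns an error.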

klearview 11-08-2008 10:00 AM

Also, it is because of things like that that I disable the boot splash at start-up: less pretty, but sometimes watching 'crap scroll on the screen' can alert you to a problem you didn't know was there.

khdani 11-08-2008 10:04 AM

I have the same order of scripts as yours.
Disabling the boot splash is a good idea. I'll disable it and restart my PC to check for any messages.

khdani 11-10-2008 04:32 PM

It indeed writes during boot-up that starting of UFW failed.

yaddab 09-26-2010 04:57 AM

Ubuntu firewall doesn't start on boot
 
I had the same problem. I just launched Startup Applications and added a new entry: name: ufw, command: ufw. Restarted, wrote 'ufw status' in a terminal, and it's running.

khdani 09-27-2010 01:41 AM

Though it's an old post, thank you for posting this.

