
#1 2013-09-16 10:01:21

fantab
Member
From: 3rd Rock from the Sun
Registered: 2011-06-07
Posts: 152

[Solved] Problem keeping UFW enabled

I am having a problem keeping UFW enabled with system boot (restart). I have to run:

# ufw enable
# systemctl enable ufw.service

every time I boot my machine.

The "ufw.service" is started at boot according to systemd-analyze blame. However when I check with ufw status it says "inactive".

Also, though I have enabled 'logging', no log is to be found on my system.

Need a little help with these...

Regards...

Last edited by fantab (2013-09-18 01:55:10)


"Evolution is the nature's way of issuing upgrades".
__________________________________________________________
Arch_x64-Gnome-Shell ~ Arch-lts_x64-Xfce ~ LMDE_x64-Cinnamon


#2 2013-09-16 22:38:20

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [Solved] Problem keeping UFW enabled

What does

systemctl status ufw.service

show?

Also, take a look in the journal using journalctl (man journalctl for details and options to help parse the output).


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2013-09-16 23:14:42

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: [Solved] Problem keeping UFW enabled

Not really contributing much here, but I do actively use gufw, with the ufw.service enabled and I am having no problems.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository


#4 2013-09-17 07:10:14

fantab
Member
From: 3rd Rock from the Sun
Registered: 2011-06-07
Posts: 152

Re: [Solved] Problem keeping UFW enabled

Here's the output:

$ systemctl status ufw.service
ufw.service - CLI Netfilter Manager
   Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled)
   Active: active (exited) since Tue 2013-09-17 12:36:05 IST; 1min 25s ago
  Process: 129 ExecStart=/usr/lib/ufw/ufw-init start (code=exited, status=0/SUCCESS)

I will check the journalctl... and report what it has to say.

EDIT: I have checked 'journalctl', and I found:

-- Reboot -- [OLDER]
Mar 19 21:39:17 Echo systemd[1]: Starting CLI Netfilter Manager...
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo ufw-init[138]: WARNING: The state match is obsolete. Use conntrack instead.
Mar 19 21:39:19 Echo systemd[1]: Started CLI Netfilter Manager.


-- Reboot -- [TODAY]
Sep 17 11:55:17 Echo systemd[1]: Starting CLI Netfilter Manager...
Sep 17 11:55:22 Echo systemd[1]: Started CLI Netfilter Manager.

Then I did:

$ systemctl | grep -i exited
ip6tables.service           loaded active exited    IPv6 Packet Filtering Framework
iptables.service            loaded active exited    Packet Filtering Framework
systemd-remount-fs.service  loaded active exited    Remount Root and Kernel File Systems
systemd-sysctl.service      loaded active exited    Apply Kernel Variables
systemd-...es-setup.service loaded active exited    Recreate Volatile Files and Directories
systemd-...-trigger.service loaded active exited    udev Coldplug all Devices
systemd-update-utmp.service loaded active exited    Update UTMP about System Reboot/Shutdown
systemd-...sessions.service loaded active exited    Permit User Sessions
systemd-...le-setup.service loaded active exited    Setup Virtual Console
ufw.service                 loaded active exited    CLI Netfilter Manager

Then I found:

-- Reboot --
Sep 05 19:45:14 Echo systemd[1]: Starting Packet Filtering Framework...
Sep 05 19:45:14 Echo systemd[1]: Started Packet Filtering Framework.
Sep 05 19:45:59 Echo iptables-flush[703]: /usr/sbin/iptables
Sep 05 19:45:59 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 07 05:10:46 Echo systemd[1]: Starting Packet Filtering Framework...
Sep 07 05:10:46 Echo systemd[1]: Started Packet Filtering Framework.
-- Reboot --
Sep 08 16:45:22 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 08 17:16:51 Echo iptables-flush[4255]: /usr/sbin/iptables
Sep 08 17:16:51 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 13 17:54:13 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 14 07:53:42 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 16 14:36:24 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 16 15:02:03 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 16 21:35:07 Echo systemd[1]: Stopped Packet Filtering Framework.
-- Reboot --
Sep 17 12:20:40 Echo systemd[1]: Stopped Packet Filtering Framework.

I hope the pasted outputs will be helpful...

Last edited by fantab (2013-09-17 08:34:00)


"Evolution is the nature's way of issuing upgrades".
__________________________________________________________
Arch_x64-Gnome-Shell ~ Arch-lts_x64-Xfce ~ LMDE_x64-Cinnamon


#5 2013-09-17 21:21:19

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [Solved] Problem keeping UFW enabled

OK. I don't know quite how ufw does things but that doesn't look odd to me. What does

# iptables --list-rules
# ip6tables --list-rules

give? As far as I know ufw is just a frontend to iptables/ip6tables so if it is working properly, this should list the rules you've set.

EDIT: Well obviously the complaint about "state" is odd in the sense that you need to change it to use "conntrack" but apart from that, it doesn't look odd.

Last edited by cfr (2013-09-17 21:22:49)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#6 2013-09-17 21:45:49

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [Solved] Problem keeping UFW enabled

fantab wrote:
$ systemctl | grep -i exited
ip6tables.service           loaded active exited    IPv6 Packet Filtering Framework
iptables.service            loaded active exited    Packet Filtering Framework
..
ufw.service                 loaded active exited    CLI Netfilter Manager

You need to disable iptables in systemd. ufw will take care & be using it. You cannot have both enabled at the same time.


#7 2013-09-18 01:54:42

fantab
Member
From: 3rd Rock from the Sun
Registered: 2011-06-07
Posts: 152

Re: [Solved] Problem keeping UFW enabled

Strike0 wrote:
fantab wrote:
$ systemctl | grep -i exited
ip6tables.service           loaded active exited    IPv6 Packet Filtering Framework
iptables.service            loaded active exited    Packet Filtering Framework
..
ufw.service                 loaded active exited    CLI Netfilter Manager

You need to disable iptables in systemd. ufw will take care & be using it. You cannot have both enabled at the same time.

That was it. I disabled both ip6tables.service and iptables.service and now ufw.service status is 'Active' from boot. I wonder how and when 'iptables' got enabled in systemd.
Thanks a lot Strike0 and cfr.


"Evolution is the nature's way of issuing upgrades".
__________________________________________________________
Arch_x64-Gnome-Shell ~ Arch-lts_x64-Xfce ~ LMDE_x64-Cinnamon
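
Added example (not part of the thread and not written by any of the posters): a small POSIX shell check for the conflict diagnosed above, where iptables.service or ip6tables.service is active alongside ufw.service, so ufw reports "inactive" after boot. The function names are hypothetical; the first sample is the systemctl output quoted in the thread, the second is constructed.

```sh
#!/bin/sh
# Input: unit lines in the "UNIT LOAD ACTIVE SUB DESCRIPTION" layout that
# `systemctl` printed in post #4.

# Lines quoted in the thread (unrelated units omitted).
SAMPLE_BEFORE='ip6tables.service           loaded active exited    IPv6 Packet Filtering Framework
iptables.service            loaded active exited    Packet Filtering Framework
ufw.service                 loaded active exited    CLI Netfilter Manager'

# Constructed sample: the state after both units were disabled (post #7).
SAMPLE_AFTER='systemd-sysctl.service      loaded active exited    Apply Kernel Variables
ufw.service                 loaded active exited    CLI Netfilter Manager'

# Print each iptables/ip6tables unit that is loaded and active, but only
# when ufw.service is loaded and active too. Reads unit lines on stdin.
find_ufw_conflicts() {
    awk '
        $2 == "loaded" && $3 == "active" {
            if ($1 == "ufw.service") ufw = 1
            if ($1 == "iptables.service" || $1 == "ip6tables.service") hits[n++] = $1
        }
        END { if (ufw) for (i = 0; i < n; i++) print hits[i] }
    '
}

# Report in readable form; returns 1 when a conflict exists, so it can gate
# a boot-time or monitoring check.
report_ufw_conflicts() {
    conflicts=$(find_ufw_conflicts)
    if [ -z "$conflicts" ]; then
        echo "ok: no iptables/ip6tables unit active next to ufw.service"
        return 0
    fi
    for unit in $conflicts; do
        echo "conflict: $unit is active together with ufw.service"
        echo "  fix:    systemctl disable $unit"
    done
    return 1
}

# Demo on the embedded samples.
printf '%s\n' "$SAMPLE_BEFORE" | report_ufw_conflicts || true
printf '%s\n' "$SAMPLE_AFTER" | report_ufw_conflicts
```

On a live system, feed it `systemctl list-units --type=service --no-legend --plain` instead of the samples, then confirm with `ufw status` after the next reboot.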
