How do I get ufw to start on boot?
UFW is not starting for me on boot. My /etc/ufw/ufw.conf file looks like this:
# /etc/ufw/ufw.conf
#
# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes
# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low
So it seems it should start ok. However straight after boot I always get this:
$ sudo ufw status
Status: inactive
Using the "service" script to start it does not seem to work:
$ sudo service ufw start
$ sudo ufw status
Status: inactive
If I force a reload it will work just fine:
$ sudo ufw reload
Firewall reloaded
$ sudo ufw status
Status: active
And after that the "service" script works just fine:
$ sudo ufw status
Status: active
$ sudo service ufw stop
$ sudo ufw status
Status: inactive
$ sudo service ufw start
$ sudo ufw status
Status: active
How do I get ufw to start on boot?
Edit:
I am using Ubuntu 18.04 so systemd is being used. systemctl is-enabled reports as follows:
$ sudo ufw status verbose
Status: inactive
$ sudo systemctl is-enabled ufw.service
enabled
I also tried this:
$ sudo systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw
$ sudo ufw status verbose
Status: inactive
And after a reboot it remains inactive. journalctl -p err reports nothing interesting. journalctl -u ufw reports:
$ journalctl -u ufw
...<snip>...
-- Reboot --
May 26 12:53:36 matt-laptop systemd[1]: Started Uncomplicated firewall.
So it certainly appears that it is attempting to start up ufw...it just seems that it doesn't actually do it!
I came up with a solution of sorts. I made this edit to /lib/systemd/system/ufw.service:
$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig 2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 13:46:04.443673265 +0100
@@ -2,7 +2,7 @@
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
-Before=network.target
+After=network.target
[Service]
Type=oneshot
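Review bot: on the changed line, After=network.target drops the unit's only Before= ordering, so interfaces can be configured before the firewall rules are loaded; keep a Before= ordering against a network target rather than swapping it for After=. The edit is also made to the packaged file under /lib/systemd/system, which a package upgrade can replace, so a copy at /etc/systemd/system/ufw.service is the safer place for it.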
So, this causes ufw to start after the network is up instead of before it. This seems to do the trick - ufw is always enabled after I boot. I don't know if this is the best way to do things. I worry that there is a small window of time between the network starting and the firewall starting... but at least it starts which is better than before!
Maybe someone can come up with a better solution. Or maybe this is the correct way to do things - in which case is it a bug that it defaults to starting before the network?
Edit:
An even better solution is:
$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig 2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 14:17:22.030681670 +0100
@@ -2,7 +2,7 @@
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
-Before=network.target
+After=network-pre.target
[Service]
Type=oneshot
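Review bot: the changed line uses After=network-pre.target, which orders ufw after that target, and with Before=network.target removed nothing keeps the unit ahead of interface configuration. For the purpose quoted from the freedesktop page, the ordering would be Before=network-pre.target together with Wants=network-pre.target, because the target is passive and has to be pulled in by the unit that wants to run before it.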
According to this page https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ the network-pre.target has this purpose:
Its primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up.
Which really makes me wonder why it wasn't set to this by default. Setting it to this value seems to solve all my problems.
The fix is simple; we need to tell the operating system to load ufw after the netfilter-persistent.
Run this command:
sudo nano /lib/systemd/system/ufw.service
And add this text:
[Unit]
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
Before=network.target
After=netfilter-persistent.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
ExecStop=/lib/ufw/ufw-init stop
[Install]
WantedBy=multi-user.target
Source: UFW service not loading after a reboot
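Added example, not part of the original posts or of ufw: a shell function that reads a unit file on stdin and reports how its [Unit] section is ordered against the network targets discussed in this thread, so the boot-time window can be checked before rebooting. The verdict names and the sample units are constructed for illustration; the Before=network-pre.target plus Wants=network-pre.target pair is the ordering systemd documents for firewall services.

```sh
#!/bin/sh
# Added example: classify a firewall unit's ordering relative to network
# bring-up. Reads a unit file on stdin; only the [Unit] section is considered.
unit_ordering() {
    awk '
    function has(list, name) { return index(list " ", " " name " ") > 0 }
    /^\[/       { in_unit = ($0 == "[Unit]"); next }
    !in_unit    { next }
    /^Before=/  { before = before " " substr($0, 8) }
    /^After=/   { after  = after  " " substr($0, 7) }
    /^Wants=/   { wants  = wants  " " substr($0, 7) }
    END {
        if (has(after, "network.target") || has(after, "network-online.target"))
            print "after-network"                # rules load once the network is already up
        else if (has(before, "network-pre.target") && has(wants, "network-pre.target"))
            print "before-network-pre"           # ordering documented for firewall services
        else if (has(before, "network-pre.target"))
            print "before-network-pre-unpulled"  # passive target, nothing pulls it in
        else if (has(before, "network.target"))
            print "before-network-target"        # ahead of network.target only
        else
            print "unordered"                    # no Before= against any network target
    }'
}

# Constructed inputs: the three orderings from this thread, then the
# Before=/Wants= pair from the systemd documentation ("|" separates lines).
for ordering in "Before=network.target" "After=network.target" \
                "After=network-pre.target" \
                "Before=network-pre.target|Wants=network-pre.target"; do
    printf '[Unit]\nDefaultDependencies=no\n%s\n[Service]\nType=oneshot\n' \
        "$(printf '%s' "$ordering" | tr '|' '\n')" | {
        printf '%-52s -> %s\n' "$ordering" "$(unit_ordering)"
    }
done
```

To check the installed unit, run: unit_ordering < /lib/systemd/system/ufw.service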