14.04 missing "/etc/init.d/ufw"? my firewall never auto starts

Solution 1

I also do not have /etc/init.d/ufw and ufw was not auto starting on reboot. But I did this

sudo apt-get install iptables-persistent

On rebooting I checked with

sudo ufw status

It showed active. It always used to show inactive in previous reboots, and I used to have to do

sudo ufw enable

I have not installed gufw. I am a beginner desktop user, so I have no idea why it worked or whether it will work for you, but it seemed simpler; maybe it will help somebody.

Solution 2

[Check this first (I will validate it when I have time); properly configuring ufw may be the best thing to do, and this answer here would then just be a fallback.]

Based on this answer and log tip from this answer, I added this:

exec 2> /tmp/rc.local.log      # send stderr from rc.local to a log file
exec 1>&2                      # send stdout to the same log file
#set -x                        # tell sh to display commands before execution

# This won't exit until ufw is active!
while ! ufw enable; do
  # ufw enable reported failure; stop anyway if the firewall is already up
  if ufw status | grep "Status: active"; then
    break
  fi
  echo "Failed to apply ufw rules at $(date)" >&2
  sleep 10
done

to /etc/rc.local before the exit 0 and now it properly loads ufw rules on boot!

But this is a user workaround and not a fix to the system...

I also opted to "change" the rules instead of applying them as default, as this answer suggests, because I am not completely sure my custom rules are trouble free.

IMPORTANT: the "if" code did not work once, so I created the "while" code, which until now has not caused trouble.

Solution 3

For the effort that went into figuring out the solution, the answer is surprisingly simple.

In /etc/init/ufw.conf:

1) Comment out lines 9 - 11
2) Insert after line 11: start on startup

Fixes the whole problem, including logging to /var/log/ufw.log.

Note
If you have iptables-persistent installed, you must disable it. Move iptables-persistent out of /etc/init.d and rename all the symlinks in rc0.d-rcS.d by making the 1st letter (S or K) lower case. (Or move them out.)
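
Added example, not part of the original answer: a post-reboot check for the conflict described in the note above, and for the "ENABLED=yes but inactive" state from the question. The function names and the two files searched for `iptables-restore` (`/etc/rc.local`, `/etc/network/interfaces`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answers). $1 is a filesystem root so
# the checks can run against a copy; pass "" on a live system.

# Is ENABLED=yes set in /etc/ufw/ufw.conf?
ufw_conf_enabled() {
    grep -Eq '^[[:space:]]*ENABLED=yes[[:space:]]*$' "$1/etc/ufw/ufw.conf" 2>/dev/null
}

# Does `ufw status` output (stdin) report an active firewall?
ufw_status_active() {
    grep -q '^Status: active'
}

# List other boot-time rule loaders that can race with ufw: enabled SysV start
# links for iptables-persistent, and uncommented iptables-restore calls in
# rc.local or the interfaces file (assumed locations).
competing_loaders() {
    for link in "$1"/etc/rc[0-9S].d/S[0-9][0-9]iptables-persistent; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "${link#"$1"}"
    done
    for f in "$1/etc/rc.local" "$1/etc/network/interfaces"; do
        [ -f "$f" ] || continue
        grep -Eq '^[^#]*iptables-restore' "$f" && echo "${f#"$1"}"
    done
    return 0
}

# Print one verdict and return 0 (OK), 1 (INACTIVE) or 2 (CONFLICT).
# $1 = root, $2 = text of `ufw status`.
audit_boot_firewall() {
    if ! printf '%s\n' "$2" | ufw_status_active; then
        if ufw_conf_enabled "$1"; then
            echo "INACTIVE: ENABLED=yes but ufw is not running (boot job did not fire)"
        else
            echo "INACTIVE: ufw is not enabled in ufw.conf"
        fi
        return 1
    fi
    loaders=$(competing_loaders "$1")
    if [ -n "$loaders" ]; then
        echo "CONFLICT: ufw active, but these can overwrite its rules:" $loaders
        return 2
    fi
    echo "OK: ufw active and no competing loader found"
}

# Live use, as root shortly after boot:
#   audit_boot_firewall "" "$(ufw status)"
```

A start link renamed to a lower-case first letter, as the note describes, no longer matches and is not reported.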

Solution 4

Maybe your path is wrong. Not /etc/init.d/ufw but /etc/init/ufw.conf

I have files with ufw in the name in the following places

xxx@xxx ~/xxx $ sudo find / -name ufw*
[sudo] password for xxx: 
/lib/ufw
/lib/ufw/ufw-init-functions
/lib/ufw/ufw-init
/etc/bash_completion.d/ufw
/etc/default/ufw
/etc/init/ufw.conf
/etc/logrotate.d/ufw
/etc/ufw
/etc/ufw/ufw.conf
/usr/lib/python3/dist-packages/ufw-0.33_0ubuntu4.egg-info
/usr/lib/python3/dist-packages/ufw
/usr/share/doc/ufw
/usr/share/man/man8/ufw-framework.8.gz
/usr/share/man/man8/ufw.8.gz
/usr/share/locale-langpack/en_CA/LC_MESSAGES/ufw.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/ufw.mo
/usr/share/locale-langpack/en_AU/LC_MESSAGES/ufw.mo
/usr/share/lintian/overrides/ufw
/usr/share/ufw
/usr/share/ufw/ufw.conf
/usr/share/icons/Mint-X/apps/22/ufw-frontends.png
/usr/share/icons/Mint-X/apps/48/ufw-frontends.png
/usr/share/icons/Mint-X/apps/32/ufw-frontends.png
/usr/share/icons/Mint-X/apps/16/ufw-frontends.png
/usr/share/icons/Mint-X/apps/24/ufw-frontends.png
/usr/share/icons/Mint-X/apps/scalable/ufw-frontends.svg
/usr/sbin/ufw
/var/lib/dpkg/info/ufw.md5sums
/var/lib/dpkg/info/ufw.postinst
/var/lib/dpkg/info/ufw.list
/var/lib/dpkg/info/ufw.prerm
/var/lib/dpkg/info/ufw.conffiles
/var/lib/dpkg/info/ufw.templates
/var/lib/dpkg/info/ufw.config
/var/lib/dpkg/info/ufw.preinst
/var/lib/dpkg/info/ufw.postrm
/var/lib/dpkg/info/ufw.triggers
/var/log/ufw.log.4.gz
/var/log/ufw.log.2.gz
/var/log/ufw.log.1
/var/log/ufw.log
/var/log/ufw.log.3.gz

Output from init file

cat /etc/init/ufw.conf
# ufw - Uncomplicated Firewall
#
# The Uncomplicated Firewall is a front-end for iptables, to make managing a
# Netfilter firewall easier.

description "Uncomplicated firewall"

# Make sure we start before an interface receives traffic
start on (starting network-interface
          or starting network-manager
          or starting networking)

stop on runlevel [!023456]

console output

pre-start exec /lib/ufw/ufw-init start quiet
post-stop exec /lib/ufw/ufw-init stop

EDIT 1

xxx@xxx ~ $ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
69                         ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
69                         ALLOW       Anywhere (v6)

Author: Aquarius Power

Updated on September 18, 2022

Comments

  • Aquarius Power
    Aquarius Power over 1 year

    I need to know how to fix the missing "/etc/init.d/ufw" file, is it some package or some command?

    I used the gufw to enable it, but on reboot my firewall was still off...

    I created a symlink /etc/init.d/ufw -> /lib/init/upstart-job but I could not make it work like start ufw (neither after reboot).

    I found this file /lib/ufw/ufw-init, it looks like an init.d file! Can I copy or symlink it there?

    Additional (optional) questions:
    How to find what package has that file? apt-cache search didn't work..
    Can we safely create such a script?
    Any idea why is it missing?

    Obs.:
    My /etc/ufw/ufw.conf has ENABLED=yes (but seems useless).
    iptables -L becomes different after I ufw enable, so ufw rules are not being applied on boot by any other means.

    PS.: this script did NOT work either

    sudo ln -s /lib/ufw/ufw-init /usr/sbin/ufw-init
    sudo ln -s /lib/init/upstart-job /etc/init.d/ufw-init
    #sudo update-rc.d -f ufw-init remove
    sudo update-rc.d ufw-init defaults 99
    sudo -k
    
  • Aquarius Power
    Aquarius Power almost 10 years
    Could you confirm that your firewall is actually starting on boot by issuing ufw status on terminal? Because your system has no entry in init.d either; and just after boot when I type it here I get "Status: inactive"; and as I understand, ufw.conf should only be a configuration file (even if it has commands in it), so that file should be called by some other script to actually work, not by itself. If your firewall is being started, could you check if some other file at /etc/ can be calling ufw in some way?
  • 2707974
    2707974 almost 10 years
    Yes, it works and starts on startup. You have my edit.
  • Aquarius Power
    Aquarius Power almost 10 years
    So, do you have a clue how your ufw is being activated? I think what is missing is a grep for ufw at /etc to see what scripts can be calling it? Because as far as I checked, my system is equal to yours (except ufw version, mine is 0.34) as I compared the outputs with meld :(
  • Aquarius Power
    Aquarius Power over 9 years
    I do not have it installed yet; also sometimes ufw seems to work automatically, but most times it doesn't; I think there are default rules and when we activate ufw, it applies new rules; and this package makes such new rules be the default; I am still not sure if I want to make my new rules be the default so in case I boot without ufw, the vanilla default will be kept; but indeed may be helpful, thx!
  • gone
    gone about 8 years
    Thanks Aquarius, your script does work for me. However there is a significant delay before it invokes ufw. I am able to log in and run ufw status (which shows 'status: inactive') before ufw gets loaded. Perhaps there is a way of getting this done quicker.
  • Aquarius Power
    Aquarius Power about 8 years
    @gone I believe, changing the line sleep 10; to 1s will not cause system overhead in a sense that, you may not login faster than 1s, and still ufw enable each second MAY not cause trouble, but, it will have to be tested...
  • Aquarius Power
    Aquarius Power about 8 years
    Sounds interesting, so basically we have to modify the "start on ..." command. I will validate it as soon as I can, thx!
  • gone
    gone about 8 years
    I think the problem is related to the fact that none of the start on conditions in the conf script are actual UpStart events: upstart-events - Well-known Upstart events summary
  • Aquarius Power
    Aquarius Power about 8 years
    This sounds like a bug or iptables limitation (not implemented functionality). We shouldn't have to remove functionalities to work around something that should work normally :(. My iptables version is v1.4.21, what is yours?
  • gone
    gone about 8 years
    Since UFW and iptables-persistent both manage iptables, I think the problem of having both of them operating is due to race conditions. So sometimes UFW gets in 1st, and then iptables-persistent overwrites with its settings, and other times, the opposite. dpkg -l iptables-persistent says I have version 0.5.7 and my iptables version is 1.4.21-1ubuntu1, and my test system's packages are up-to-date. Since I've disabled iptables-persistent, my UFW is always active as soon as I log in.
  • Aquarius Power
    Aquarius Power about 8 years
    interestingly enough, I do not have iptables-persistent installed :>
  • gone
    gone about 8 years
    Another possible source of race conditions between UFW and other iptables management sources could come from using some of the suggestions offered in Ubuntu IptablesHowTo guide. I had Solution #1 implemented on my system but commented it out. I think this is a good option if there is no need to change firewall settings. I assume you've tried changing the startup condition to start on startup. Is UFW loading reliably since you did this?