Why UFW has to be (re)started at boot time if it's only iptables rule manager?
Solution 1
When system is booted, there is no firewall rules. Kernel is not saving those to anywhere.
If you don't start UFW (or some other firewall manager), your iptables is empty. Also, default rule for each chain (FORWARD, INPUT, OUTPUT) is ACCEPT, so everything is allowed.
So UFW is not just checking, it's actually putting those rules in place, and creating additional chains it uses for rule management.
Solution 2
When you run iptables (the lowlevel tool for manipulating netfilter firewall rules in Linux), the rule is loaded into the kernel only, and therefore are in RAM. When you shutdown or reboot, the kernel is reinitialized since RAM is not persistent memory, and it defaults to ACCEPT for all tables (or no firewall).
Therefore to have a firewall available after booting, you must load iptables rules into the kernel. You can do this manually by adding iptables rules to a script that is run on boot, such as /etc/rc.local, or use a tool to do the for you. ufw is one such tool and when enabled it will take care of loading firewall rules on boot for you, if it is integrated into the boot process like the README says. If ufw is packaged for your distribution, like it is in Ubuntu, then the packaging will take care of that for you. Simply put, after installing ufw via apt-get in Ubuntu, you don't have to do anything more to integrate it into the system other than run 'sudo ufw enable'.
Solution 3
To save ufw status you have to run this command:
sudo invoke-rc.d iptables-persistent save
then you rules will be saved and loaded after reboot.
Related videos on Youtube
Pawel K
Updated on September 17, 2022Comments
-
Pawel K over 1 year
README from source package says:
When installing ufw from source, you will also need to integrate it into your boot process for the firewall to start when you restart your system. Depending on your needs, this can be as simple as adding the following to a startup script (eg rc.local for systems that use it): # /lib/ufw/ufw-init start For systems that use SysV initscripts, an example script is provided in doc/initscript.example. See doc/upstart.example for an Upstart example. Consult your distribution's documentation for the proper way to modify your boot process.
On my system I have this:
# /etc/ufw/ufw.conf # # Set to yes to start on boot. If setting this remotely, be sure to add a rule # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp' ENABLED=yes
So, why does simple iptables rule manager need to be started at boot time? Is there any secret to that, or it merely checks if all rules are in place ?
-
Pawel K about 13 yearsSo.. iptables rules are not persistent? Whoa, I didn't know that :-)
-
Olli about 13 yearsYes, that's correct. They are persistent as in you don't have to run anything to keep those up. But when you power down your computer, all rules disappear. That's why there is UFW and others.
-
Pawel K about 13 yearsMany thanks Olli! Linux is very logical, unless you don't read and ask, then it's magical :-)
-
mathepic about 13 years@tomasz Although it is quite trivial to implement a rule-saver for iptables so you don't have to use some other wrapper. I think theres some command to reload/save somewhere. So it is in a way persistent if you configure correctly. Frankly I think a better system would be to use this and have UFW edit the iptables rules directly rather than UFW handling the load of the rules.
-
Aquarius Power almost 10 yearsat 14.04 would be
sudo invoke-rc.d iptables-save
? -
Aquarius Power almost 10 yearsI added this
if ! ufw enable;then exit 1;fi
to/etc/rc.local
before theexit 0
and now it works thanks! -
gone about 8 yearsOn 14.04, need
apt-get install iptables-persistent
to use theiptables-persistent save
command