UFW inactive at startup

[KonfuseKitty]

I have enabled UFW with default values of Deny for Incoming and Allow for outgoing. However, after every startup, when I run <sudo ufw status> the reply is 'inactive'. This was on original 10.04 that I installed last week. I did a complete update today, and the behaviour is the same. Am I doing something wrong, do I need to issue a command to make the setting stick?

A related question about the system update: the startup screen now presents the updated kernel as a system I can load, as well as the old kernel. Is this normal? I would have expected the update would have replaced the kernel.

[cdenley]

Post this output

Code:

grep ^ENABLED /etc/ufw/ufw.conf
sudo service ufw start
sudo ufw status
cat /etc/init/ufw.conf

Also, kernels are not removed or replaced when you install a newer version. That way, if the newer kernel breaks something, you can boot to the previous one.

[KonfuseKitty]

Thank you, here it is:

Code:

lynx@lynx-desktop:~$ sudo ufw status
[sudo] password for lynx: 
Status: inactive
lynx@lynx-desktop:~$ grep ^ENABLED /etc/ufw/ufw.conf
ENABLED=yes
lynx@lynx-desktop:~$ sudo service ufw start
start: Job is already running: ufw
lynx@lynx-desktop:~$ sudo ufw status
Status: inactive
lynx@lynx-desktop:~$ cat /etc/init/ufw.conf
# ufw - Uncomplicated Firewall
#
# The Uncomplicated Firewall is a front-end for iptables, to make managing a
# Netfilter firewall easier.

description    "Uncomplicated firewall"

# Make sure we start before an interface receives traffic
start on (starting network-interface
          or starting network-manager
          or starting networking)

stop on runlevel [!023456]

console output

pre-start exec /lib/ufw/ufw-init start quiet
post-stop exec /lib/ufw/ufw-init stop
lynx@lynx-desktop:~$

Can you make sense of that?

[Fatman_UK]

Sorry if this is a silly question but have you done a

Code:

$ sudo ufw enable

? I think it sets some internal state... it's tripped me before.

[KonfuseKitty]

Yes, of course, Fatman. I've since reinstalled Ubuntu and the firewall is now active at statup. I'll be reinstalling once more when I'm done researching and testing things, so hopefully all will be well. I think what spooked things up for me was that I downloaded two GUIs for ufw and there may have been a conflict. Now I just use the command line.

[bodhi.zazen]

Yes, of course, Fatman. I've since reinstalled Ubuntu and the firewall is now active at statup. I'll be reinstalling once more when I'm done researching and testing things, so hopefully all will be well. I think what spooked things up for me was that I downloaded two GUIs for ufw and there may have been a conflict. Now I just use the command line.

That is most likely your problem.

The graphical tools configure itpables and if you install both firestarter and ufw the config files conflict and ufw will not start.

The problem is simply removing firestarter does not solve this as remove does not remove the firestarter config files, you need to purge firestarter.

Code:

sudo apt-get purge firestarter

Of course you may nee dto re-install it before you can purge it, lol.

I reported this bug (firestarter vs ufw) more then a year ago.

[KonfuseKitty]

Interesting info, thank you. In general terms is the "purge" parameter what I should use to completely get rid of any software? When I removed Firefox I noticed some files were not removed and deleted them manually. Would purge have done that for me?

[cdenley]

Interesting info, thank you. In general terms is the "purge" parameter what I should use to completely get rid of any software? When I removed Firefox I noticed some files were not removed and deleted them manually. Would purge have done that for me?

The command to purge a package was already given. A purge should remove all configuration files created when a package was installed. Files which may have been created by the application, such as your firefox profile in your home directory (~/.mozilla/firefox), would not be deleted by removing or purging the package. Also, other related packages such as firefox-branding or firefox-gnome-support sometimes get installed as dependencies.

[Vimmander]

I, too, have noticed this issue in both Ubuntu 10.04 and the sister release of Linux Mint 9 Isadora. When I restart after doing the following:

sudo ufw enable
sudo ufw default deny

And I then do:

sudo iptables -L

None of the output I see indicates my "default deny" settings. Upon checking the status of ufw with the appropriate command, it is listed as inactive. And when I activate ufw, the settings from "default deny" magically reappear. This happens in both virtual machines and "real" installs on partitions, which I painstakingly set up and tested. It's quite annoying and very discouraging. When I read that ufw is enabled on startup, I expect to see that hold true when I use the "sudo ufw status" command, and I also expect to see the "default deny" rules in iptables whenever I do "sudo iptables -L". It's a simple matter of control: I want my system to do what I want it to do and what it says it will do, so why does it do neither?

[cdenley]

I, too, have noticed this issue in both Ubuntu 10.04 and the sister release of Linux Mint 9 Isadora. When I restart after doing the following:

sudo ufw enable
sudo ufw default deny

And I then do:

sudo iptables -L

None of the output I see indicates my "default deny" settings. Upon checking the status of ufw with the appropriate command, it is listed as inactive. And when I activate ufw, the settings from "default deny" magically reappear. This happens in both virtual machines and "real" installs on partitions, which I painstakingly set up and tested. It's quite annoying and very discouraging. When I read that ufw is enabled on startup, I expect to see that hold true when I use the "sudo ufw status" command, and I also expect to see the "default deny" rules in iptables whenever I do "sudo iptables -L". It's a simple matter of control: I want my system to do what I want it to do and what it says it will do, so why does it do neither?

Have you ever installed another package which may update iptables? Do your systems have a network connection? I can't seem to reproduce your problem.