
Fix ufw service not loading after a reboot
Uncomplicated FireWall and Docker


I have an Ubuntu 18.04 LTS server running ufw (Uncomplicated Firewall) and Docker. Docker relies on iptables-persistent, an interface to a much more powerful and complicated firewall that many people would rather avoid.

The problem is that ufw and iptables-persistent are both ways of creating the same firewall. On my server, only one service would ever run at startup, negating the other.

After a reboot, ufw is always disabled.

$ sudo ufw status

Status: inactive

Even though the ufw service is enabled, a closer look shows that the active service has exited.

$ sudo systemctl status ufw

● ufw.service - Uncomplicated firewall
    Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
    Active: active (exited)

If I check the server services, both ufw and netfilter-persistent are enabled. netfilter-persistent is a means of managing iptables on Debian and Ubuntu systems.

$ sudo service --status-all

 [ + ]  netfilter-persistent
 [ + ]  ufw

The fix is simple: we need to tell the operating system to load ufw after netfilter-persistent.

Find and back up the ufw service.

$ ls -l /lib/systemd/system/ufw.service

-rw-r--r-- 1 root root  266 Aug 15  2017  ufw.service
$ cd /lib/systemd/system/
$ sudo cp ufw.service ufw.service.original
$ cat /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Update and save the modified service by appending After=netfilter-persistent.service to the [Unit] block.

$ sudo nano /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target
 After=netfilter-persistent.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Reboot and test. Hopefully, ufw status should now always be active!

$ sudo reboot
$ sudo ufw status

Status: active
 To                         Action      From
 --                         ------      ----
 OpenSSH                    ALLOW       Anywhere
 Nginx Full                 ALLOW       Anywhere
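
The same After= ordering can also be applied as a systemd drop-in, so that a package update replacing /lib/systemd/system/ufw.service does not silently drop the line and leave the firewall inactive again. The script below is an added example, not part of the original article; it goes beyond the in-place edit shown above, and SYSTEMD_ETC, the drop-in file name and make_sample_unit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. SYSTEMD_ETC, the drop-in file
# name and make_sample_unit are assumptions made for illustration.
SYSTEMD_ETC="${SYSTEMD_ETC:-/etc/systemd/system}"

# Print every unit named by After= in the [Unit] sections of the given files,
# one per line. systemd only adds to After= across drop-ins, so lists concatenate.
unit_after() {
    awk '
        FNR == 1 { in_unit = 0 }
        /^[ \t]*\[/ { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        in_unit && /^[ \t]*After[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            k = split($0, parts)
            for (i = 1; i <= k; i++) print parts[i]
        }' "$@"
}

# Succeed if the unit file in $2, plus drop-ins under SYSTEMD_ETC, orders
# ufw.service after the unit named in $1. Only the /etc drop-in directory is
# read here; systemd itself also looks in /run and /lib.
ufw_ordered_after() {
    want="$1"
    set -- "$2"
    for f in "$SYSTEMD_ETC"/ufw.service.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    unit_after "$@" | grep -Fxq "$want"
}

# Add the ordering as a drop-in, leaving the packaged unit file untouched.
write_ufw_dropin() {
    mkdir -p "$SYSTEMD_ETC/ufw.service.d" &&
    printf '[Unit]\nAfter=netfilter-persistent.service\n' \
        > "$SYSTEMD_ETC/ufw.service.d/10-after-netfilter-persistent.conf"
}

# Constructed sample: the [Unit] and [Service] lines of the unmodified unit.
make_sample_unit() {
    printf '%s\n' '[Unit]' 'Description=Uncomplicated firewall' \
        'DefaultDependencies=no' 'Before=network.target' '' \
        '[Service]' 'Type=oneshot' 'RemainAfterExit=yes' > "$1"
}

# On a real host (as root): write_ufw_dropin, then systemctl daemon-reload,
# then confirm with: systemctl show -p After ufw.service
```

Running ufw_ordered_after against the real unit file after every ufw package upgrade gives an early warning that the ordering has been lost, before the next reboot leaves the host without its ufw rules.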

Written by Ben Garrett
