Gentoo Forums
"ERROR: problem running ufw-init" from UFW with 3.5.4 kernel
Networking & Security
Fitzcarraldo
Advocate

Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom

Posted: Mon Sep 24, 2012 8:32 pm    Post subject: "ERROR: problem running ufw-init" from UFW with 3.5.4 kernel

Code:
# uname -a
Linux meshedgedx 3.5.4-gentoo #1 SMP Sat Sep 22 07:25:14 BST 2012 x86_64 Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz GenuineIntel GNU/Linux

Up until today I was using kernel linux-3.3.5-gentoo (~amd64), and ufw worked perfectly. I could enable and disable ufw from the command line and there were no error messages.

But today I installed kernel linux-3.5.4-gentoo, and now ufw displays an error message at boot and also if I enable it from the command line (I don't lose connectivity, though):

Code:
# ufw enable
ERROR: problem running ufw-init

Some experiments with ufw are shown below:

Code:
# ufw disable
Firewall stopped and disabled on system startup
# /etc/init.d/ufw restart
 * WARNING: you are stopping a boot service
 * Stopping ufw ...                                                  [ ok ]
 * Starting ufw ...
 * Not starting firewall (not enabled), use "ufw enable" first.     [ !! ]
 * ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw restart
 * Starting ufw ...                                                  [ ok ]
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp

80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere

# ufw disable
Firewall stopped and disabled on system startup
# ufw status
Status: inactive
# ufw enable
ERROR: problem running ufw-init
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp

80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere
# ufw disable
Firewall stopped and disabled on system startup
# ufw enable
ERROR: problem running ufw-init
# ufw enable
ERROR: Could not load logging rules
# ufw enable
ERROR: Could not load logging rules


It looks to me like ufw is not working at all:

Code:
# /etc/init.d/ufw stop
 * WARNING: you are stopping a boot service
 * Stopping ufw ...                                                  [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
# /etc/init.d/ufw start
 * Starting ufw ...
 * Not starting firewall (not enabled), use "ufw enable" first.     [ !! ]
 * ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw start
 * Starting ufw ...                                                  [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
Sep 24 21:25:22 meshedgedx /etc/init.d/ufw[14740]: ERROR: ufw failed to start
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp

80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere

Here are the contents of my /etc/default/ufw config file, which worked fine with the 3.3.5 kernel:

Code:
# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take effect.
IPV6=yes

# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW outbound packets on the OUTPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

And here are the relevant modules that are loaded:

Code:
$ lsmod | grep nf_
nf_conntrack_ipv6       5592  6
nf_defrag_ipv6          5429  1 nf_conntrack_ipv6
ipv6                  256565  106 nf_defrag_ipv6,nf_conntrack_ipv6
nf_conntrack_netbios_ns      989  0
nf_conntrack_broadcast     1085  1 nf_conntrack_netbios_ns
nf_nat_ftp              1436  0
nf_nat                 12704  1 nf_nat_ftp
nf_conntrack_ipv4      10352  8 nf_nat
nf_defrag_ipv4          1235  1 nf_conntrack_ipv4
nf_conntrack_ftp        5237  1 nf_nat_ftp
nf_conntrack           53079  8 nf_nat_ftp,nf_conntrack_netbios_ns,nf_nat,xt_state,nf_conntrack_broadcast,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6

I've tried making IPV6=no, and I've tried making IPT_MODULES="", neither of which got rid of the error message.

Does anyone have any ideas on how to get ufw working correctly with the 3.5.4 kernel?
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog

Fitzcarraldo

Posted: Tue Oct 23, 2012 2:29 pm

It's a bug in UFW as a result of a change in IPTables: UFW Bug #1065297: use conntrack instead of state.
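The second post points at ufw bug #1065297, which switched ufw's rule files from the deprecated iptables `state` match (`-m state --state ...`) to the `conntrack` match (`-m conntrack --ctstate ...`). As an added example, not code from the poster or from ufw itself, the POSIX shell snippet below performs that rewrite on a constructed sample of rule lines shaped like the stateful rules in ufw's before.rules, counts how many old-style rules remain, and reports whether the running kernel has the `state` and `conntrack` matches registered. The kernel check reads /proc/net/ip_tables_matches, which is only populated once ip_tables is loaded; when the file is unreadable the function answers "unknown" rather than guessing. The sample rule lines are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread; not the poster's code and not part of ufw.
# Migrates iptables rules from the deprecated "state" match to the
# "conntrack" match, the change ufw bug #1065297 made to ufw's rule files,
# and reports which matches the running kernel has registered.

# Constructed sample, shaped like the stateful rules in ufw's before.rules.
SAMPLE_RULES='-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP'

# Rewrite rules on stdin:  -m state [!] --state X  ->  -m conntrack [!] --ctstate X
# Lines without a state match pass through untouched.
state_to_conntrack() {
    sed -e 's/-m state \(! \)\{0,1\}--state /-m conntrack \1--ctstate /g'
}

# Count rules on stdin that still use the old match (0 once migration is done).
# grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps set -e quiet.
count_state_rules() {
    grep -c -- '-m state ' || true
}

# Print yes/no if the kernel has registered the named match, or "unknown" when
# /proc/net/ip_tables_matches is unreadable (ip_tables not loaded, or no access).
kernel_has_match() {
    if [ -r /proc/net/ip_tables_matches ]; then
        if grep -qx -- "$1" /proc/net/ip_tables_matches; then
            echo yes
        else
            echo no
        fi
    else
        echo unknown
    fi
}

# Stand-alone run: show the migrated rules and the kernel's match support.
echo "rules using -m state before migration: $(printf '%s\n' "$SAMPLE_RULES" | count_state_rules)"
printf '%s\n' "$SAMPLE_RULES" | state_to_conntrack
echo "kernel registers 'state' match:     $(kernel_has_match state)"
echo "kernel registers 'conntrack' match: $(kernel_has_match conntrack)"
```

To apply this to a real installation, feed /etc/ufw/before.rules, before6.rules, after.rules and after6.rules through `state_to_conntrack` into new files, diff them against the originals, and only then swap them in and run `ufw disable` followed by `ufw enable`. Note from the transcript above that `ufw status` reported "active" right after ufw-init had failed, so after any change compare the live ruleset (`iptables -S` and `ip6tables -S`) with what ufw claims, rather than trusting the status line alone.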