Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Mon Sep 24, 2012 8:32 pm Post subject: "ERROR: problem running ufw-init" from UFW with 3. |
Code: | # uname -a
Linux meshedgedx 3.5.4-gentoo #1 SMP Sat Sep 22 07:25:14 BST 2012 x86_64 Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz GenuineIntel GNU/Linux |
Up until today I was using kernel linux-3.3.5-gentoo (~amd64), and ufw worked perfectly. I could enable and disable ufw from the command line and there were no error messages.
But today I installed kernel linux-3.5.4-gentoo, and now ufw displays an error message at boot and also if I enable it from the command line (I don't lose connectivity, though):
Code: | # ufw enable
ERROR: problem running ufw-init |
Some experiments with ufw are shown below:
Code: | # ufw disable
Firewall stopped and disabled on system startup
# /etc/init.d/ufw restart
* WARNING: you are stopping a boot service
* Stopping ufw ... [ ok ]
* Starting ufw ...
* Not starting firewall (not enabled), use "ufw enable" first. [ !! ]
* ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw restart
* Starting ufw ... [ ok ]
# ufw status
Status: active
To Action From
-- ------ ----
CIFS ALLOW 192.168.1.0/24
Anywhere ALLOW 5212/udp
80/tcp ALLOW OUT Anywhere
5210/tcp ALLOW OUT Anywhere
5211/udp ALLOW OUT Anywhere
# ufw disable
Firewall stopped and disabled on system startup
# ufw status
Status: inactive
# ufw enable
ERROR: problem running ufw-init
# ufw status
Status: active
To Action From
-- ------ ----
CIFS ALLOW 192.168.1.0/24
Anywhere ALLOW 5212/udp
80/tcp ALLOW OUT Anywhere
5210/tcp ALLOW OUT Anywhere
5211/udp ALLOW OUT Anywhere
# ufw disable
Firewall stopped and disabled on system startup
# ufw enable
ERROR: problem running ufw-init
# ufw enable
ERROR: Could not load logging rules
# ufw enable
ERROR: Could not load logging rules |
It looks to me like ufw is not working at all:
Code: | # /etc/init.d/ufw stop
* WARNING: you are stopping a boot service
* Stopping ufw ... [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
# /etc/init.d/ufw start
* Starting ufw ...
* Not starting firewall (not enabled), use "ufw enable" first. [ !! ]
* ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw start
* Starting ufw ... [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
Sep 24 21:25:22 meshedgedx /etc/init.d/ufw[14740]: ERROR: ufw failed to start
# ufw status
Status: active
To Action From
-- ------ ----
CIFS ALLOW 192.168.1.0/24
Anywhere ALLOW 5212/udp
80/tcp ALLOW OUT Anywhere
5210/tcp ALLOW OUT Anywhere
5211/udp ALLOW OUT Anywhere |
Here are the contents of my /etc/default/ufw config file, which worked fine with the 3.3.5 kernel:
Code: | # /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take effect.
IPV6=yes
# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"
# Set the default output policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW outbound packets on the OUTPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf
# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" |
And here are the relevant modules that are loaded:
Code: | $ lsmod | grep nf_
nf_conntrack_ipv6 5592 6
nf_defrag_ipv6 5429 1 nf_conntrack_ipv6
ipv6 256565 106 nf_defrag_ipv6,nf_conntrack_ipv6
nf_conntrack_netbios_ns 989 0
nf_conntrack_broadcast 1085 1 nf_conntrack_netbios_ns
nf_nat_ftp 1436 0
nf_nat 12704 1 nf_nat_ftp
nf_conntrack_ipv4 10352 8 nf_nat
nf_defrag_ipv4 1235 1 nf_conntrack_ipv4
nf_conntrack_ftp 5237 1 nf_nat_ftp
nf_conntrack 53079 8 nf_nat_ftp,nf_conntrack_netbios_ns,nf_nat,xt_state,nf_conntrack_broadcast,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6 |
I've tried making IPV6=no, and I've tried making IPT_MODULES="", neither of which got rid of the error message.
Does anyone have any ideas how to get ufw working correctly with the 3.5.4 kernel?
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog
Fitzcarraldo Advocate
Posted: Tue Oct 23, 2012 2:29 pm Post subject: |
It's a bug in UFW as a result of a change in IPTables: UFW Bug #1065297: use conntrack instead of state.
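Added example, not from the thread or from the ufw project: the bug report named above says ufw's rules were using the iptables `state` match where newer iptables wants `conntrack`. The hypothetical script below audits rule text in iptables-restore format (the format of ufw's `before.rules` and the other files in `/etc/ufw`) and rewrites `-m state --state LIST` to the equivalent `-m conntrack --ctstate LIST`, which accepts the same state names (`INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED`), including the negated `! --state` form, while leaving comments and already-converted rules untouched and refusing to rewrite a rule whose state list it does not recognise. The sample rules are constructed for the example and modelled on the shape of ufw's files, not copied from any release; the function and constant names are assumptions of this example.

```python
"""Rewrite deprecated iptables '-m state --state' matches to '-m conntrack --ctstate'.

Hypothetical helper (not part of ufw) for auditing rule files such as
/etc/ufw/before.rules after the conntrack-vs-state change.
"""
import re
from typing import Tuple

# States produced by the 'state' match; '--ctstate' accepts all of them (it
# additionally knows SNAT/DNAT), so a rewritten rule is always valid for conntrack.
VALID_STATES = {"INVALID", "ESTABLISHED", "NEW", "RELATED", "UNTRACKED"}

# '-m state', an optional '!' negation, then '--state LIST' (comma-separated).
STATE_MATCH = re.compile(
    r"-m\s+state\s+(?P<neg>!\s+)?--state\s+(?P<states>[A-Za-z,]+)"
)


def rewrite_rule(line: str) -> Tuple[str, bool]:
    """Return (rewritten_line, changed). Blank lines and comments pass through."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return line, False

    def repl(m) -> str:
        states = m.group("states").upper().split(",")
        unknown = set(states) - VALID_STATES
        if unknown:
            # Refuse rather than emit a rule iptables-restore would reject.
            raise ValueError(
                f"unknown conntrack state(s) {sorted(unknown)} in: {line.strip()}"
            )
        neg = "! " if m.group("neg") else ""
        return f"-m conntrack {neg}--ctstate {','.join(states)}"

    new_line, n = STATE_MATCH.subn(repl, line)
    return new_line, n > 0


def rewrite_rules(text: str) -> Tuple[str, int]:
    """Rewrite a whole rules file; returns (new_text, number_of_lines_changed)."""
    out = []
    changed = 0
    for line in text.splitlines():
        new_line, did_change = rewrite_rule(line)
        changed += int(did_change)
        out.append(new_line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


# Constructed sample in the shape of ufw's before.rules (not a copy of it).
SAMPLE_RULES = """\
# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
# already converted, must be left alone
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# negated form
-A ufw-before-input -p tcp -m state ! --state NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    new_text, count = rewrite_rules(SAMPLE_RULES)
    print(new_text, end="")
    print(f"# {count} rule(s) rewritten")
```

Run it against a copy of a rules file and diff the output before putting it in place; the fix itself belongs in ufw, so this is only for auditing local rules. After `ufw disable` and `ufw enable`, check the loaded ruleset with `iptables -S` rather than trusting `ufw status`, which in the transcript above reported `Status: active` right after `ufw enable` had failed.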