Ubuntu – How to get ufw to start on boot

firewall, systemd, ufw

UFW is not starting for me on boot. My /etc/ufw/ufw.conf file looks like this:

# /etc/ufw/ufw.conf
#

# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes

# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low

So it seems it should start ok. However straight after boot I always get this:

$ sudo ufw status
Status: inactive

Using the "service" script to start it does not seem to work:

$ sudo service ufw start
$ sudo ufw status
Status: inactive

If I force a reload it will work just fine:

$ sudo ufw reload
Firewall reloaded
$ sudo ufw status
Status: active

And after that the "service" script works just fine:

$ sudo ufw status
Status: active
$ sudo service ufw stop
$ sudo ufw status
Status: inactive
$ sudo service ufw start
$ sudo ufw status
Status: active

How do I get ufw to start on boot?

Edit:

I am using Ubuntu 18.04 so systemd is being used. systemctl is-enabled reports as follows:

$ sudo ufw status verbose
Status: inactive
$ sudo systemctl is-enabled ufw.service
enabled

I also tried this:

$ sudo systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw
$ sudo ufw status verbose
Status: inactive

And after a reboot it remains inactive. journalctl -p err reports nothing interesting. journalctl -u ufw reports:

$ journalctl -u ufw
...<snip>...
-- Reboot --
May 26 12:53:36 matt-laptop systemd[1]: Started Uncomplicated firewall.

So it certainly appears that it is attempting to start up ufw…it just seems that it doesn't actually do it!

Best Answer

I came up with a solution of sorts. I made this edit to /lib/systemd/system/ufw.service:

$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig    2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 13:46:04.443673265 +0100
@@ -2,7 +2,7 @@
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
-Before=network.target
+After=network.target
 
 [Service]
 Type=oneshot
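
Review bot: `+After=network.target` makes ufw load its rules only after the network has been brought up, so on every boot there is a period with interfaces up and no firewall rules; the ordering should keep ufw ahead of network configuration rather than behind it. The change is also made in the packaged file /lib/systemd/system/ufw.service, which a package upgrade will replace; put the modified unit in /etc/systemd/system/ufw.service instead.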

So, this causes ufw to start after the network is up instead of before it. This seems to do the trick - ufw is always enabled after I boot. I don't know if this is the best way to do things. I worry that there is a small window of time between the network starting and the firewall starting... but at least it starts which is better than before!

Maybe someone can come up with a better solution. Or maybe this is the correct way to do things - in which case is it a bug that it defaults to starting before the network?

Edit:

An even better solution is:

$ diff -u ufw.service.orig ufw.service
--- ufw.service.orig    2018-05-26 13:45:48.696356561 +0100
+++ ufw.service 2018-05-26 14:17:22.030681670 +0100
@@ -2,7 +2,7 @@
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
-Before=network.target
+After=network-pre.target
 
 [Service]
 Type=oneshot
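
Review bot: `+After=network-pre.target` orders ufw after that target, but network-pre.target marks the point before any interface is configured, so this line does not make the rules load ahead of the network; it only removes the ordering against network.target. To get what the target is for, use Before=network-pre.target and add Wants=network-pre.target, because the target is passive and nothing in the visible lines pulls it into the boot.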

According to this page

https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

the network-pre.target has this purpose:

Its primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up.

Which really makes me wonder why it wasn't set to this by default. Setting it to this value seems to solve all my problems.
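
An added example (not part of the original answer or of the ufw package): a shell check that reads unit text, for instance from `systemctl cat ufw.service`, and reports how the firewall unit is ordered relative to network.target and network-pre.target. The function names and verdict strings are made up for this example, and the sample unit is constructed from the [Unit] lines in the diffs above.

```shell
#!/bin/sh
# Classify how a firewall unit is ordered relative to the network targets.
# Reads unit text on stdin (e.g. `systemctl cat ufw.service`), prints a verdict.
# fw_unit_ordering, sample_unit and the verdict strings are hypothetical names.
fw_unit_ordering() {
    awk '
        # Only the [Unit] section carries Before=/After=/Wants=.
        /^[ \t]*\[/ { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        !in_unit || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            # Values are space-separated lists and may repeat across lines.
            n = split(val, t, /[ \t]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") seen[key, t[i]] = 1
        }
        END {
            if (("Before", "network-pre.target") in seen) {
                # Passive target: something has to pull it in with Wants=.
                if (("Wants", "network-pre.target") in seen) print "before-network-pre"
                else print "before-network-pre-not-pulled-in"
            }
            else if (("After", "network.target") in seen) print "after-network"
            else if (("After", "network-pre.target") in seen) print "after-network-pre"
            else if (("Before", "network.target") in seen) print "before-network"
            else print "unordered"
        }'
}

# Constructed sample: the [Unit] lines from the diffs above, with the
# ordering line(s) passed in by the caller.
sample_unit() {
    printf '%s\n' '[Unit]' 'Description=Uncomplicated firewall' \
        'Documentation=man:ufw(8)' 'DefaultDependencies=no' "$@" \
        '' '[Service]' 'Type=oneshot'
}

for o in 'Before=network.target' 'After=network.target' 'After=network-pre.target'; do
    printf '%-26s -> %s\n' "$o" "$(sample_unit "$o" | fw_unit_ordering)"
done
```

Only the `before-network-pre` verdict corresponds to rules being loaded before any interface is configured; after changing the unit, `sudo ufw status` following a reboot is still the check that the firewall actually came up.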