README from source package says:
When installing ufw from source, you will also need to integrate it into your
boot process for the firewall to start when you restart your system. Depending
on your needs, this can be as simple as adding the following to a startup
script (eg rc.local for systems that use it):
# /lib/ufw/ufw-init start
For systems that use SysV initscripts, an example script is provided in
doc/initscript.example. See doc/upstart.example for an Upstart example. Consult
your distribution's documentation for the proper way to modify your boot
process.
On my system I have this:
# /etc/ufw/ufw.conf
#
# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes
So, why does simple iptables rule manager need to be started at boot time? Is there any secret to that, or it merely checks if all rules are in place ?
Best Answer
When system is booted, there is no firewall rules. Kernel is not saving those to anywhere.
If you don't start UFW (or some other firewall manager), your iptables is empty. Also, default rule for each chain (FORWARD, INPUT, OUTPUT) is ACCEPT, so everything is allowed.
So UFW is not just checking, it's actually putting those rules in place, and creating additional chains it uses for rule management.