UFW with Kernel 4.9.40 doesn't work

I’m trying to run UFW firewall on Ubuntu Bionic built with Fenix script. Kernel version is 4.9.40 and apparently it lacks conntrack module:

khadas@gytis-vim1:~$ lsmod
Module                  Size  Used by
aufs                  262144  0
zram                   32768  4
gxbb_wdt               16384  0
dhd                   987136  0
mali                  274432  0

I have a feeling because it lacks nf_conntrack I have problems enabling UFW:

khadas@gytis-vim1:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 33 failed
ip6tables-restore: line 142 failed

Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'

And

khadas@gytis-vim1:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: Could not load logging rules

Any ideas? :neutral_face:

Hello Gytis,

I tried it and the same result as yours. But when I check the status of UFW, it seems actived.

root@Khadas:~# ufw enable      
ERROR: Could not load logging rules
root@Khadas:~# 
root@Khadas:~# 
root@Khadas:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22/tcp                     DENY        Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
22/tcp (v6)                DENY        Anywhere (v6)             

Does ufw persist enabled when you reboot device as well?

Hi @Gytis , I try it with VIM1. If you enable UFW failure. you maybe need to do something to setup it.
This is my step . I hope it can help you.

Frist I install ufw in my VIM1. Then I run command ufw status & ufw enable.

root@Khadas:~# ufw enable
ERROR: problem running ufw-init
iptables-restore: line 11 failed
ip6tables-restore: line 138 failed

Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'

root@Khadas:~# ufw status
Status: active

It look nothing that you should setup it.

  • setup with default
root@Khadas:~# ufw disable

Firewall stopped and disabled on system startup

root@Khadas:~# ufw default deny incoming

Default incoming policy changed to 'deny'

(be sure to update your rules accordingly)

root@Khadas:~# ufw default allow outgoing

Default outgoing policy changed to 'allow'

(be sure to update your rules accordingly)

root@Khadas:~# ufw default deny outgoing

Default outgoing policy changed to 'deny'

(be sure to update your rules accordingly)

  • allow Connections
root@Khadas:~# ufw allow ssh
Skipping adding existing rule
Skipping adding existing rule (v6)
root@Khadas:~# ufw allow 22
Skipping adding existing rule
Skipping adding existing rule (v6)
root@Khadas:~# ufw allow 22/tcp
Skipping adding existing rule
Skipping adding existing rule (v6)
root@Khadas:~# ufw status
Status: inactive
root@Khadas:~# ufw enable
ERROR: problem running ufw-init
iptables-restore: line 35 failed
ip6tables-restore: line 138 failed
ip6tables-restore: line 35 failed

Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'

root@Khadas:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             

root@Khadas:~#

you can see the error still exists,but it just about user config. If you want to solve it ,you can modify the rules file.

  • Then I reboot it.
root@Khadas:~# ufw status
Status: inactive
root@Khadas:~# ufw enable
ERROR: problem running ufw-init
iptables-restore: line 35 failed
ip6tables-restore: line 138 failed
ip6tables-restore: line 35 failed

Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'

root@Khadas:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             

You can see that it can run after reboot.

@Gytis , If you need to do more setting such like ipaddr , you can find all in there .

Problem is that after reboot ufw does not persist as enabled.

Anyway I’ve found the problem - Kernel doesn’t support logging - see ufw’s bug tracker:

Expecting Kahda’s Kernel 4.9 might have the same problem I have disabled logging:

sudo ufw logging off

And also because I have disabled IPv6, I needed to disable IPv6 in ufw config too:

sudo nano /etc/default/ufw

And set:

IPV6=no

Now enabling ufw gives no error:

khadas@gytis-vim1:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

And persists after reboot:

khadas@gytis-vim1:~$ sudo ufw status
[sudo] password for khadas: 
Status: active

Downside is having no ufw logs. If anyone who has experience with Kernel modules could check what’s missing, would be great :slightly_smiling_face:

The same applies to VIM3.

1 Like