How to start UFW before any other applications

Asked by Bill

Is there a way to prioritize the startup of UFW to load as early as possible during boot-up? I'd like to make sure that no applications have a chance to send and receive information before UFW loads.

Thanks.

Bill

Question information

Language: English
Status: Solved
For: Ubuntu ufw
Assignee: No assignee
Solved by: N1ck 7h0m4d4k15
actionparsnip (andrew-woodhead666) said :
#1

Add it to an earlier run level at startup.

Bill (billvh375) said :
#2

I am loading it in rc.local like this:

    /lib/ufw/ufw-init start

But I am not familiar with how to add ufw to "an earlier run level". Are you suggesting I start my system in a lower run level as a single user system, and launch ufw while the system is single user? And then dynamically change the run level by "init 5" in rc.local?

Even if I'm starting in single user mode, where can I go to see the sequence of applications being loaded, so I can make sure ufw is before everything else (except what it needs to run)?

Thanks in advance for any help which can be provided.

Bill

N1ck 7h0m4d4k15 (nicktux) said :
#3

Hello,

you don't need to add UFW at rc.local. Please remove any entry related to UFW from this file.

The only thing you need to do is to run the following command

    sudo ufw enable

and it will enable UFW at startup, and I'm pretty sure at an earlier stage than rc.local.

Regards
NickTh

Friendly Reminder: Mark the question as [SOLVED], when done.

Bill (billvh375) said :
#4

"sudo ufw enable" was my starting point that led me to here. By itself, every reboot, the firewall is disabled, even though running "sudo ufw enable" says "Firewall is active and enabled on system startup". I have read many people commenting who are in the same situation. Most either use "iptables-persistent" or put a start-up command in rc.local, like I did. Both work, but neither lets me know what applications are loading before the firewall.

For the record, I removed my firewall start command from rc.local, and ran "sudo ufw enable" (again), to be able to tell you that I followed your suggestion exactly. But it had the same result. On reboot, the firewall was down.

The main point here is not auto-starting my firewall, because I have two solutions that work to do this. The main point is how can I find out where in the boot process the firewall is loading relative to other programs which are loading. Is there a central location, like somewhere in /etc that lists all startup programs, and the order in which they're loading? I'm ready to dive into my Linux internals to have a deeper understanding of this, so I can feel confident about the security of my system.

Thanks.

Best N1ck 7h0m4d4k15 (nicktux) said :
#5

Hello,

the command 'sudo ufw enable' should work. If it does not, then something is badly configured in your system or a dependency is missing.

It's not so easy to re-order the startup execution because lots of programs have as dependencies other programs.

Have a look in

    gedit /etc/init.d/ufw

also in

    gedit /etc/rcS.d/S02ufw

and

    gedit /etc/rcS.d/README

See the result of

    ls -l /etc/rcS.d/S02ufw

it should be a symlink to /etc/init.d/ufw

If you want to re-order the execution of UFW you need to change the number from S02 to something earlier, i.e. S01, but I think it won't work.

UFW depends on network-manager and other programs in order to start.
Network-Manager depends on 'dbus' and other programs in order to start.

It's something like a chain you should not break.

Have a read in following link:
https://help.ubuntu.com/community/UpstartHowto

BE AWARE all above apply in Ubuntu 14.04 LTS.

From Ubuntu 15.04 and later 'systemd' has replaced 'System V init/Upstart' and several things are different now.

Regards
NickTh

Friendly Reminder: Mark the question as [SOLVED], when done.
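
One way to answer the "what starts before the firewall" question for the rcS.d start links described in the answer above. This is an added example, not part of the original thread or of UFW. It assumes the S<NN><name> links are started in sorted name order; the service names in the sample tree are constructed, and Upstart jobs under /etc/init are not covered by this numbering.

```shell
#!/bin/sh
# Added example: show what the SysV rc sequence starts before a service.
# Links named S<NN><name> in an rc directory are started in sorted name order.

# Print the start links in directory $1 that sort before service $2.
# Exit status 1 (and no output) if $2 has no start link there.
starts_before() (
    dir=$1 svc=$2 before=
    LC_ALL=C; export LC_ALL        # byte-order glob sorting
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        # Drop "S" and the two-digit sequence number to get the service name.
        if [ "${name#S[0-9][0-9]}" = "$svc" ]; then
            printf '%s' "$before"
            exit 0
        fi
        before="$before$name
"
    done
    exit 1
)

# Succeed only if $1 is a symlink that resolves to the init script $2.
link_ok() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Constructed sample tree (not a real system) shaped like /etc/init.d + /etc/rcS.d.
make_sample() (
    root=$(mktemp -d) || exit 1
    mkdir "$root/init.d" "$root/rcS.d"
    for s in 01hostname.sh 02ufw 03urandom 05networking; do
        : > "$root/init.d/${s#??}"
        ln -s "../init.d/${s#??}" "$root/rcS.d/S$s"
    done
    printf '%s\n' "$root"
)

# Demo on the sample; on a real system use: starts_before /etc/rcS.d ufw
demo=$(make_sample)
echo "Started before ufw:"
starts_before "$demo/rcS.d" ufw
link_ok "$demo/rcS.d/S02ufw" "$demo/init.d/ufw" && echo "S02ufw -> init.d/ufw"
rm -rf "$demo"
```

A non-zero exit status from `starts_before` means the service has no start link in that directory, which is itself worth investigating when the firewall is down after reboot.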

Bill (billvh375) said :
#6

When the most recent suggestion did not solve my problem, and sudo ufw enable did not automatically restart the firewall every boot, I reinstalled my operating system. Now "sudo ufw enable" works, and the firewall is on at startup. I would still like to know how to get it to load before any other application has an opportunity to communicate before the ports are closed by the IPTABLES rules, but I will save that for another day. I am marking this solved, with many thanks to NickTh for sticking with me until the end.

Bill (billvh375) said :
#7

Thanks NickTh , that solved my question.