
I have UFW running on my server. When I restart it:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
1194/udp                   ALLOW       Anywhere                  
5550                       ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
8000                       ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
1194/udp (v6)              ALLOW       Anywhere (v6)             
5550 (v6)                  ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
8000 (v6)                  ALLOW       Anywhere (v6)

When I try to use it, however, my ports 8000 and 1194 are being blocked.

When I run:

$ sudo ufw disable
$ sudo ufw enable

Then the ports are open. When I run status after that, it is exactly the same as pasted above.

Diesel

4 Answers


Thanks to the reminder from @Nicholas. The problem is indeed caused by iptables-persistent. However, simply removing iptables-persistent is not a good solution, as there may be other rules applied through iptables. Thus, if iptables-persistent is installed, a better way may be to persist the ufw rules using iptables-persistent, i.e.:

sudo ufw reload
sudo netfilter-persistent save
Kattern

The real solution is to uninstall iptables-persistent and its dependency: sudo apt remove iptables-persistent and sudo apt autoremove.

As per: https://github.com/pivpn/pivpn/issues/414

Nicholas

I'm having the same issue: my HTTP and HTTPS ports are blocked by ufw after a reboot. After I disable and enable UFW, all ports from my UFW firewall rules work. The same happens with the sudo ufw reload command.

So I created a workaround on my machine: a systemd service in /etc/systemd/system/firewall.service which starts a simple script.

[Unit]
Description=Firewall restart blocking solution.

[Service]
# The script runs once and exits, so oneshot is the matching service type.
Type=oneshot
ExecStart=/var/scripts/firewall.sh

[Install]
WantedBy=multi-user.target

My script is simple:

#!/bin/bash
# The unit runs this as root, so sudo is not needed here.
set -e
ufw reload

Lastly, I set up the service to start on boot:

sudo systemctl enable firewall.service

Then all my ports work fine after a reboot. It's maybe a workaround for this issue.

Nepitwin
  • I'm seeing the same issue with ufw after a restart of my server. I implemented the service suggested above and that works for me, but I would like to know why ufw is behaving like it does as that doesn't seem to be how ufw is supposed to work. – turnip_cyberveggie May 03 '18 at 12:14
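An ordered version of the unit above, added here as an example (it is not Nepitwin's unit and is not shipped by ufw or iptables-persistent): if the reload runs before netfilter-persistent.service has restored its saved snapshot, the restore still wins and the ports stay blocked. The After= line makes the reload wait for both ufw.service and netfilter-persistent.service, which is the ordering the thread's diagnosis (iptables-persistent overwriting ufw's chains) calls for. The unit name netfilter-persistent.service and the path /usr/sbin/ufw are the Debian/Ubuntu defaults; the ordering itself is an assumption based on that diagnosis.

```ini
[Unit]
Description=Reload ufw after persisted iptables rules have been restored
# Assumption (this thread's diagnosis): netfilter-persistent restores a stale
# rule set that replaces ufw's chains, so run only after both units are done.
After=ufw.service netfilter-persistent.service

[Service]
# One reload, then exit; RemainAfterExit keeps the unit shown as active so
# "systemctl status" tells you whether the reload ran at this boot.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ufw reload

[Install]
WantedBy=multi-user.target
```

Install it as /etc/systemd/system/ufw-reload.service (name assumed), then `sudo systemctl daemon-reload && sudo systemctl enable ufw-reload.service`. It remains a workaround: the saved snapshot is still stale, so Kattern's `netfilter-persistent save` after a reload is what actually fixes the persisted rules.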

My impression is that the changes made with ufw have not been saved and are transient. Rebooting without saving the new rules results in loading the previously saved older rules.

Save the new rules with:

sudo sh -c 'iptables-save > /etc/iptables.rules'

These rules should be reloaded automatically by the system at boot time. Or they can be reloaded with:

sudo sh -c 'iptables-restore < /etc/iptables.rules'
asdf
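An added example, not code from any of the answers above, that ties Kattern's and asdf's advice together: whichever file the rules are persisted to, the thing to verify is what is actually loaded in the kernel, because in the question `ufw status` still listed 1194 and 8000 while traffic to them was blocked. The script reads iptables-save text (live output, or a saved file such as /etc/iptables/rules.v4 or asdf's /etc/iptables.rules) and lists the expected ports that ufw's ufw-user-input chain does not ACCEPT; in live mode it then reloads ufw and saves through netfilter-persistent so the snapshot contains ufw's chains. The sample rule set, the expected port list and the UFW_CHECK_LIVE switch are constructed for this example.

```shell
#!/bin/sh
# Added example; not from the thread. Compares the ports ufw should allow with
# what is really loaded (iptables-save output) and persists only after a reload,
# so the saved snapshot includes ufw's chains. Sample rules below are constructed.

# Print every --dport that ufw-user-input ACCEPTs, one per line. Reads
# iptables-save / ip6tables-save text, or a saved rules file, on stdin.
ufw_allowed_ports() {
    awk '$1 == "-A" && $2 == "ufw-user-input" && /-j ACCEPT/ {
            for (i = 3; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
         }' | sort -un
}

# $1: space-separated ports that must be allowed; rules text on stdin.
# Prints the ports absent from the given rule set, one per line.
missing_ports() {
    loaded=$(ufw_allowed_ports)
    for port in $1; do
        printf '%s\n' "$loaded" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# Live use (root). If anything expected is missing, the kernel state has
# diverged from "ufw status": reload ufw, then save the result the way
# iptables-persistent expects, instead of saving a rule set without ufw chains.
check_and_persist() {
    missing=$(iptables-save | missing_ports "$1")
    if [ -n "$missing" ]; then
        printf 'not loaded in kernel: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        ufw reload && netfilter-persistent save
    else
        echo "all expected ports are loaded" >&2
    fi
}

# Constructed sample: a snapshot iptables-persistent restored at boot, taken
# before 1194/udp and 8000 were added with ufw, so those two are missing.
# The rate-limited 2222 rule jumps to ufw-user-limit-accept, not ACCEPT,
# and is deliberately not counted as a plain allow.
SAMPLE_STALE_RULES='*filter
:INPUT DROP [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "dapp_OpenSSH" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5550 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5550 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2222 -j ufw-user-limit-accept
COMMIT'

# Ports from the question's "ufw status" listing (assumed expected set).
EXPECTED_PORTS="22 1194 5550 80 443 8000"

# Offline demonstration on the constructed sample: prints 1194 and 8000.
printf '%s\n' "$SAMPLE_STALE_RULES" | missing_ports "$EXPECTED_PORTS"

# Touch the real kernel only when explicitly asked (needs root).
if [ "${UFW_CHECK_LIVE:-0}" = "1" ]; then
    check_and_persist "$EXPECTED_PORTS"
fi
```

Run it as-is for the offline check; on the server run `sudo env UFW_CHECK_LIVE=1 sh check-ufw.sh` (file name assumed). To audit a saved snapshot instead of the kernel, pipe the file in: `missing_ports "$EXPECTED_PORTS" < /etc/iptables/rules.v4`. For the IPv6 rules in the question's listing, feed ip6tables-save or rules.v6 through the same functions.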