# "ERROR: problem running ufw-init" from UFW with 3.5.4 kernel

## Fitzcarraldo

```
# uname -a
Linux meshedgedx 3.5.4-gentoo #1 SMP Sat Sep 22 07:25:14 BST 2012 x86_64 Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz GenuineIntel GNU/Linux
```

Up until today I was using kernel linux-3.3.5-gentoo (~amd64), and ufw worked perfectly. I could enable and disable ufw from the command line and there were no error messages.

But today I installed kernel linux-3.5.4-gentoo, and now ufw displays an error message at boot and also if I enable it from the command line (I don't lose connectivity, though):

```
# ufw enable
ERROR: problem running ufw-init
```

Some experiments with ufw are shown below:

```
# ufw disable
Firewall stopped and disabled on system startup
# /etc/init.d/ufw restart
 * WARNING: you are stopping a boot service
 * Stopping ufw ...                                    [ ok ]
 * Starting ufw ...
 * Not starting firewall (not enabled), use "ufw enable" first.   [ !! ]
 * ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw restart
 * Starting ufw ...                                    [ ok ]
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp
80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere

# ufw disable
Firewall stopped and disabled on system startup
# ufw status
Status: inactive
# ufw enable
ERROR: problem running ufw-init
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp
80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere

# ufw disable
Firewall stopped and disabled on system startup
# ufw enable
ERROR: problem running ufw-init
# ufw enable
ERROR: Could not load logging rules
# ufw enable
ERROR: Could not load logging rules
```

It looks to me like ufw is not working at all:

```
# /etc/init.d/ufw stop
 * WARNING: you are stopping a boot service
 * Stopping ufw ...                                    [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
# /etc/init.d/ufw start
 * Starting ufw ...
 * Not starting firewall (not enabled), use "ufw enable" first.   [ !! ]
 * ERROR: ufw failed to start
# ufw enable
ERROR: problem running ufw-init
# /etc/init.d/ufw start
 * Starting ufw ...                                    [ ok ]
# cat /var/log/messages | grep -i --text ufw
Sep 24 21:25:08 meshedgedx /etc/init.d/ufw[14563]: WARNING: you are stopping a boot service
Sep 24 21:25:22 meshedgedx /etc/init.d/ufw[14740]: ERROR: ufw failed to start
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
Anywhere                   ALLOW       5212/udp
80/tcp                     ALLOW OUT   Anywhere
5210/tcp                   ALLOW OUT   Anywhere
5211/udp                   ALLOW OUT   Anywhere
```

Here are the contents of my /etc/default/ufw config file, which worked fine with the 3.3.5 kernel:

```
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW outbound packets on the OUTPUT
# chain, whereas ACCEPT_NO_TRACK does not use connection tracking. Please note
# that if you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
```

And here are the relevant modules that are loaded:

```
$ lsmod | grep nf_
nf_conntrack_ipv6       5592  6
nf_defrag_ipv6          5429  1 nf_conntrack_ipv6
ipv6                  256565  106 nf_defrag_ipv6,nf_conntrack_ipv6
nf_conntrack_netbios_ns      989  0
nf_conntrack_broadcast     1085  1 nf_conntrack_netbios_ns
nf_nat_ftp              1436  0
nf_nat                 12704  1 nf_nat_ftp
nf_conntrack_ipv4      10352  8 nf_nat
nf_defrag_ipv4          1235  1 nf_conntrack_ipv4
nf_conntrack_ftp        5237  1 nf_nat_ftp
nf_conntrack           53079  8 nf_nat_ftp,nf_conntrack_netbios_ns,nf_nat,xt_state,nf_conntrack_broadcast,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6
```

I've tried making IPV6=no, and I've tried making IPT_MODULES="", neither of which got rid of the error message.

Does anyone have any ideas how to get ufw working correctly with the 3.5.4 kernel?

----------

## Fitzcarraldo

It's a bug in UFW as a result of a change in IPTables: UFW Bug #1065297: use conntrack instead of state.

----------
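The follow-up above points at the cause: ufw's generated rules use the iptables `state` match, which newer iptables treats as obsolete in favour of `conntrack`. The script below is an added diagnostic, not code from the thread or from the ufw project. It checks which matches the running kernel advertises in `/proc/net/ip_tables_matches`, counts how many rules in the ufw rule files still use `-m state --state`, and shows the mechanical rewrite to `-m conntrack --ctstate` (the state names NEW, ESTABLISHED, RELATED and INVALID are the same for both matches). The rule-file paths are the ufw defaults and the sample rules in the test are constructed; whether the rewrite alone is sufficient on a given system is an assumption to verify against the bug report.

```shell
#!/bin/sh
# Added diagnostic for the "state" vs "conntrack" iptables match problem.
# Not part of the forum thread or of ufw itself.

# Kernel-side list of iptables matches; present once ip_tables is loaded.
DEFAULT_MATCHES_FILE=/proc/net/ip_tables_matches

# kernel_has_match NAME [FILE]
# Prints "yes" if the kernel advertises the match (e.g. state, conntrack),
# "no" if not, and "unknown" (exit 2) if the proc file cannot be read.
kernel_has_match() {
    f=${2:-$DEFAULT_MATCHES_FILE}
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    if grep -qx "$1" "$f"; then
        echo yes
    else
        echo no
        return 1
    fi
}

# count_state_matches FILE
# Number of rule lines that still use the obsolete "-m state --state" form.
count_state_matches() {
    grep -c -- '-m state --state' "$1" || :
}

# rewrite_state_to_conntrack FILE
# Prints the file with "-m state --state X" turned into "-m conntrack --ctstate X".
# Both matches accept the same state names, so the argument is kept verbatim.
rewrite_state_to_conntrack() {
    sed 's/-m state --state/-m conntrack --ctstate/g' "$1"
}

# report_ufw_rules
# Summarise the default ufw rule files that are readable on this host.
report_ufw_rules() {
    for f in /etc/ufw/before.rules /etc/ufw/before6.rules \
             /etc/ufw/after.rules /etc/ufw/after6.rules \
             /etc/ufw/user.rules /etc/ufw/user6.rules; do
        [ -r "$f" ] || continue
        printf '%s: %s rule(s) use -m state\n' "$f" "$(count_state_matches "$f")"
    done
}

printf 'kernel "state" match:     %s\n' "$(kernel_has_match state)"
printf 'kernel "conntrack" match: %s\n' "$(kernel_has_match conntrack)"
report_ufw_rules
```

Run it as root on the affected box; if `conntrack` shows `no` while ufw's rules have been switched to it (or `state` shows `no` while they still use it), the mismatch between the kernel's netfilter configuration and the rule syntax is what makes ufw-init fail. Review the rewritten output before replacing any rule file.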

