Issues with Ubuntu’s UFW on OpenVZ VPS

1 minute read

Updates

  • 2013.06.28 - Simplify patch and add notes about disabling IPv6.

Overview

I bit the bullet and signed up from a cheap vps from chicagovps.com. It’s $55/year for 120 GB of disk space, and 3 GB of RAM. Not bad, I expect the servers are significantly oversold.

First thing I did was update to Ubuntu 12.04 LTS (started at 11.10), and then attempted to setup the firewall. The update went pretty seemlessly other then having to configure some locale stuff.

Nevertheless I ran into an issue setting up the firewall on it using ufw:

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init

Take a closer look at what’s failing:

# /lib/ufw/ufw-init force-reload
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module nf_conntrack_ftp not found.
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module nf_nat_ftp not found.
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module nf_conntrack_netbios_ns not found.
iptables-restore: line 69 failed
iptables-restore: line 30 failed
ip6tables-restore: line 65 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/before6.rules'

What does this really mean? Means two things: 1. We’re trying to load modules in a cheap VM, can’t do that. 2. We’re trying to use features provided by modules that aren’t being loading.

Stop Loading modules and ipv6 in the OpenVZ VM

  1. Open /etc/default/ufw
  2. Comment out the line starting with “IPT_MODULES” and “IPV6”
  3. The first three and last one error are solved.

Disable Unsupported Firwall Rules

The default ufw configuration uses some features not support by the kernel running my vm (2.6.32-042stab074.10). We know from the output above there is a problem in /etc/ufw/before.rules at or before line 69. Line 69 in my case was the commit line, which implicates all the rules trying to be committed to that table.

There is some guess and check here unless you know what you’re doing. Modify the file, and run ufw-init force-reload again until all issues are resolved.

Aftermath

After all is said and done, ufw enable should work great:

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Since my first course of action on any new machine is to setup etckeeper, it’s very simple to track my changes to make ufw happy, obligatory patch:

Comments