    Error when enabling ufw

    Support
    • ?
      A Former User last edited by A Former User

      Hello all,

      After I installed UT on my phone, I was curious about the firewall. So I ran
      "sudo ufw status" and realized that the fw was not running at all.
      Thought "uhhh", no problem, let's enable it.

      And this led to my question. What needs to be done to get the firewall up and running?
      Has someone had the same experience and been able to fix it?

      Thanks for your hints,
      Tellina

      Steps I processed:

      sudo ufw enable

      Error: problem running ufw-init
      modprobe: ERROR ../libkmod/libkmod.c:586

      .....

      ERROR: problem running ufw-init
      iptables-restore: line 77 failed
      iptables-restore: line 30 failed
      iptables-restore: line 35 failed

      Running script check-requirements in /usr/share/ufw
      Output:
      Has python: ERROR: could not find valid python

      Checking python used with ufw:
      sudo find /usr/lib/ -name "ufw"
      -> /usr/lib/python3/dist-packages/ufw

      Checking python version:
      python3 --version
      -> Python 3.5.2

      Running out of ideas.

      Phone: Volla Phone
      OS: Ubuntu 16.04 (2020-08-07)

      • ?
        A Former User @Guest last edited by

        @Tellina Due to the lack of other issues with my phone I looked a second time at ufw.

        First I set default rules:
        sudo ufw default deny incoming
        sudo ufw default allow outgoing

        And activated access from my internal network:

        SSH: sudo ufw allow from 192.XXX.XXX.1/24 to any port 22
        FTP: sudo ufw allow from 192.XXX.XXX.1/24 to any port 21

        Because no errors popped up, I also ran this to display the maintained rules:
        sudo ufw status verbose

        Then started the firewall:
        sudo ufw enable

        Unfortunately I got these errors:
        ERROR: problem running ufw-init
        ERROR: Could not load logging rules

        So what to do? To fix the problem with "logging rules" I switched them off.
        sudo ufw logging off

        And in case problems occur with IPv6, this is disabled in the ufw config with:
        sudo nano /etc/default/ufw
        by setting: IPV6=no

        After these modifications I tried again to start ufw:
        sudo ufw enable

        And the firewall has been activated. 🙂

        But I have noticed one additional issue so far. After a boot of the device ufw is not active. Damn!

        To fix this, I tried:

        sudo nano /lib/systemd/system/ufw.service
        To edit the UNIT section in the ufw.service file.
        Change: Before=network.target to After=network-online.target

        What a pity, I ended up with this message:
        unable to create directory /root/.nano: Read-only system

        Two questions to the community:

        1. How to overcome the read-only issue?
        2. Have I overlooked something in how to configure ufw just to get it up and running?

        Thanks
        T.

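A check that can be run after enabling ufw, or after a reboot when it may have come up inactive, as an added example that is not part of the original post: it parses `sudo ufw status verbose` output and reports anything that departs from the posture described above (default deny incoming, SSH and FTP reachable only from the local network). The sample output is constructed, and 192.168.1.0/24 is an assumed stand-in for the masked network.

```python
import ipaddress
import re

# Constructed `sudo ufw status verbose` output (not from the thread); the
# first line is the warning quoted later in the thread, and 192.168.1.0/24
# stands in for the masked 192.XXX.XXX.1/24 network.
SAMPLE_STATUS = """\
Warn: Uid is 0 but '/' is owned by 109
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.1.0/24
21                         ALLOW IN    Anywhere
"""

# Inbound allow rules as printed by the verbose status table.
RULE_RE = re.compile(r"^(.+?)\s+(?:ALLOW|LIMIT) IN\s+(.+)$")


def audit_ufw_status(text, lan_cidr):
    """Return findings; an empty list means the intended posture holds."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)  # x.x.x.1/24 -> .0/24
    findings = []
    if not re.search(r"^Status: active\s*$", text, re.M | re.I):
        findings.append("ufw is not active")
    default = re.search(r"^Default: (\w+) \(incoming\)", text, re.M)
    if not default or default.group(1) not in ("deny", "reject"):
        findings.append("default incoming policy is not deny/reject")
    for line in text.splitlines():
        rule = RULE_RE.match(line.strip())
        if not rule:
            continue
        target, source = rule.group(1), rule.group(2)
        try:
            net = ipaddress.ip_network(source, strict=False)
            inside = net.network_address in lan and net.broadcast_address in lan
        except ValueError:  # "Anywhere", "Anywhere (v6)" and similar
            inside = False
        if not inside:
            findings.append("%s is allowed from %s" % (target, source))
    return findings


if __name__ == "__main__":
    for finding in audit_ufw_status(SAMPLE_STATUS, "192.168.1.1/24"):
        print("FINDING:", finding)
```
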
        • AppLee
          AppLee @Guest last edited by

          @Tellina said in Error when enabling ufw:

          Two questions to the community:

          How to overcome the read-only issue?

          You can remount the Filesystem RW, but it's not recommended.
          Your issue is to modify the file, so you can use vi instead of nano; vi does not create a file in the home directory if not explicitly asked.

          Have I overlooked something in how to configure ufw just to get it up and running?

          UT is not a traditional Linux distro so it's a bit hacky to make modifications like that to your system.
          About how to run a script automatically after a reboot, there is an open thread here in the forum.

          • 3
            3T_Ed last edited by

            When checking ufw status my OP3T returns

            Warn: Uid is 0 but '/' is owned by 109
            Status: Active

            Could anyone explain please?

            • Lakotaubp
              Lakotaubp last edited by

              This question was covered in the last Q&A (https://youtu.be/50Ar0aJuGWk). Basically it is not enabled as UT has no open ports that need blocking. The blog and audio of Q&A83 will be released shortly for full details or use YouTube link.

              • 3
                3T_Ed last edited by

                @Lakotaubp
                Thank you for your response and link. The Q&A is over 1:17h so I will try to capture that moment.

                Without having heard the specific answer on the Q&A 83, do you mean UFW isn't useful on UT regardless of what my terminal output says?

                • Lakotaubp
                  Lakotaubp @3T_Ed last edited by

                  @3T_Ed

                  Firewall in UT

                  Tellina said “don’t want to be nasty but” is there a plan or a timeline for a firewall in UT? We have not enabled a firewall in UT because the architecture is unusual. There are no ports open in UT by default. There are also no services running by default. A firewall would add a medium amount of weight to the system and would consume battery. Provided that there is nothing open, there is nothing that needs blocking. It is one of those issues which is worth revisiting periodically and Marius will dig into it a little deeper with the Canonical engineers who initially decided to exclude it.

                  Florian commented that if someone was able to do something malicious with UT, to force a port to open, then a firewall could play a useful role by closing it. One thing for sure is that a firewall is very dependent on the kernel and since we are often working with old kernels, that could make any introduction of a firewall messy.

                  In a follow up, it was asked if it could have a role in blocking certain outbound traffic? Well the issue there is one of complexity. For the average user controlling functions like that would need a graphical interface and how would they make sense of the settings? That difficulty really suggests the option of an app installable from the OpenStore for those who do know what they are doing, rather than exposing a confusing settings dialogue in the installed system.

                  To save you looking, a bit of a preview of the blog 😉 don't tell

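The write-up's premise, that nothing listens by default, can be checked on the device itself. The following is an added example, not part of the original post and not UBports code: it parses `/proc/net/tcp` (and `/proc/net/tcp6`) and reports TCP listeners bound to anything other than loopback. The sample table is constructed, and little-endian byte order is assumed.

```python
import ipaddress
import struct

# Constructed /proc/net/tcp sample (not from the thread), trimmed to the
# columns the parser reads: sl, local_address, rem_address, st.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:0035 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
   2: 0A01A8C0:C350 2200A8C0:01BB 01
"""

TCP_LISTEN = "0A"  # state code the kernel prints for listening sockets


def decode_addr(hex_addr):
    """Decode the kernel's hex address (IPv4 or IPv6) into an ip_address."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; little-endian is
    # assumed here (an assumption that holds on common ARM and x86 builds).
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))


def exposed_listeners(proc_text):
    """Return sorted (address, port) pairs listening beyond loopback."""
    exposed = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            exposed.add((str(addr), int(hex_port, 16)))
    return sorted(exposed)


if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as handle:
                print(path, exposed_listeners(handle.read()))
        except OSError:
            print(path, "not readable on this system")
```

An empty list for both files means no TCP service is reachable from the network; UDP sockets are not covered by this check.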
                  • ?
                    A Former User @Lakotaubp last edited by

                    @Lakotaubp: So I wonder, if it is not needed at UT, why don't we skip the UFW from the standard installation and update the documents so that inexperienced users do not ask about such topics? And away from the FW.
                    Would you be so kind and explain what's the root cause of "Warn: Uid is 0 but '/' is owned by 109" (as per my understanding this was the question). Please enlighten me. Thanks

                    • 3
                      3T_Ed last edited by

                      @Lakotaubp
                      Thank you very much for taking the time to do the write up regarding UT view on UFW. 👍

                      Like @Tellina I'm still interested in the initial question regarding the error stated above. If you could explain that would be highly appreciated.

                      • Lakotaubp
                        Lakotaubp last edited by

                        The write up is by the UBports Writers team, so not me, and as for the other stuff, again I have not a clue on the tech reasons. Someone will though I'm sure.

                        • 3
                          3T_Ed last edited by

                          @Alter posted a comment in today's Q&A 84 thread today. A link was included to an earlier blog post about using the firewall. In that section a screenshot shows the error '...is owned by 109' mentioned earlier.

                          Besides the really interesting question raised by @Alter's question, I wonder if anyone can answer the question as to what the error tells us and warns about?

                          • Keneda
                            Keneda last edited by Keneda

                            Back in the [Canonical] time there was: https://open-store.io/app/antivirus.iprogramer

                            With functions:

                            This is an App For Scanning and Protecting Ubuntu Devices from Malware, Viruses and RootKits.

                            Features:
                            Scan your Device For "Malicious Apps"
                            Scan your Device For "Malicious Connections"
                            Scan your Device For "Listening Ports"
                            Scan your Device For "Malicious Startup Commands"

                            Manage your "Firewall"
                            Manage your "Active Services"

                            Check an IP for "Malicious Activity"
                            Generate "Password with Pattern"

                            Don't know why it's been deprecated.

                            • arubislander
                              arubislander last edited by

                              @Keneda said in Error when enabling ufw:

                              Don't know why it's been deprecated.

                              This app was not deprecated as such. Simply that the author never recompiled it to run against 16.04 when the underlying OS was updated.

                              I also seem to remember claims that the app did not do all that it advertised. The code is out, luckily hosted on Launchpad though, so anyone with time available who can read code (including me) could examine it.

                              I took a quick look at the C code on my phone (not ideal, I know) and it does use some interesting techniques I might be applying in my own apps.

                              • Lakotaubp
                                Lakotaubp @arubislander last edited by

                                @arubislander You're right on that. It was pointed out a few times that the app was doing very little if not nothing by flohack.

                                • Keneda
                                  Keneda @Lakotaubp last edited by Keneda

                                  @Lakotaubp
                                  I found a post of his about that:
                                  https://forums.ubports.com/topic/2768/are-there-any-attack-vectors-based-on-sd-card/3?_=1599561104795

                                  He says that the app was confined, but it was unconfined with full system access.

                                  Did Brian Douglass publish unconfined apps without reviewing them?

                                  Scanning polemic apart, it had a firewall interface, that too was bullshit?

                                  • Lakotaubp
                                    Lakotaubp @Keneda last edited by

                                    @Keneda It states the app was fully confined so could not do anything other than scan itself. As for the full app history I cannot remember but it was about a long time ago so might have been a hang around from Canonical days. As for Firewall thing again I have no idea but it seems it was just a pretty interface doing nothing. Maybe @Flohack can remember full details.

                                    • Keneda
                                      Keneda @Lakotaubp last edited by Keneda

                                      @Lakotaubp said in Error when enabling ufw:

                                      It states the app was fully confined

                                      It wasn't in 2016 when the app was released and I installed it, and it's still tagged as "full system access" right now.
                                      But maybe it was a fake "unconfined" app after all, but that would mean crap can be released on store without review, no?

                                      Sources are still available on Launchpad I believe.
                                      https://bazaar.launchpad.net/~hosein-iprogramer/antivirus/trunk/files

                                      • Flohack
                                        Flohack @Keneda last edited by

                                        @Keneda @bhdouglass can you please check this app, this fake virus scanner should be removed I think, it was either an experiment or just a bad joke.

                                        • bhdouglass
                                          bhdouglass @Flohack last edited by bhdouglass

                                          @Flohack What's the problem? It's not available for xenial and if I recall there wasn't anything wrong with it back in the day. I also think it was a beta and not fully completed.

                                          • Flohack
                                            Flohack @bhdouglass last edited by

                                            @bhdouglass Ok if it's not in xenial I am fine with it 🙂
