UBports Forum

    Error when enabling ufw

      • ? Offline
        A Former User
        last edited by A Former User

        Hello all,

        After I installed UT on my phone, I was curious about the firewall. So I ran
        "sudo ufw status" and realized that the fw was not running at all.
        Thought "uhhh", no problem, let's enable it.

        And this led to my question. What needs to be done to get the firewall up and running?
        Has someone had the same experience and been able to fix it?

        Thanks for your hints,
        Tellina

        Steps I processed:

        sudo ufw enable

        Error: problem running ufw-init
        modprobe: ERROR ../libkmod/libkmod.c:586

        .....

        ERROR: problem running ufw-init
        iptables-restore: line 77 failed
        iptables-restore: line 30 failed
        iptables-restore: line 35 failed

        Running script check-requirements in /usr/share/ufw
        Output:
        Has python: ERROR: could not find valid python

        Checking python used with ufw:
        sudo find /usr/lib/ -name "ufw"
        -> /usr/lib/python3/dist-packages/ufw

        Checking python version:
        python3 --version
        -> Python 3.5.2

        Running out of ideas.

        Phone: Volla Phone
        OS: Ubuntu 16.04 (2020-08-07)

        ? 1 Reply Last reply Reply Quote 1
        • ? Offline
          A Former User @Guest
          last edited by

          @Tellina Due to the lack of other issues with my phone, I looked at ufw a second time.

          First I set default rules:
          sudo ufw default deny incoming
          sudo ufw default allow outgoing

          And activated access from my internal network:

          SSH: sudo ufw allow from 192.XXX.XXX.1/24 to any port 22
          FTP: sudo ufw allow from 192.XXX.XXX.1/24 to any port 21

          Because no errors popped up, I also ran this to display the maintained rules:
          sudo ufw status verbose

          Then started the firewall:
          sudo ufw enable

          Unfortunately I got these errors:
          ERROR: problem running ufw-init
          ERROR: Could not load logging rules

          So what to do? To fix the problem with "logging rules" I switched them off.
          sudo ufw logging off

          And in case problems occur with IPv6, this is disabled in the ufw config with:
          sudo nano /etc/default/ufw
          by setting: IPV6=no

          After these modifications I tried again to start ufw:
          sudo ufw enable

          And the firewall has been activated. 🙂

          But I have noticed one additional issue so far. After a boot of the device ufw is not active. Damn!

          To fix this, I tried:

          sudo nano /lib/systemd/system/ufw.service
          To edit the UNIT section in the ufw.service file.
          Change: Before=network.target to After=network-online.target

          What a pity, I ended up with this message:
          unable to create directory /root/.nano: Read-only system

          Two questions to the community:

          1. How to overcome the read-only issue?
          2. Have I overlooked something in how to configure ufw just to get it up and running?

          Thanks
          T.

          AppLeeA 1 Reply Last reply Reply Quote 0
          • AppLeeA Online
            AppLee @Guest
            last edited by

            @Tellina said in Error when enabling ufw:

            Two questions to the community:

            How to overcome the read-only issue?

            You can remount the Filesystem RW, but it's not recommended.
            Your issue is to modify the file, so you can use vi instead of nano; vi does not create a file in the home directory if not explicitly asked.

            Did I have overseen something how to configure ufw just to get it up and running?

            UT is not a traditional Linux distro so it's a bit hacky to make modifications like that to your system.
            About how to run a script automatically after a reboot, there is an open thread here in the forum.

            1 Reply Last reply Reply Quote 0
            • 3 Offline
              3T_Ed
              last edited by

              When checking ufw status my OP3T returns

              Warn: Uid is 0 but '/' is owned by 109
              Status: Active

              Could anyone explain please?

              Critics are the true Positives | OnePlus 3T, Lumia 950

              1 Reply Last reply Reply Quote 0
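The warning quoted in the post above is worded like the result of an ownership check on every directory between a file and `/`. The following is an added illustration, not part of the thread and not ufw's own code: it walks from a file up to the root and reports each component that is not owned by the expected uid or that is writable by others. That ufw performs exactly this walk is an assumption; `audit_path`, the sample tree and the path `/usr/sbin/ufw` are constructed for the example.

```python
import os
import stat
import sys
from collections import namedtuple

# Constructed sample: only '/' has a non-root owner, as in the quoted warning.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE_TREE = {
    "/": FakeStat(109, 0o40755),
    "/usr": FakeStat(0, 0o40755),
    "/usr/sbin": FakeStat(0, 0o40755),
    "/usr/sbin/ufw": FakeStat(0, 0o100755),
}


def sample_stat(path):
    """stat() stand-in that answers from the constructed tree."""
    return SAMPLE_TREE[path]


def audit_path(path, expected_uid=0, stat_fn=os.stat):
    """Walk from path up to '/', collecting ownership and permission findings.

    A component owned by another account can be renamed or replaced by that
    account, so everything below it is only as trustworthy as its owner.
    """
    findings = []
    current = os.path.abspath(path)
    while True:
        st = stat_fn(current)
        if st.st_uid != expected_uid:
            findings.append("uid is {} but '{}' is owned by {}".format(
                expected_uid, current, st.st_uid))
        # World-writable without the sticky bit lets anyone swap entries.
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append("'{}' is world writable".format(current))
        parent = os.path.dirname(current)
        if parent == current:  # reached '/'
            break
        current = parent
    return findings


if __name__ == "__main__":
    # With an argument: audit that real path. Without: use the sample tree.
    if len(sys.argv) > 1:
        results = audit_path(sys.argv[1], os.geteuid())
    else:
        results = audit_path("/usr/sbin/ufw", 0, sample_stat)
    for finding in results:
        print("WARN: " + finding)
```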
              • LakotaubpL Offline
                Lakotaubp
                last edited by

                This question was covered in the last Q&A https://youtu.be/50Ar0aJuGWk. Basically, it is not enabled as UT has no open ports that need blocking. The blog and audio of Q&A83 will be released shortly for full details, or use the YouTube link.

                1 Reply Last reply Reply Quote 0
                • 3 Offline
                  3T_Ed
                  last edited by

                  @Lakotaubp
                  Thank you for your response and link. The Q&A is over 1:17h so I will try to capture that moment.

                  Without having heard the specific answer on the Q&A 83, do you mean UFW isn't useful on UT regardless of what my terminal output says?

                  Critics are the true Positives | OnePlus 3T, Lumia 950

                  LakotaubpL 1 Reply Last reply Reply Quote 0
                  • LakotaubpL Offline
                    Lakotaubp @3T_Ed
                    last edited by

                    @3T_Ed

                    Firewall in UT

                    Tellina said “don’t want to be nasty but” is there a plan or a timeline for a firewall in UT? We have not enabled a firewall in UT because the architecture is unusual. There are no ports open in UT by default. There are also no services running by default. A firewall would add a medium amount of weight to the system and would consume battery. Provided that there is nothing open, there is nothing that needs blocking. It is one of those issues which is worth revisiting periodically and Marius will dig into it a little deeper with the Canonical engineers who initially decided to exclude it.

                    Florian commented that if someone was able to do something malicious with UT, to force a port to open, then a firewall could play a useful role by closing it. One thing for sure is that a firewall is very dependent on the kernel and since we are often working with old kernels, that could make any introduction of a firewall messy.

                    In a follow up, it was asked if it could have a role in blocking certain outbound traffic? Well the issue there is one of complexity. For the average user controlling functions like that would need a graphical interface and how would they make sense of the settings? That difficulty really suggests the option of an app installable from the OpenStore for those who do know what they are doing, rather than exposing a confusing settings dialogue in the installed system.

                    To save you looking a bit of a preview of the blog 😉 don't tell

                    ? 1 Reply Last reply Reply Quote 1
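The write-up quoted above rests on nothing listening by default, and that can be checked on a device rather than assumed. The following is an added example, not part of the thread and not UBports code: it parses the kernel's `/proc/net/tcp` table and lists sockets in the LISTEN state, marking those bound beyond loopback. The sample table is constructed, and a little-endian host (as on ARM phones) is assumed for the address decoding.

```python
import socket

LISTEN = "0A"  # TCP state code the kernel prints for listening sockets

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when\n"
    "   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   2: 0A01A8C0:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000\n"
)


def decode_addr(hex_addr):
    """Turn '0100007F:0035' into ('127.0.0.1', 53); also handles tcp6."""
    ip_hex, port_hex = hex_addr.split(":")
    raw = bytes.fromhex(ip_hex)
    # Each 32-bit word is printed in host byte order, so reverse per word.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed), int(port_hex, 16)


def listeners(proc_text):
    """Return (ip, port, scope) for every LISTEN row of a /proc/net/tcp dump."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        loopback = ip.startswith("127.") or ip == "::1"
        found.append((ip, port, "loopback" if loopback else "exposed"))
    return found


if __name__ == "__main__":
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as handle:
                rows = listeners(handle.read())
        except OSError:
            continue  # table not present on this system
        for ip, port, scope in rows:
            print("{} {}:{} ({})".format(table, ip, port, scope))
```

An empty result supports the "nothing open" argument; an `exposed` row, such as an SSH daemon on port 22, is where the allow-from rules earlier in the thread would matter.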
                    • ? Offline
                      A Former User @Lakotaubp
                      last edited by

                      @Lakotaubp: So I wonder, if it is not needed at UT, why don't we skip the UFW from the standard installation and update the documents so that inexperienced users do not ask about such topics? And away from the FW.
                      Would you be so kind and explain what's the root cause of "Warn: Uid is 0 but '/' is owned by 109" (as per my understanding this was the question). Please enlighten me. Thanks

                      1 Reply Last reply Reply Quote 1
                      • 3 Offline
                        3T_Ed
                        last edited by

                        @Lakotaubp
                        Thank you very much for taking the time to do the write up regarding UT view on UFW. 👍

                        Like @Tellina I'm still interested in the initial question regarding the error stated above. If you could explain that would be highly appreciated.

                        Critics are the true Positives | OnePlus 3T, Lumia 950

                        1 Reply Last reply Reply Quote 0
                        • LakotaubpL Offline
                          Lakotaubp
                          last edited by

                          The write up is by the UBports Writers team, so not me, and as for the other stuff, again I have not a clue on the tech reasons. Someone will though, I'm sure.

                          1 Reply Last reply Reply Quote 0
                          • 3 Offline
                            3T_Ed
                            last edited by

                            @Alter posted a comment in today's Q&A 84 thread. A link was included to an earlier blog post about using the firewall. In that section a screenshot shows the error '...is owned by 109' mentioned earlier.

                            Besides the really interesting question raised by @Alter's question, I wonder if anyone can answer the question as to what the error tells us and warns about?

                            Critics are the true Positives | OnePlus 3T, Lumia 950

                            1 Reply Last reply Reply Quote 0
                            • KenedaK Offline
                              Keneda
                              last edited by Keneda

                              Back in the [Canonical] time there was : https://open-store.io/app/antivirus.iprogramer

                              With functions:

                              This is an App For Scanning and Protecting Ubuntu Devices from Malware, Viruses and RootKits.

                              Features:
                              Scan your Device For "Malicious Apps"
                              Scan your Device For "Malicious Connections"
                              Scan your Device For "Listening Ports"
                              Scan your Device For "Malicious Startup Commands"

                              Manage your "Firewall"
                              Manage your "Active Services"

                              Check an IP for "Malicious Activity"
                              Generate "Password with Pattern"

                              Don't know why it's been deprecated.

                              2015-2023 : Meizu MX4 ☠️⚰️✝️
                              2023-2024 : Nexus 5 ☠️⚰️✝️
                              2024-***** : FPOS Fairphone 5 waiting UT for freedom 😉
                              🇲🇫🇬🇧

                              1 Reply Last reply Reply Quote 1
                              • arubislanderA Offline
                                arubislander
                                last edited by

                                @Keneda said in Error when enabling ufw:

                                Don't know why it's been deprecated.

                                This app was not deprecated as such. Simply that the author never recompiled it to run against 16.04 when the underlying OS was updated.

                                I also seem to remember claims that the app did not do all that it advertised. The code is out, luckily hosted on Launchpad though, so anyone with time available who can read code (including me) could examine it.

                                I took a quick look at the C code on my phone (not ideal, I know) and it does use some interesting techniques I might be applying in my own apps.

                                πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
                                Happily running Ubuntu Touch
                                Google Pixel 3a (20.04 DEV)
                                JingPad (24.04 preview)
                                Meizu Pro 5 (16.04 DEV)

                                LakotaubpL 1 Reply Last reply Reply Quote 0
                                • LakotaubpL Offline
                                  Lakotaubp @arubislander
                                  last edited by

                                  @arubislander You're right on that. It was pointed out a few times by flohack that the app was doing very little if not nothing.

                                  KenedaK 1 Reply Last reply Reply Quote 0
                                  • KenedaK Offline
                                    Keneda @Lakotaubp
                                    last edited by Keneda

                                    @Lakotaubp
                                    I found a post of his about that:
                                    https://forums.ubports.com/topic/2768/are-there-any-attack-vectors-based-on-sd-card/3?_=1599561104795

                                    He says that the app was confined, but it was unconfined with full system access.

                                    Did Brian Douglass publish unconfined apps without reviewing them?

                                    Scanning polemic apart, it had a firewall interface, was that bullshit too?

                                    2015-2023 : Meizu MX4 ☠️⚰️✝️
                                    2023-2024 : Nexus 5 ☠️⚰️✝️
                                    2024-***** : FPOS Fairphone 5 waiting UT for freedom 😉
                                    🇲🇫🇬🇧

                                    LakotaubpL 1 Reply Last reply Reply Quote 0
                                    • LakotaubpL Offline
                                      Lakotaubp @Keneda
                                      last edited by

                                      @Keneda It states the app was fully confined so could not do anything other than scan itself. As for the full app history I cannot remember, but it was about a long time ago so might have been a hang around from Canonical days. As for the Firewall thing, again I have no idea, but it seems it was just a pretty interface doing nothing. Maybe @Flohack can remember full details.

                                      KenedaK 1 Reply Last reply Reply Quote 0
                                      • KenedaK Offline
                                        Keneda @Lakotaubp
                                        last edited by Keneda

                                        @Lakotaubp said in Error when enabling ufw:

                                        It states the app was fully confined

                                        It wasn't in 2016 when the app was released and I installed it, and it's still tagged as "full system access" right now.
                                        But maybe it was a fake "unconfined" app after all, but that would mean crap can be released on store without review, no?

                                        Sources are still available on Launchpad I believe.
                                        https://bazaar.launchpad.net/~hosein-iprogramer/antivirus/trunk/files

                                        2015-2023 : Meizu MX4 ☠️⚰️✝️
                                        2023-2024 : Nexus 5 ☠️⚰️✝️
                                        2024-***** : FPOS Fairphone 5 waiting UT for freedom 😉
                                        🇲🇫🇬🇧

                                        flohackF 1 Reply Last reply Reply Quote 0
                                        • flohackF Offline
                                          flohack @Keneda
                                          last edited by

                                          @Keneda @bhdouglass can you please check this app, this fake virus scanner should be removed I think, it was either an experiment or just a bad joke.

                                          My languages: 🇦🇹 🇩🇪 🇬🇧 🇺🇸

                                          bhdouglassB 1 Reply Last reply Reply Quote 0
                                          • bhdouglassB Offline
                                            bhdouglass @flohack
                                            last edited by bhdouglass

                                            @Flohack What's the problem? It's not available for xenial and if I recall there wasn't anything wrong with it back in the day. I also think it was a beta and not fully completed.

                                            open-store.io && bhdouglass.com

                                            flohackF 1 Reply Last reply Reply Quote 1
                                            • flohackF Offline
                                              flohack @bhdouglass
                                              last edited by

                                              @bhdouglass Ok if it's not in xenial I am fine with it 🙂

                                              My languages: 🇦🇹 🇩🇪 🇬🇧 🇺🇸

                                              1 Reply Last reply Reply Quote 1