Hi Guys,

For some reason ufw is not starting after server reboot. I think it is related to the error message when I see in the console when i start it manually.

Even though I see the error below, ufw starts, and functions correctly.

BASH-root@oruvmlnd /var/log# service ufw start
[....] Starting firewall: ufw...libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.9.3-x86_64-linode33/modules.dep.bin'
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.9.3-x86_64-linode33/modules.dep.bin'
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.9.3-x86_64-linode33/modules.dep.bin'
[ ok ng kernel variables (/etc/ufw/sysctl.conf)...done.
BASH-root@oruvmlnd /var/log#

BASH-root@oruvmlnd /var/log# service ufw status
[ ok all is running...done.
BASH-root@oruvmlnd /var/log#


I tried turning it on using chkconfig ufw on , but it didn't help.

BASH-root@oruvmlnd /var/log# chkconfig --list | grep ufw
ufw 0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
BASH-root@oruvmlnd /var/log# chkconfig ufw on
BASH-root@oruvmlnd /var/log# chkconfig --list | grep ufw
ufw 0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
BASH-root@oruvmlnd /var/log#

Ran into that in the past.
Double funny when the earlier versions of kmod failed silently with zero error messages (just a failure return code) when modules.dep.bin was missing. Took me a bit of ptracing to find out what's the problem.

Anyway:

% sudo -s
# cd /lib/modules/`uname -r`
# depmod
(ignore warnings)
# ls
(you should see, among others, modules.dep.bin)
# <Ctrl-D>
%

While I agree that kmod should fail more gracefully in such cases, it obviously doesn't, and we have to deal with it.
I've suggested quite a while ago that Linode should upgrade their "Modules.dep helper" feature (in your boot profile settings) to not only create a dummy modules.dep that was enough to satisfy old modprobe, but also modules.dep.bin for kmod.

It might be just as easy as writing the header

b0 07 f4 57 00 02 00 01  00 00 00 0c

into the modules.dep.bin...
Thoughts, Linode?

_________________
rsk, providing useless advice on the Internet since 2005.

I followed your instructions, but I am not sure if it worked right.

$ su - root
Password:
$ cd /lib/modules/`uname -r`
$ /lib/modules/3.9.3-x86_64-linode33# depmod
WARNING: could not open /lib/modules/3.9.3-x86_64-linode33/modules.order: No such file or directory
WARNING: could not open /lib/modules/3.9.3-x86_64-linode33/modules.builtin: No such file or directory
$ /lib/modules/3.9.3-x86_64-linode33# ls
modules.alias modules.builtin.bin modules.dep.bin modules.softdep modules.symbols.bin
modules.alias.bin modules.dep modules.devname modules.symbols
$ /lib/modules/3.9.3-x86_64-linode33#
$ /root# ls
$ /root# logout

I see the same result as before - weird error messages about linode modules when I start ufw, but it starts and functions okay.

$ /root# service ufw status
[ ok all is running...done.
$ service ufw stop
[ ok ] Stopping firewall: ufw...done.
$ service ufw start
[....] Starting firewall: ufw...libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/3.9.3-x86_64-linode33/modules.builtin.bin'
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/3.9.3-x86_64-linode33/modules.builtin.bin'
FATAL: Module nf_nat_ftp not found.
libkmod: ERROR ../libkmod/libkmod.c:505 kmod_lookup_alias_from_builtin_file: could not open builtin file '/lib/modules/3.9.3-x86_64-linode33/modules.builtin.bin'
[ ok ng kernel variables (/etc/ufw/sysctl.conf)...done
$ /root#

Ugh.
Not same as before, now it complains about a different file - what's weird is that the file it complains about now has also been created (it is visible in your ls output).

Anyway, the core problem is that ufw assumes a modular kernel and tries to blindly load the netfilter modules - while they're statically built in on a Linode kernel.

A bit of Google tells me you should edit /etc/default/ufw and comment-out the IPT_MODULES=(...) line by putting a # in front of it.

On a separate note, a firewall is usually not a daemon, so the "service status" command may be telling you everything is fine because there's nothing to check for.
So please also tell me what makes you assume it's "not running after reboot" - just the chkconfig output? Or are all your iptables actually empty after bootup?

Good luck!

_________________
rsk, providing useless advice on the Internet since 2005.