
Diskless Ubuntu client - UFW enable hangs system


I have successfully created a diskless Ubuntu system instance via this community help page and it works perfectly. However, I would like to enable the firewall with UFW, and when I tried to do that the problem appeared.

As part of the tutorial on the help page I prepared a complete "filesystem" with another installation and already bootstrapped the OS with my settings there (installed necessary packages, changed configs, ...). Later on I copied it to the NFS directory and booted it on the diskless machine. Everything was loading successfully (printing an OK status to the console as each service started) until the moment when a loader with unlimited start time was shown. One of the starting services was also UFW. At some point the system became unresponsive (I could still scroll the console with Shift-Pg Up/Down, but nothing was actually happening there). I could not get around that until I figured out that UFW is the main problem causing this. So I disabled UFW in /etc/ufw/ufw.conf (directly on the NFS server) and retried booting. That time everything went well and the system booted up successfully.

But I would still like to have UFW enabled, so I tried to do that directly from the machine. And there the same problem reappeared. As soon as I executed ufw enable the system became unresponsive. I have captured the output from dmesg when this command executes:

[ xxxx.xxxxxx ] bpfilter: Loaded bpfilter_umh pid 748
[ xxxx.xxxxxx ] Started filter

And then the system was unresponsive for 2 minutes, when I got another few messages:

[ xxxx.xxxxxx ] INFO: task systemd-journal:278 blocked for more than 120 seconds.
[ xxxx.xxxxxx ]       Not tainted 5.4.0-86-generic #97-Ubuntu
[ xxxx.xxxxxx ] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

I thought there might be a problem with the default rules disallowing the NFS connection. So I added the following rules (step by step, and tried to enable UFW after each):

ufw allow from 192.168.0.5    # NFS server
ufw allow from 192.168.0.0/24 # local network
ufw allow in on eth0          # client network interface

But no luck with this (and I was not expecting any, as by logic those rules should not have any impact).

So here I am now, without any idea at the moment how to make any progress on this. I can also point out that there is another problem in dmesg, but it probably has no relation to the one with UFW:

[ xxx.xxxxxx] systemd-journald[276]: Failed to set ACL on /var/log/jorunal/.../user-101.journal, ignoring: Operation not permitted

I believe there must be some rule in UFW which by default denies access to the NFS share and therefore the complete system hangs. Any suggestion or pointer in the right direction would be greatly appreciated.

EDIT: The iptables output when UFW is enabled and my rules are also added (copied from the original installation) is here: https://pastebin.com/rp5QWLCh
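A pre-flight check for the setup described in the question, added here as an example; it is not code from the question or its comments. It takes the text of /proc/mounts and /etc/default/ufw (constructed samples inline, reading the real files is left to the caller), finds the server that serves "/" over NFS, and emits the ufw rules in the question's own syntax plus a finding when the default output policy would cut a diskless client off from its root filesystem. It does not claim to explain the hang; it only makes the "default deny blocks NFS" hypothesis from the question checkable before running ufw enable.

```python
import re

# Constructed samples standing in for /proc/mounts and /etc/default/ufw on the client.
SAMPLE_MOUNTS = (
    "192.168.0.5:/srv/nfs/client / nfs4 rw,relatime,vers=4.1,proto=tcp,addr=192.168.0.5 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
)
SAMPLE_DEFAULT_UFW = 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_OUTPUT_POLICY="DROP"\n'

NFS_TYPES = {"nfs", "nfs4"}

def nfs_root_server(mounts_text):
    """Return (server, fstype, options dict) for '/' when it is NFS-mounted, else None."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "/" or parts[2] not in NFS_TYPES:
            continue
        opts = dict(o.partition("=")[::2] for o in parts[3].split(","))
        # 'addr=' is the address the kernel actually talks to; fall back to the host
        # part of "server:/export" when it is absent.
        server = opts.get("addr") or parts[0].split(":", 1)[0]
        return server, parts[2], opts
    return None

def ufw_policies(default_ufw_text):
    """Map INPUT/OUTPUT to the DEFAULT_*_POLICY values set in /etc/default/ufw."""
    return dict(re.findall(r'^DEFAULT_(INPUT|OUTPUT)_POLICY="?(\w+)"?', default_ufw_text, re.M))

def preflight(mounts_text, default_ufw_text):
    """Return (ufw rules to add before enabling, findings that would strand an NFS-root client)."""
    root = nfs_root_server(mounts_text)
    if root is None:
        return [], []  # not a diskless client; nothing to check
    server, fstype, opts = root
    proto = opts.get("proto", "tcp")
    rules = [f"ufw allow out to {server} port 2049 proto {proto}",  # NFS itself
             f"ufw allow from {server}"]                            # the rule the question tried
    if fstype == "nfs" and opts.get("vers", "3").split(".")[0] == "3":
        # NFSv3 also needs rpcbind; NFSv4 multiplexes everything over 2049.
        rules.insert(1, f"ufw allow out to {server} port 111 proto {proto}")
    findings = []
    if ufw_policies(default_ufw_text).get("OUTPUT", "ACCEPT") != "ACCEPT":
        findings.append(f"DEFAULT_OUTPUT_POLICY is not ACCEPT: traffic to the root NFS server "
                        f"{server} needs an explicit allow-out rule or the client loses its filesystem")
    return rules, findings

if __name__ == "__main__":
    for item in sum(preflight(SAMPLE_MOUNTS, SAMPLE_DEFAULT_UFW), []):
        print(item)
```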

Doug Smythies:
ufw is just a front end for iptables. edit your question with the output from `sudo iptables -xvnL`. While ufw generated iptables rule sets are difficult to follow, perhaps it will help.
Asker (hk flag):
@DougSmythies I have added a link to pastebin where the iptables output is pasted.
Doug Smythies:
You mention "So I disabled UFW in /etc/ufw/ufw.conf (directly on NFS server)" Do I understand correctly that the iptables rule set you listed runs on the server and not on the diskless client? If yes, then I agree it will not work. If no, it runs on the diskless client, then I do not know why it is not working, looks O.K. to me.
Asker (hk flag):
The quoted text means that I powered off diskless client and then edited option `enabled = yes` to `enabled = no` in client's file `ufw.conf` directly from NFS server (NOT the file which is for NFS server itself, because the server does not have ufw at all, but I believe the server's firewall is correctly configured as everything works otherwise) ...
Doug Smythies:
While I agree that it shouldn't make a difference, could you please post the `sudo iptables -xvnL` listing with `ufw allow from 192.168.0.5 # NFS server` added.
Doug Smythies:
Try a higher log level, maybe `LOGLEVEL=high` in `/etc/ufw/ufw.conf` and post its contents.
Asker (hk flag):
Output from iptables with that specific rule: https://pastebin.com/dEVPKZDF I also changed `LOGLEVEL` (before the diskless client boot), but after I tried to enable ufw on the diskless client only the `bpfilter` logs were added (two lines as in the post above) in `dmesg`. As expected, the system hung then.
Doug Smythies:
We don't want to go to log level "full", because it would flood your system. I have been trying to figure out why the "bpfilter_umh" module is loading in the first place. It doesn't on my system. I haven't figured out what to do to have it not load, even if just for a test. I can think of two tests to attempt to gain more insight: First, use UFW but allow everything, i.e. UFW is enabled but basically a no-op; Second, try a simple iptables script, to see if it works and if the "bpfilter_umh" module is still loaded.
Doug Smythies:
Describe your client computer hardware: processor make and model, NIC etc. I had a problem earlier this year, where my hardware was too new for the 5.4 series kernels. Depending on your hardware, and as a test, try a newer kernel, say [mainline ppa 5.15-rc3](https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15-rc3/) (it seems there was a compile problem with 5.15-rc4).
Doug Smythies:
On multiple computers, I have tried basic ufw and iptables rule sets and the bpfilter_umh module is never loaded.
Carles Mateo:
Can you check/share: **ufw status numbered**
Asker (hk flag):
@DougSmythies it is not a problem with specific hardware - it can be KVM or a custom-built machine on an Intel 775 socket or an HP DC7800 SFF (this is what I have tested with so far and I don't believe it could be a hardware-related problem). I will try with a different kernel anyway and let you know. Originally I used the Ubuntu minimal cloud img in a VM and then converted it to the generic kernel and removed the cloud-init/netplan related stuff - it could also be that this affected the system somehow.