Attempting to Solve Conflicts between UFW and Network Manager

This problem had bugged me since the day I installed Kubuntu on my laptop and desktop. When I activated UFW and rebooted, the system got stuck on the Kubuntu logo, and when I pressed F2 to check what had happened, it appeared that Network Manager had conflicts with UFW, with UFW getting stuck on start-up as a result.

I ignored this problem until last week, when my lecturer encouraged us students to attack our peers' devices (with consent). I decided to look at the problem again and set up a proper first-line defense.

After a few rounds of forced shutdown and rebooting, I discovered the culprit was probably Network Manager’s connectivity check daemon. I could not reproduce this in virtual machines, so I decided to get my hands dirty and experiment on my laptop first.

I decided to do the following in order to solve the conflict:

  1. Shorten the time before a start / stop job is terminated
  2. Disable NetworkManager-wait-online.service
  3. Automatically start and save UFW rules through Network Manager Dispatcher service
  4. Turn off Network Manager’s connectivity check
  5. Allow the system to terminate user processes

1. Shorten the time before a start / stop job is terminated

The default timeout before systemd terminates a start or stop job is 90 seconds, unacceptable when you are diagnosing a hang and rebooting the computer over and over. I decided to make a change.

Edit the two parameters below in /etc/systemd/system.conf and /etc/systemd/user.conf (they ship commented out with the default shown; remove the leading # and change the value):

#DefaultTimeoutStartSec=90s
#DefaultTimeoutStopSec=90s

I set them to 10s. Note that this is a global ceiling: any unit that legitimately needs longer to start or stop will now be killed after 10 seconds, so once the offending service is identified, a per-unit TimeoutStopSec= in a drop-in is the gentler fix. The running manager re-reads system.conf after sudo systemctl daemon-reexec (or a reboot); user.conf applies at the next login.

2. Disable NetworkManager-wait-online.service

NetworkManager-wait-online.service holds back network-online.target until NetworkManager reports that the network is up. It does nothing useful for a machine that is online anyway, and on my systems it appeared to conflict with UFW, so I wanted to disable it. Be aware that anything ordered after network-online.target (a network mount, for instance) may then start before the connection exists.

Fire up your terminal and type the following commands:

sudo systemctl stop NetworkManager-wait-online.service
sudo systemctl disable NetworkManager-wait-online.service

To check whether it is disabled:

sudo systemctl status NetworkManager-wait-online.service

Look at the "Loaded" line; it should now say disabled. The same answer in one word:

systemctl is-enabled NetworkManager-wait-online.service

3. Automatically start and save UFW rules through Network Manager Dispatcher service

According to this page in the Ubuntu Community Wiki, iptables rules and Network Manager tend to conflict, so the rules might not get saved on shutdown or loaded on boot. The wiki mitigates this with a script that the NetworkManager-dispatcher service runs whenever an interface goes up or down. Bear in mind that UFW already persists its own rule set under /etc/ufw/ and reloads it through ufw.service at boot, so the snapshot restored here should be a superset of what UFW loaded; if the snapshot is stale (for example after a hard reset that skipped the "down" event) it will silently replace UFW's current rules.

Open Kate or Nano in /etc/NetworkManager/dispatcher.d , paste and save the following content as 01firewall . The dispatcher only runs scripts that are owned by root, executable, and not writable by group or others, so afterwards run:

sudo chmod 755 /etc/NetworkManager/dispatcher.d/01firewall

The script itself (the dispatcher calls it as 01firewall <interface> <action>, so the action is $2; it is executed rather than sourced, so it must finish with exit, not return):

#!/bin/sh
# Log through syslog when logger is available, otherwise to stdout.
if [ -x /usr/bin/logger ]; then
        LOGGER="/usr/bin/logger -s -p daemon.info -t FirewallHandler"
else
        LOGGER=echo
fi

case "$2" in
        up)
                # Interface came up: restore the last saved rule set (with counters).
                if [ ! -r /etc/iptables.rules ]; then
                        ${LOGGER} "No iptables rules exist to restore."
                        exit 0
                fi
                if [ ! -x /sbin/iptables-restore ]; then
                        ${LOGGER} "No program exists to restore iptables rules."
                        exit 0
                fi
                ${LOGGER} "Restoring iptables rules"
                /sbin/iptables-restore -c < /etc/iptables.rules
                ;;
        down)
                # Interface went down: snapshot the live rule set for the next "up".
                if [ ! -x /sbin/iptables-save ]; then
                        ${LOGGER} "No program exists to save iptables rules."
                        exit 0
                fi
                ${LOGGER} "Saving iptables rules."
                /sbin/iptables-save -c > /etc/iptables.rules
                ;;
        *)
                # pre-up, vpn-up, hostname, etc.: nothing to do.
                ;;
esac
exit 0

4. Turn off Network Manager’s connectivity check

The reasoning is the same as in step 2: I don't need this to verify whether I can connect to the Internet.

Create the file /etc/NetworkManager/conf.d/20-connectivity.conf (note the conf.d directory: NetworkManager does not pick up drop-ins placed directly in /etc/NetworkManager) with the following content and save it:

[connectivity]
.set.enabled=false

NetworkManager does not watch that directory, so either reboot or tell it to reload its configuration:

sudo systemctl reload NetworkManager

5. Allow the system to terminate user processes

Actually this isn’t directly related to the problem, but I did it anyway for the sake of a cleaner logout and reboot.

Edit the following parameter in /etc/systemd/logind.conf :

#KillUserProcesses=no

Uncomment it and swap no for yes. Be aware of what this does: at logout, logind kills everything left in the session scope, including screen or tmux sessions and nohup jobs. If you rely on those, start them with systemd-run --scope --user, or keep your session alive across logouts with loginctl enable-linger.
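To tie the five steps together, here is an added example (my own script, not from the original post) that applies them as one idempotent shell script. It takes a root directory so the file edits can be rehearsed against a copy of /etc before touching the live system; only a root of / also runs the systemctl steps. The script name fix-ufw-nm.sh and the helper names (set_conf_key, conf_value, write_connectivity_conf, harden_dispatcher_script, apply_all) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the five steps above as one
# idempotent script. It takes a root directory so the file edits can be
# rehearsed against a copy of /etc first; a root of "/" also performs the
# systemctl steps. Helper names (set_conf_key, conf_value, ...) are my own.
set -eu

# Set KEY=VALUE in a systemd-style *.conf, whether the key is already
# active, commented out ("#KEY=90s", the stock form) or absent. The file
# must exist so the section header it ships with is kept. Re-running
# leaves a single active line for the key.
set_conf_key() {                      # usage: set_conf_key FILE KEY VALUE
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    if grep -E -q "^#?${key}=" "$file"; then
        sed -E -i "s|^#?${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read back the active value of KEY ("" if unset or only commented out).
conf_value() {                        # usage: conf_value FILE KEY
    sed -E -n "s|^${2}=(.*)|\1|p" "$1" | tail -n 1
}

# Step 4. NetworkManager reads drop-ins from conf.d/, not from
# /etc/NetworkManager itself, so CONFDIR must be the conf.d directory.
write_connectivity_conf() {           # usage: write_connectivity_conf CONFDIR
    mkdir -p "$1"
    printf '[connectivity]\n.set.enabled=false\n' > "$1/20-connectivity.conf"
}

# Step 3. NetworkManager-dispatcher skips a script that is not executable,
# not owned by root, or writable by group/others. Fix the mode (and the
# owner, when running as root) of the 01firewall script and verify it.
harden_dispatcher_script() {          # usage: harden_dispatcher_script PATH
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
    chmod 0755 "$1"
    [ "$(stat -c '%a' "$1")" = "755" ]
}

# Apply everything under ROOT. Only ROOT="/" touches the running system.
apply_all() {                         # usage: apply_all ROOT
    root="${1%/}"                     # "/" becomes "", so "$root/etc" is "/etc"
    for f in "$root/etc/systemd/system.conf" "$root/etc/systemd/user.conf"; do
        set_conf_key "$f" DefaultTimeoutStartSec 10s                     # step 1
        set_conf_key "$f" DefaultTimeoutStopSec 10s
    done
    set_conf_key "$root/etc/systemd/logind.conf" KillUserProcesses yes   # step 5
    write_connectivity_conf "$root/etc/NetworkManager/conf.d"           # step 4
    harden_dispatcher_script "$root/etc/NetworkManager/dispatcher.d/01firewall"
    if [ -z "$root" ]; then
        systemctl disable --now NetworkManager-wait-online.service      # step 2
        systemctl daemon-reexec           # re-read system.conf now
        systemctl reload NetworkManager   # pick up the conf.d drop-in
        # user.conf and logind.conf take effect at the next login/boot.
    fi
}

# "sudo ./fix-ufw-nm.sh /" applies for real; "./fix-ufw-nm.sh ./scratch"
# rehearses against a copy of /etc placed under ./scratch/etc.
if [ $# -gt 0 ]; then apply_all "$1"; fi
```

The rehearsal mode is the point: copy /etc/systemd and /etc/NetworkManager under a scratch directory, run the script against it, and diff the result before repeating it as root against /. Each helper is safe to re-run, so a half-finished attempt can simply be repeated.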

Then reboot with the reboot button in the application menu. Everything should be fine now. I tested it by rebooting and shutting down my laptop and desktop many times. This seems to work, at least for now. This might not be the best approach to solving the conflict, but it mitigates the biggest problem, not being able to turn on the firewall, for the time being.