7.4. Troubleshooting ufw

If your system is running the ufw firewall, it is necessary to allow traffic from K3s' pod subnet (by default and service subnet (by default via ufw for K3s to work properly 1. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt 2:

Allow traffic from and via ufw?

Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).


If you opt out of the proposed remediation, K3s may malfunction.

The remediation attempted by configure-firewall is equivalent to 3:

ufw allow from to any

ufw allow from to any

ufw reload

By default, K3s' pod subnet is and service subnet is, but if you customized your K3s installation to use other subnets, you should substitute them here.
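To confirm that the rules above are in place, the following added example (not part of the LOCKSS installer or of the original page) checks `ufw status` output for an allow rule per subnet. The function name `missing_ufw_allows` and the sample subnets are constructed for illustration; pass your actual pod and service subnets as arguments.

```shell
#!/bin/sh
# Added example: report which subnets lack a "from <subnet> to any" ALLOW rule.
# Reads `ufw status` (or `ufw status verbose`) output on stdin; the subnets to
# check are passed as arguments. Prints each missing subnet on its own line.
# Exit status: 0 = all present (or ufw inactive), 1 = at least one missing.
#
# Typical use (subnets are placeholders for your pod and service subnets):
#   sudo ufw status | missing_ufw_allows <pod-subnet> <service-subnet>
missing_ufw_allows() {
    status_text=$(cat)
    # An inactive ufw filters nothing, so there is nothing to remediate.
    if printf '%s\n' "$status_text" | grep -q '^Status: inactive'; then
        return 0
    fi
    rc=0
    for subnet in "$@"; do
        # Match rows such as "Anywhere  ALLOW  192.0.2.0/24"; the verbose
        # listing prints "ALLOW IN" instead of "ALLOW".
        if ! printf '%s\n' "$status_text" | awk -v s="$subnet" '
            $1 == "Anywhere" && $2 == "ALLOW" &&
                ($3 == s || ($3 == "IN" && $4 == s)) { found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$subnet"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ufw status` output (documentation address ranges,
# not K3s values): one subnet is allowed, a second one is not.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       192.0.2.0/24
Anywhere (v6)              ALLOW       2001:db8::/32'
```

Any subnet the function prints still needs the corresponding `ufw allow from ... to any` rule followed by `ufw reload`.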


If your system did not initially use ufw at the time K3s was installed, but later does (for example because ufw becomes enabled), run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo 4:






See Installing K3s.


By default, K3s' pod subnet is and service subnet is


See Running Commands as a Privileged User.