In short, sell me on ufw.
I learned recently that ufw is basically replacing iptables “everywhere”, and as I’m getting old and crusty, this means that I have to learn something new when I’d much rather practice yelling at kids to get off my lawn.
To me, iptables is fine, and I like its flexibility. I’ve been using it ever since it de facto replaced ipchains, so ease of use isn’t really a factor in this equation.
So my more pointed question is: Can I just stick to iptables, or am I missing out on something that can only be done with ufw?
- The way I understand it, ufw is a frontend for iptables. So no.
  - These days it’s a frontend for nftables. iptables is a legacy system that’s eventually going to be removed (just like ipchains before it).
    - On modern systems, iptables is a wrapper around nftables. So you’re essentially using nftables except without the ability to use any of its more powerful features.
      - I was about to say the same – and also: nftables syntax is a lot cleaner compared to iptables, and the whole configuration can be loaded from a single file just like pf, without doing the dump/reload cycle that iptables required. Unless UFW does features like defining zones which a user might need (like firewalld), then it’s not a huge improvement on bare nftables usability-wise.
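As an added example (not written by any poster in this thread, and not taken from the ufw, iptables or nftables projects), here is one minimal host policy written in the three syntaxes the replies above compare: inbound dropped by default, loopback and established traffic allowed, and a list of ports opened. It assumes ufw-style `PORT/PROTO` specs, uses SSH, HTTPS and DNS as constructed inputs, and only prints rule text; nothing is applied to a live firewall and no root is needed.

```shell
#!/bin/sh
# Added example, not code from the thread. The same minimal host policy
# expressed in ufw, iptables and nftables syntax so the three can be
# compared side by side. Port specs use ufw's PORT/PROTO form (22/tcp).
# The functions only print rule text; nothing here touches the kernel.

# ufw: one command per port; ufw persists its rules itself under /etc/ufw.
ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for spec in "$@"; do
        echo "ufw allow $spec"
    done
}

# Split PORT/PROTO into $port and $proto; reject anything but tcp/udp so
# a typo never turns into a rule that silently matches nothing.
split_spec() {
    port=${1%/*}
    proto=${1#*/}
    case $proto in
        tcp|udp) return 0 ;;
        *) echo "unsupported spec: $1" >&2; return 1 ;;
    esac
}

# iptables: imperative, appended one rule at a time; persistence is a
# separate iptables-save / iptables-restore step.
iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        split_spec "$spec" || return 1
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
}

# One nftables rule line for a PORT/PROTO spec.
nft_rule() {
    split_spec "$1" || return 1
    echo "        $proto dport $port accept"
}

# nftables: the whole ruleset is one declarative file, applied atomically
# with `nft -f FILE` (the "single file like pf" point made above).
nft_ruleset() {
    echo "flush ruleset"
    echo "table inet filter {"
    echo "    chain input {"
    echo "        type filter hook input priority 0; policy drop;"
    echo "        iif \"lo\" accept"
    echo "        ct state established,related accept"
    for spec in "$@"; do
        nft_rule "$spec" || return 1
    done
    echo "    }"
    echo "    chain output {"
    echo "        type filter hook output priority 0; policy accept;"
    echo "    }"
    echo "}"
}

# Write the nft ruleset for the given specs to FILE and, if the nft
# binary is present, parse-check it with `nft -c -f` without loading it.
write_nft_file() {
    file=$1; shift
    nft_ruleset "$@" > "$file" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file" && echo "syntax ok: $file"
    else
        echo "wrote $file (nft not installed, not syntax-checked)"
    fi
}

# Demo with constructed inputs: SSH, HTTPS and DNS.
ufw_rules 22/tcp 443/tcp 53/udp
echo
iptables_rules 22/tcp 443/tcp 53/udp
echo
nft_ruleset 22/tcp 443/tcp 53/udp
```

`write_nft_file /etc/nftables.conf 22/tcp 443/tcp` is the step that turns the comparison into a deployable file; the `-c` check catches syntax errors before `nft -f` replaces the live ruleset in one atomic step, which is the dump/reload cycle the reply above says nftables avoids.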
 
- Exactly. You can build rules with ufw and view them on iptables. Maybe the one thing ufw does better out of the box is persistent rules and a simpler “firewall on/off” switch, but especially on this particular question I don’t think they matter.
 
- I thought nftables were replacing iptables?
- UFW is an interface to a subset of iptables. There’s things iptables can do that UFW can’t. Nothing that UFW does is impossible to do with iptables.
  But why might one use UFW, I hear you wonder? Convenience.
  If you already master the art of iptables, no reason to learn UFW instead.
- I think you got it wrong. Nft is replacing iptables. Ufw is only a frontend.
  - Actually, your iptables might just be a wrapper on nft.
- UFW syntax is easier. And it wraps nftables now which means I don’t have to bother learning even more arcane syntax. 
- UFW is a wrapper which just makes interfacing with iptables bearable. UFW is iptables. 
- iptables is a legacy system that’s going away. If you don’t learn ufw, you’ll have to learn nftables.
  Edit: Not sure why I’m being downvoted for telling the truth lol
  - Don’t know either, other than they can’t stand the truth for a good reason? :/ We have been using iptables for years and now we have to relearn everything?
    - Yeah it’s unfortunate. The nftables syntax is a lot easier though!
      - The same thing has happened before, around 15 years ago… Before iptables there was a system called ipchains. Migration took a while, but it was eventually done, and nobody talks about ipchains any more.
 
- If you know iptables, just stick with that. In my testing, docker containers seem to ignore ufw rules. Supposedly, iptables rules are respected but I haven’t learned iptables yet so I can’t verify.
  - There’s a forked ufw specifically to solve docker’s issues. (1)
    But yes, docker + ufw is something to be careful about.
- Docker really doesn’t like firewalls, and doesn’t seem to play nicely with them. 
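To make the docker-plus-ufw point above concrete, here is an added example (not from any poster, and not from the Docker or ufw projects) that reads saved `iptables -S` output and reports whether Docker’s FORWARD jumps sit ahead of ufw’s, and which host ports Docker publishes to the outside. It runs unprivileged because it never queries the live kernel. The two rule dumps are constructed samples; the chain names (DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1, ufw-before-forward and friends) are the real ones, and the interface and address range in the DOCKER-USER rule it prints at the end are illustrative placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks for the "Docker ignores
# ufw" symptom from saved `iptables -S` output instead of the live kernel,
# so it runs unprivileged. The two samples below are constructed to look
# like a host running ufw and Docker with one container publishing port
# 80 on host port 8080. On a real host, replace them with the output of
# `iptables -S FORWARD` and `iptables -t nat -S DOCKER`.

SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-reject-forward'

SAMPLE_NAT_DOCKER='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80'

# Position (1-based line) of the first rule in $1 that jumps to a chain
# whose name starts with $2, or 0 if there is none.
first_jump() {
    n=$(printf '%s\n' "$1" | grep -n -- "-j $2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# True when Docker's FORWARD jumps are evaluated before ufw's. Published
# ports arrive as DNATed traffic on the FORWARD path, not INPUT, so in
# that ordering Docker's own ACCEPT rules decide before ufw sees a packet.
docker_bypasses_ufw() {
    d=$(first_jump "$1" DOCKER)
    u=$(first_jump "$1" ufw-before-forward)
    if [ "$d" -gt 0 ] && [ "$u" -gt 0 ] && [ "$d" -lt "$u" ]; then
        return 0
    fi
    return 1
}

# Host ports Docker DNATs to containers for traffic arriving on any
# interface other than docker0, i.e. what the outside world can reach.
published_ports() {
    printf '%s\n' "$1" \
        | grep -- '! -i docker0' | grep -- '-j DNAT' \
        | sed -n 's/.*--dport \([0-9]*\).*--to-destination \([^ ]*\).*/\1 -> \2/p'
}

report() {
    if docker_bypasses_ufw "$SAMPLE_FORWARD"; then
        echo "WARNING: Docker's FORWARD chains run ahead of ufw's; ufw does not gate published ports"
    else
        echo "ufw's forward chains run before Docker's, or one side is absent"
    fi
    echo "Ports published by Docker (reachable without passing INPUT/ufw):"
    published_ports "$SAMPLE_NAT_DOCKER" | sed 's/^/  /'
    echo "Docker reserves the DOCKER-USER chain for administrator rules; a"
    echo "restriction placed there is evaluated before Docker's own rules, e.g.:"
    echo "  iptables -I DOCKER-USER -i eth0 ! -s 10.0.0.0/8 -j DROP   # illustrative interface/CIDR"
}

report
```

The point the check makes visible is that ufw’s rules live in INPUT and in FORWARD jumps that Docker inserts its own jumps ahead of, so a `ufw deny 8080/tcp` does nothing for a container published on 8080; the place Docker itself documents for such restrictions is the DOCKER-USER chain.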