UFW syntax is easier. And it wraps nftables now which means I don't have to bother learning even more arcane syntax.
this post was submitted on 24 Mar 2025
17 points (90.5% liked)
Linux
52309 readers
1376 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
The way I understand it, ufw is a frontend for iptables. So no.
Exactly. You can build rules with ufw and view them on iptables. Maybe the one thing ufw does better out of the box is persistent rules and simpler "firewall on/off" switch, but specially on this particular question I don't think they matter.
These days it's a frontend for nftables. iptables is a legacy system that's eventually going to be removed (just like ipchains before it).
On modern systems, iptables is a wrapper around nftables. So you're essentially using nftables except without the ability to use any of its more powerful features.
I was about to say the same -- and also: nftables syntax is a lot cleaner compared to iptables, and the whole configuration can be loaded from a single file just like pf, without doing the dump/reload cycle that iptables required. Unless UFW does features like defining zones which a user might need (like firewalld), then it's not a huge improvement on bare nftables usability-wise.
UFW is an interface to a subset of iptables.
There's things iptables can do that UFW can't. Nothing that UFW does, is impossible to do with iptables.
By why might one use UFW I hear you wonder? Convenience.
If you already master the art of iptables, no reason to learn UFW instead.
I thought nftables where replacing iptables?
I think you got it wrong. Nft is replacing iptables. Ufw is only a frontend.
Actually, your uoyabled might just be a wrapper on nft.
UFW is a wrapper which just makes interfacing with iptables bearable. UFW is iptables.
If you know iptables, just stick with that. In my testing, docker containers seem to ignore ufw rules. Supposedly, iptable rules are respected but I haven't learned iptables yet so I can't verify.
There's a forked ufw specifically to solve docker's issues. (1)
But yes, docker + ufw is something to be carefull about.
Docker really doesn't like firewalls, and doesn't seem to play nicely with them.
iptables is a legacy system that's going away. If you don't learn ufw, you'll have to learn nftables.
Edit: Not sure why I'm being downvoted for telling the truth lol
Don't know either, other than they can't stand the thruth for a good reason? :/ We have been using iptables for years and now we have to relearn everything?
Yeah it's unfortunate. The nftables syntax is a lot easier though!
The same thing has happened before, around 15 years ago... Before iptables there was a system called ipchains. Migration took a while, but it was eventually done, and nobody talks about ipchains any more.