UFW: what exactly is it?
What is UFW? You would think this is an easy question, but the more sources I read, the less clear it gets.
The acronym spells out to Uncomplicated FireWall, as though ufw actually implements a firewall itself. And indeed in many places it is referred to as a firewall per se, such as in this article.
The Ubuntu help wiki page on UFW says that UFW is a configuration tool for iptables. (In turn, the help wiki page on firewalls says that iptables is the database of firewall rules, and that it is also the actual firewall, as though a database is a firewall, which is obviously false. And of course 'iptables' is also the name of a program.)
If ufw is a configuration tool, then we might expect it to be a program that you run to configure something, and once done, you quit with the config having been established. That's the position of this question's accepted answer: Is Uncomplicated FireWall (ufw) a service?
But other answers on that question disagree -- no, it's a service. And indeed on my 18.04 machine, I see that ufw is running as a service! Why the heck does a configuration tool run as a service?!
Further, systemctl list-units --all --type=service shows ufw.service is loaded and active (and also exited?!), yet ufw status shows inactive.
So what does ufw status = inactive mean?
That "the firewall" (whatever that is) is inactive? That's what the ufw man page doc for 'status' would suggest.
Or does it mean that the rules configured in ufw are inactive (but others configured in iptables are active)?
Or does it mean that ufw started on bootup, instated its rules into ipconfig (or wherever they go) so that they are now in effect, and now ufw has nothing to do so it's inactive?
Of particular interest: I want to follow some instructions that require issuing some iptables commands, but am concerned that they will conflict with, or be overwritten by, the ufw apparatus.
Tags: iptables, firewall, ufw
edited 2 days ago by Zanna
asked Nov 5 at 5:03 by gwideman
iptables is the firewall. It also holds the rules, because it obviously needs to, but calling it a ‘database’ is stretching it a bit as kernel provides no persistency; loading them at boot time has to be taken care of by some tool like ufw.
– Jan Hudec
Nov 5 at 12:45
@JanHudec I see some people talk about iptables as though it's the firewall, but so far as I can tell, netfilter provides the firewall functionality, while iptables provides the data for netfilter. I like your point that iptables only holds data in memory, and thus "database" is also misleading.
– gwideman
Nov 5 at 13:46
I would personally consider netfilter to be part of iptables, but I might be wrong in this fine point.
– Jan Hudec
Nov 6 at 6:37
Zanna edited my question to tidy things like URLs (thanks!), but has substituted "UFW" for all instances of "ufw". I now believe that lowercase is the proper case (as shown in manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html and wiki.ubuntu.com/UncomplicatedFirewall), but I'm not interested in an edit war on this. Zanna, please revert to lower case if you buy my evidence.
– gwideman
yesterday
1 Answer
ufw is a front-end for netfilter/iptables, the Linux mechanism for routing and filtering internet traffic.
ufw is completely optional and it's possible to create firewall and routing tables directly using the iptables commands. Some people prefer the syntax of ufw, which is supposed to make it a bit easier.
ufw itself is not the firewall; it's a tool for setting the configuration of netfilter/iptables. It is registered as a service because it needs to be run every time your machine starts up. I don't believe it stays resident in memory after it has done this configuration. "Restarting" the service simply re-runs its scripts. It is not unusual for things in Linux distributions to be registered as services even though they are merely scripts that run at boot or shutdown without staying resident in between.
If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own. This also means that ufw can conflict with other tools that set firewall rules.
If sudo ufw status returns "inactive", it means ufw has been disabled (and won't, for example, re-apply any rules at startup). You need to ensure ufw is enabled with sudo ufw enable, though you also need to configure rules for this to have meaning. If you are sure you have enabled ufw but it returns "inactive" there could be some other issue.
Note that "starting" the service doesn't enable ufw, it just activates the start-up script. If ufw is disabled when the start-up script runs it won't do anything.
You can tell if your firewall rules have been applied at any given time using iptables directly:
sudo iptables -L
sudo ip6tables -L
edited Nov 5 at 5:33
answered Nov 5 at 5:12 by thomasrutter (accepted answer)
Note: I personally don't use ufw, I use a package called netfilter-persistent which allows you to write up native iptables rules into a file and have them re-applied at boot. At boot, it essentially does what ufw does: runs a start script which applies the configuration. The difference is it's not translating from its own simplified syntax, it's merely sending the iptables commands directly to iptables.
– thomasrutter
Nov 5 at 5:32
Lots of good stuff there. Thanks. On this: "If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own." Does ufw actively delete all existing iptables rules? Or are you just saying with ufw in the picture, you can't rely on iptables commands/rules taking effect because they might get overwritten by ufw?
– gwideman
Nov 5 at 7:44
Also to thomas: "netfilter-persistent" > does that relate to iptables-persistent?
– gwideman
Nov 5 at 7:46
Yes that's what it used to be called. If your Ubuntu version has both, then the iptables-persistent package will probably just be a transitional package to give people from older versions an upgrade path.
– thomasrutter
Nov 5 at 10:09
Sorry if I confused you mentioning resolv.conf, I was just using as an example of another piece of configuration in Ubuntu which might be controlled by some other service overriding any changes you make directly. It's not connected.
– thomasrutter
Nov 6 at 13:07
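The answer's closing advice (check with iptables directly rather than trusting ufw status or systemctl) turned into a repeatable check, as an added example that is not from the original answer or from the ufw project. It reads iptables -S style output, counts the chains ufw installs (ufw names its chains ufw-*, which the page itself does not mention) and the INPUT rules that did not come from ufw, and combines that with the two status words the question conflates; the rule listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original answer. It inspects an iptables
# rule listing (the format `iptables -S` prints) and reports whether ufw's
# configuration is actually loaded, independent of what `ufw status` or
# `systemctl status ufw` say. Assumption: ufw installs its rules in chains
# named ufw-* (how ufw lays out its rules; the page does not state it).

# Constructed sample: a host where ufw is enabled and someone has also added
# one rule by hand (port 2222) with a plain iptables command.
SAMPLE_UFW_ACTIVE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: the same host with ufw disabled; only the hand-added
# rule remains and the policies are back to ACCEPT.
SAMPLE_UFW_INACTIVE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'

# count_ufw_chains: number of `-N ufw-*` chain definitions in the listing
# read from stdin (0 when ufw has installed nothing).
count_ufw_chains() {
    grep -c '^-N ufw-' || true
}

# ufw_rules_loaded: succeed (exit 0) when ufw's chains are present in the
# listing read from stdin, fail otherwise.
ufw_rules_loaded() {
    [ "$(count_ufw_chains)" -gt 0 ]
}

# count_foreign_input_rules: INPUT rules in the listing on stdin that do not
# jump into a ufw chain, i.e. rules added by something other than ufw. These
# are the rules the question worries about; they sit beside ufw's chains
# until something reloads the table.
count_foreign_input_rules() {
    grep '^-A INPUT ' | grep -vc -- '-j ufw-' || true
}

# diagnose UFW_STATUS UNIT_STATE: combine the three signals the question
# conflates. UFW_STATUS is the word `ufw status` prints (active/inactive),
# UNIT_STATE is systemd's ActiveState for ufw.service (active/inactive), and
# the iptables listing is read from stdin.
diagnose() {
    ufw_status=$1
    unit_state=$2
    chains=$(count_ufw_chains)
    if [ "$ufw_status" = active ] && [ "$chains" -gt 0 ]; then
        echo "ufw enabled, chains loaded"
    elif [ "$ufw_status" = active ]; then
        echo "ufw enabled but no ufw chains loaded"
    elif [ "$chains" -gt 0 ]; then
        echo "ufw disabled but ufw chains still present"
    elif [ "$unit_state" = active ]; then
        # The case from the question: the unit ran at boot and exited,
        # but ufw was disabled so the script applied nothing.
        echo "ufw disabled; ufw.service ran but applied nothing"
    else
        echo "ufw disabled; ufw.service did not run"
    fi
}

# Live use on a real host (needs root; `ufw status` prints "Status: <word>"
# on its first line):
#   sudo iptables -S | diagnose "$(sudo ufw status | awk 'NR==1{print $2}')" \
#       "$(systemctl show -p ActiveState --value ufw)"

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_UFW_ACTIVE" | diagnose active active
printf '%s\n' "$SAMPLE_UFW_INACTIVE" | diagnose inactive active
```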