UFW: what exactly is it?
What is UFW? You would think this is an easy question, but the more sources I read, the less clear it gets.



The acronym spells out to Uncomplicated FireWall, as though ufw actually implements a firewall itself. And indeed in many places it is referred to as a firewall per se, such as in this article.



The Ubuntu help wiki page on UFW says that UFW is a configuration tool for iptables. (In turn, the help wiki page on firewalls says that iptables is the database of firewall rules, and that it is also the actual firewall, as though a database is a firewall, which is obviously false. And of course 'iptables' is also the name of a program.)



If ufw is a configuration tool, then we might expect it to be a program that you run to configure something, and once done, you quit with the config having been established. That's the position of this question's accepted answer: Is Uncomplicated FireWall (ufw) a service?



But other answers on that question disagree -- no, it's a service. And indeed on my 18.04 machine, I see that ufw is running as a service! Why the heck does a configuration tool run as a service?!



Further, systemctl list-units --all --type=service shows ufw.service is loaded and active (and also exited?!) yet ufw status shows inactive.



So what does ufw status = inactive mean?




  1. That "the firewall" (whatever that is) is inactive? That's what the ufw man page doc for 'status' would suggest.


  2. Or does it mean that the rules configured in ufw are inactive (but others configured in iptables are active)?


  3. Or does it mean that ufw started on bootup, instated its rules into ipconfig (or wherever they go) so that they are now in effect, and now ufw has nothing to do so it's inactive?



Of particular interest: I want to follow some instructions that require issuing some iptables commands, but am concerned that they will conflict with, or be overwritten by, the ufw apparatus.
iptables firewall ufw

asked Nov 5 at 5:03 by gwideman; edited 2 days ago by Zanna
  • iptables is the firewall. It also holds the rules, because it obviously needs to, but calling it a ‘database’ is stretching it a bit as the kernel provides no persistency; loading them at boot time has to be taken care of by some tool like ufw.
    – Jan Hudec, Nov 5 at 12:45

  • @JanHudec I see some people talk about iptables as though it's the firewall, but so far as I can tell, netfilter provides the firewall functionality, while iptables provides the data for netfilter. I like your point that iptables only holds data in memory, and thus "database" is also misleading.
    – gwideman, Nov 5 at 13:46

  • I would personally consider netfilter to be part of iptables, but I might be wrong in this fine point.
    – Jan Hudec, Nov 6 at 6:37

  • Zanna edited my question to tidy things like URLs (thanks!), but has substituted "UFW" for all instances of "ufw". I now believe that lowercase is the proper case (as shown in manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html and wiki.ubuntu.com/UncomplicatedFirewall), but I'm not interested in an edit war on this. Zanna, please revert to lower case if you buy my evidence.
    – gwideman, yesterday
1 Answer
accepted
ufw is a front-end for netfilter/iptables, the Linux mechanism for routing and filtering internet traffic.



ufw is completely optional and it's possible to create firewall and routing tables directly using the iptables commands. Some people prefer the syntax of ufw, which is supposed to make it a bit easier.



ufw itself is not the firewall, it's a tool for setting the configuration of netfilter/iptables. It is registered as a service because it needs to be run every time your machine starts up. I don't believe it stays resident in memory after it has done this configuration. "restarting" the service simply re-runs its scripts. It is not unusual for things in Linux distributions to be registered as services even though they are merely scripts that run at boot or shutdown without staying resident in between.



If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own. This also means that ufw can conflict with other tools that set firewall rules.



If sudo ufw status returns "inactive", it means ufw has been disabled (and won't, for example, re-apply any rules at startup). You need to ensure ufw is enabled with sudo ufw enable, though you also need to configure rules for this to have meaning. If you are sure you have enabled ufw but it returns "inactive" there could be some other issue.



Note that "starting" the service doesn't enable ufw, it just activates the start-up script. If ufw is disabled when the start-up script runs it won't do anything.



You can tell if your firewall rules have been applied at any given time using iptables directly:



sudo iptables -L
sudo ip6tables -L
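Added example, not part of thomasrutter's answer and not code from ufw itself: a POSIX sh script that turns the answer's three distinctions into a check you can run on a host. It reads the enable flag in /etc/ufw/ufw.conf (what `ufw enable` sets), checks from `iptables -S` whether ufw's own chains are actually hooked into netfilter, takes what systemd reports for ufw.service into account, and lists the rules in the built-in chains that ufw did not install, which is exactly the conflict the question worries about. The sample outputs are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu answer): classify the real state of ufw
# from the three observations the answer distinguishes, and list hand-added
# iptables rules that ufw will not preserve. The sample data below is constructed
# so the logic runs offline; the --live branch shows the real commands (root
# needed for iptables).

# ENABLED=yes|no in /etc/ufw/ufw.conf is the flag that `ufw enable`/`ufw disable`
# toggle; the ufw.service start script loads nothing when it is "no".
#   $1: contents of /etc/ufw/ufw.conf
ufw_conf_enabled() {
    printf '%s\n' "$1" | sed -n 's/^ENABLED=//p' | tail -n 1
}

# Count the jumps from the built-in chains into ufw's own ufw-* chains in
# `iptables -S` output. Zero means ufw's rule set is not wired into netfilter,
# whatever systemctl says: ufw.service is a oneshot unit with RemainAfterExit,
# so it shows "active (exited)" once its script has run, even if it did nothing.
#   $1: `iptables -S` output
ufw_hook_count() {
    printf '%s\n' "$1" | grep -c -E '^-A (INPUT|OUTPUT|FORWARD) -j ufw-' || true
}

# Rules sitting directly in INPUT/OUTPUT/FORWARD that are not jumps into ufw-*
# chains. Assumption about ufw's layout: ufw keeps its rules inside ufw-* chains
# and only places jumps in the built-in chains, so anything else there came from
# another tool or from hand-typed iptables commands, i.e. the rules the answer
# warns will be overwritten when ufw applies its own.
#   $1: `iptables -S` output
foreign_rules() {
    printf '%s\n' "$1" | grep -E '^-A (INPUT|OUTPUT|FORWARD) ' | grep -v -e '-j ufw-' || true
}

# One-word verdict from the three observations.
#   $1: `systemctl is-active ufw.service` output (active/inactive/failed)
#   $2: contents of /etc/ufw/ufw.conf
#   $3: `iptables -S` output
ufw_state() {
    enabled=$(ufw_conf_enabled "$2")
    hooks=$(ufw_hook_count "$3")
    if [ "$enabled" = "yes" ] && [ "$hooks" -gt 0 ]; then
        echo "enforcing"             # enabled and its chains are hooked in
    elif [ "$enabled" = "yes" ] && [ "$1" = "active" ]; then
        echo "enabled-rules-missing" # unit ran, yet no ufw hooks: investigate
    elif [ "$enabled" = "yes" ]; then
        echo "enabled-not-started"   # `ufw enable` was run, unit has not started
    elif [ "$hooks" -gt 0 ]; then
        echo "disabled-stale-hooks"  # ENABLED=no but ufw-* jumps still present
    else
        echo "disabled"              # `ufw status` says inactive; any rules are not ufw's
    fi
}

# Constructed sample observations (not captured from a real host).
SAMPLE_UNIT="active"
SAMPLE_CONF='# /etc/ufw/ufw.conf
ENABLED=yes
LOGLEVEL=low'
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-user-input
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    # Real collection; check `ip6tables -S` the same way for IPv6.
    unit=$(systemctl is-active ufw.service || true)
    conf=$(cat /etc/ufw/ufw.conf)
    rules=$(iptables -S)
    echo "ufw.service=$unit verdict=$(ufw_state "$unit" "$conf" "$rules")"
    echo "rules ufw did not install:"; foreign_rules "$rules"
else
    echo "verdict=$(ufw_state "$SAMPLE_UNIT" "$SAMPLE_CONF" "$SAMPLE_RULES")"
    echo "rules ufw did not install:"; foreign_rules "$SAMPLE_RULES"
fi
```

Run it as `sh ufw-state.sh --live` on the host to use the real observations; without the flag it runs against the constructed sample.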
answered Nov 5 at 5:12 by thomasrutter; edited Nov 5 at 5:33
  • Note: I personally don't use ufw, I use a package called netfilter-persistent which allows you to write up native iptables rules into a file and have them re-applied at boot. At boot, it essentially does what ufw does: runs a start script which applies the configuration. The difference is it's not translating from its own simplified syntax, it's merely sending the iptables commands directly to iptables.
    – thomasrutter
    Nov 5 at 5:32

  • Lots of good stuff there. Thanks. On this: "If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own." Does ufw actively delete all existing iptables rules? Or are you just saying with ufw in the picture, you can't rely on iptables commands/rules taking effect because they might get overwritten by ufw?
    – gwideman
    Nov 5 at 7:44

  • Also to thomas: "netfilter-persistent" > does that relate to iptables-persistent?
    – gwideman
    Nov 5 at 7:46

  • Yes, that's what it used to be called. If your Ubuntu version has both, then the iptables-persistent package will probably just be a transitional package to give people from older versions an upgrade path.
    – thomasrutter
    Nov 5 at 10:09

  • Sorry if I confused you mentioning resolv.conf, I was just using it as an example of another piece of configuration in Ubuntu which might be controlled by some other service overriding any changes you make directly. It's not connected.
    – thomasrutter
    Nov 6 at 13:07
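The answer above says to check the real rule set with `iptables -L` rather than trusting what systemd reports for ufw.service, and the comment thread asks how your own iptables rules fare alongside ufw. The script below is an added example (it is not from the answer or from the ufw project) that makes both checks concrete by parsing `iptables -S` output: when ufw is enabled it creates chains named ufw-* and makes the built-in INPUT chain jump into them, so the presence of `-A INPUT -j ufw-...` lines is the signal that ufw's rules are actually loaded, whatever ufw.service's state. A second function lists INPUT rules that are not ufw jumps, which is where hand-added rules would show up if they survived. The two rule listings embedded in the script are constructed samples (trimmed, not captured from a real host); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer: decide from `iptables -S`
# output whether ufw's rule set is loaded in the kernel, and list any INPUT
# rules that ufw did not put there.

# Reads `iptables -S` (or `ip6tables -S`) output on stdin and prints one line:
#   "ufw-applied <INPUT policy>"      if INPUT jumps into ufw-* chains
#   "ufw-not-applied <INPUT policy>"  otherwise
ufw_applied_from_rules() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        # ufw wires INPUT into its own chains with plain jumps:
        #   -A INPUT -j ufw-before-input   (and several siblings)
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && $4 ~ /^ufw-/ { jumps++ }
        END {
            if (policy == "") policy = "unknown"
            if (jumps > 0) print "ufw-applied " policy
            else           print "ufw-not-applied " policy
        }'
}

# Reads the same input and prints every INPUT rule that is not a jump into a
# ufw-* chain, i.e. rules added by something other than ufw (hand-run
# iptables commands, other tools). Prints nothing if there are none.
non_ufw_input_rules() {
    awk '$1 == "-A" && $2 == "INPUT" && !($3 == "-j" && $4 ~ /^ufw-/)'
}

# Runs the check against the live kernel tables. Needs root; on failure it
# says so instead of reporting a misleading "not applied".
ufw_applied_live() {
    for cmd in iptables ip6tables; do
        command -v "$cmd" >/dev/null 2>&1 || continue
        if out=$("$cmd" -S 2>/dev/null); then
            printf '%s: ' "$cmd"
            printf '%s\n' "$out" | ufw_applied_from_rules
        else
            printf '%s: could not read rules (run as root)\n' "$cmd"
        fi
    done
}

# Constructed sample: ufw disabled. No ufw-* chains, default ACCEPT policy.
SAMPLE_UFW_DISABLED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample, trimmed: ufw enabled with "ufw allow 22/tcp", plus one
# rule on port 8080 that was added to INPUT by hand, outside ufw.
SAMPLE_UFW_ENABLED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

# Demonstration on the constructed samples (no root needed).
printf 'disabled sample: '
printf '%s\n' "$SAMPLE_UFW_DISABLED" | ufw_applied_from_rules
printf 'enabled sample:  '
printf '%s\n' "$SAMPLE_UFW_ENABLED" | ufw_applied_from_rules
printf 'non-ufw INPUT rules in enabled sample:\n'
printf '%s\n' "$SAMPLE_UFW_ENABLED" | non_ufw_input_rules
```

To check a real machine, source the script and call `ufw_applied_live` as root, or pipe `sudo iptables -S` into `ufw_applied_from_rules` directly. Reading `-S` rather than `-L` is deliberate: `-S` prints rules in iptables' own command syntax, which is stable and trivially parseable, whereas `-L` output is formatted for humans and changes shape with `-n`, `-v` and terminal width.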
