What are the advantages of ufw, is it really needed?
I am familiar enough with iptables and I find iptables -L -v easy enough to read. Backing up is easy and I am happy with that.
However, in recent versions of Ubuntu there is ufw, which quite pollutes iptables. Instead of a clean list of rules I have plenty of not-easy-to-read rules:
$ iptables -L -v
Chain INPUT (policy DROP 6114 packets, 331K bytes)
pkts bytes target prot opt in out source destination
131K 76M ufw-before-logging-input all -- any any anywhere anywhere
131K 76M ufw-before-input all -- any any anywhere anywhere
6618 368K ufw-after-input all -- any any anywhere anywhere
6191 346K ufw-after-logging-input all -- any any anywhere anywhere
6191 346K ufw-reject-input all -- any any anywhere anywhere
6191 346K ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
390K 324M ufw-before-logging-forward all -- any any anywhere anywhere
390K 324M ufw-before-forward all -- any any anywhere anywhere
4 2160 ufw-after-forward all -- any any anywhere anywhere
4 2160 ufw-after-logging-forward all -- any any anywhere anywhere
4 2160 ufw-reject-forward all -- any any anywhere anywhere
4 2160 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
326K 317M ufw-before-logging-output all -- any any anywhere anywhere
326K 317M ufw-before-output all -- any any anywhere anywhere
164 14960 ufw-after-output all -- any any anywhere anywhere
164 14960 ufw-after-logging-output all -- any any anywhere anywhere
164 14960 ufw-reject-output all -- any any anywhere anywhere
164 14960 ufw-track-output all -- any any anywhere anywhere
...
From this perspective, I don't really understand the purpose of ufw. It seems to add complexity over iptables with no real advantages.
Am I wrong?
Solution 1:
If you know iptables, if you find iptables -L -v easy enough to read and if you prefer it, then you don't need ufw.
iptables works with the tables of packet filter rules in the Linux kernel. The tables, chains and rules you can create constitute a tool that is powerful and flexible, but often intimidating and not quite intuitive. With them advanced things are possible but basic things are not always as easy as novice users (or users in general) would like them to be.
Here enters ufw (or another similar tool) as an extra layer on top of iptables. It makes basic things easy, but does not necessarily allow advanced things. Anyone who prefers a GUI can use gufw. Ubuntu ships ufw because it targets users who may not be interested in how things work under the hood. They want a simple interface similar to what they have seen in Windows or in the HTTP interfaces of their home routers. Advanced users may deactivate ufw and use iptables "manually".
The purpose of ufw is to have a simple front end. For average Joe this front end is simpler than any equivalent "clean list of rules" you can create in iptables. The "plenty of not easy to read rules" ufw actually creates are now the back end. You're right, ufw adds complexity, but Joe never sees it.
Once you decide to use ufw (or to keep using it, if it's there by default), you should not care about the back end. Treat the back end as an internal part of the tool that provides the front end.
If you want iptables to be your front end then don't use ufw, because ufw puts itself "more in front".
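As an added example that is not part of either post: a small parser for the iptables -L -v listing shown in the question. It groups rules by chain and, for each chain, counts how many entries are jumps into ufw's back-end chains, so the "polluted" listing can still be audited (which chain has which policy, and which rules are your own rather than ufw's). The sample input is constructed from the question's output plus one made-up ufw back-end chain; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample of `iptables -L -v` output, modelled on the listing in the
# question, plus one ufw back-end chain (user-defined chains show "(N references)").
SAMPLE = """\
Chain INPUT (policy DROP 6114 packets, 331K bytes)
 pkts bytes target prot opt in out source destination
 131K 76M ufw-before-logging-input all -- any any anywhere anywhere
 131K 76M ufw-before-input all -- any any anywhere anywhere
 6618 368K ufw-after-input all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target prot opt in out source destination
 326K 317M ufw-before-logging-output all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
 pkts bytes target prot opt in out source destination
 12 840 ACCEPT all -- lo any anywhere anywhere
 98K 70M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_listing(text):
    """Map chain name -> {"policy": str or None (user chain), "rules": [dict per rule]}."""
    chains = OrderedDict()
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue  # blank line or the column-header row
        # Trailing match text (e.g. "ctstate RELATED,ESTABLISHED") is kept as one
        # string; rules printed with an empty target column are not handled.
        rule = dict(zip(COLUMNS, fields[:9]))
        rule["extra"] = " ".join(fields[9:])
        chains[current]["rules"].append(rule)
    return chains

def ufw_jumps(chains, chain):
    """Targets in `chain` that jump into ufw's back-end chains."""
    return [r["target"] for r in chains[chain]["rules"] if r["target"].startswith("ufw-")]

def summarize(chains):
    """Per chain: policy, rule count, and how many of the rules are ufw jumps."""
    return {name: {"policy": d["policy"], "rules": len(d["rules"]),
                   "ufw_jumps": len(ufw_jumps(chains, name))} for name, d in chains.items()}
```

On a live system, feed it the output of `iptables -L -v` (filter table only; other tables need `-t`).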