What are the advantages of ufw, is it really needed?

I am quite familiar with iptables and I find iptables -L -v easy enough to read. Backing up is easy and I am happy with that.

However, in recent versions of Ubuntu there is ufw, which quite pollutes iptables. Instead of a clean list of rules I have plenty of not-easy-to-read rules:

$ iptables -L -v
Chain INPUT (policy DROP 6114 packets, 331K bytes)
 pkts bytes target     prot opt in     out     source               destination
 131K   76M ufw-before-logging-input  all  --  any    any     anywhere             anywhere
 131K   76M ufw-before-input  all  --  any    any     anywhere             anywhere
 6618  368K ufw-after-input  all  --  any    any     anywhere             anywhere
 6191  346K ufw-after-logging-input  all  --  any    any     anywhere             anywhere
 6191  346K ufw-reject-input  all  --  any    any     anywhere             anywhere
 6191  346K ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 390K  324M ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
 390K  324M ufw-before-forward  all  --  any    any     anywhere             anywhere
    4  2160 ufw-after-forward  all  --  any    any     anywhere             anywhere
    4  2160 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
    4  2160 ufw-reject-forward  all  --  any    any     anywhere             anywhere
    4  2160 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
 326K  317M ufw-before-logging-output  all  --  any    any     anywhere             anywhere
 326K  317M ufw-before-output  all  --  any    any     anywhere             anywhere
  164 14960 ufw-after-output  all  --  any    any     anywhere             anywhere
  164 14960 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
  164 14960 ufw-reject-output  all  --  any    any     anywhere             anywhere
  164 14960 ufw-track-output  all  --  any    any     anywhere             anywhere
...

From this perspective, I don't really understand the purpose of ufw. It seems to add complexity over iptables with no real advantages.

Am I wrong?


Solution 1:

If you know iptables, if you find iptables -L -v easy enough to read and if you prefer it, then you don't need ufw.

iptables works with the tables of packet filter rules in the Linux kernel. The tables, chains and rules you can create constitute a tool that is powerful and flexible, but often intimidating and not quite intuitive. With them advanced things are possible but basic things are not always as easy as novice users (or users in general) would like them to be.

Here enters ufw (or another similar tool) as an extra layer on top of iptables. It makes basic things easy, but does not necessarily allow advanced things. Anyone who prefers GUI can use gufw. Ubuntu ships ufw because it targets users who may not be interested in how things work under the hood. They want a simple interface similar to what they have seen in Windows or in HTTP interfaces of their home routers. Advanced users may deactivate ufw and use iptables "manually".

The purpose of ufw is to have a simple front end. For the average Joe this front end is simpler than any equivalent "clean list of rules" you can create in iptables. The "plenty of not-easy-to-read rules" ufw actually creates are now the back end. You're right that ufw adds complexity, but Joe never sees it.

Once you decide to use ufw (or to keep using it, if it's there by default), you should not care about the back end. Treat the back end as an internal part of the tool that provides the front end.

If you want iptables to be your front end then don't use ufw, because ufw puts itself "more in front".
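An added illustration of the front end / back end split described in the answer above (example code, not part of the original question or answer). ufw keeps the rules you type with `ufw allow ...` / `ufw deny ...` in its `ufw-user-input`, `ufw-user-output` and `ufw-user-forward` chains; everything else in the `iptables -L` listing is the framework ufw builds around them. The script below takes an `iptables-save` dump (a constructed, trimmed sample is embedded so it runs offline), pulls out only the user chains, and prints each rule back in an approximation of the `ufw status` syntax. The rule-to-ufw translation is a simplification written for this example (it only understands `-p`, `--dport`, `-s` and `-j`), not ufw's own code.

```shell
#!/bin/sh
# Added example: recover the "front end" view from ufw's iptables back end.
# Assumption (ufw on Ubuntu): rules entered with `ufw allow/deny/reject` are
# appended to the chains ufw-user-input / ufw-user-output / ufw-user-forward.

# Constructed sample of `iptables-save` output, trimmed to the filter table.
SAMPLE_DUMP='*filter
:INPUT DROP [6114:331000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:52]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -i lo -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 53 -j DROP
-A ufw-user-input -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Keep only the rules that live in ufw's user chains; drop the framework.
ufw_user_rules() {
    printf '%s\n' "$1" | grep -E '^-A ufw-user-(input|output|forward) '
}

# Number of user rules in a dump (handy for comparing a host against a baseline).
ufw_user_rule_count() {
    ufw_user_rules "$1" | wc -l | tr -d ' '
}

# Translate one "-A ufw-user-... " rule into ufw-style wording.
# Simplified parser for this example: understands -p, --dport, -s and -j only.
describe_rule() {
    set -- $1
    proto=any; port=""; src=""; target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p)      proto=$2;  shift ;;
            --dport) port=$2;   shift ;;
            -s)      src=$2;    shift ;;
            -j)      target=$2; shift ;;
        esac
        shift
    done
    case "$target" in
        ACCEPT) action=allow ;;
        DROP)   action=deny ;;
        REJECT) action=reject ;;
        *)      action=$target ;;
    esac
    if [ -z "$src" ]; then
        printf '%s %s/%s\n' "$action" "$port" "$proto"
    else
        printf '%s from %s to any port %s proto %s\n' "$action" "$src" "$port" "$proto"
    fi
}

# Whole dump -> one ufw-style line per user rule, in chain order.
ufw_rules_as_front_end() {
    ufw_user_rules "$1" | while IFS= read -r line; do
        describe_rule "$line"
    done
}

# Stand-alone run on the constructed sample.
ufw_rules_as_front_end "$SAMPLE_DUMP"
```

On a live host the equivalent of `ufw_rules_as_front_end "$(sudo iptables-save)"` is simply `sudo ufw status numbered`, which is the front end the answer recommends you stay with; the script is only useful when you want to check what ufw wrote into the back end without reading the whole `iptables -L -v` listing.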