Ubuntu – Is Uncomplicated FireWall (ufw) a service


I am currently studying iptables and ufw on Ubuntu server. While playing with them I came across an ambiguity about the true nature of the ufw.

Here is the problem:

  • When I run sudo ufw status in terminal, the output is Status: inactive.

  • But when I run sudo service ufw status the output is ufw start/running.

Also ufw does not appear in the services list when I run service --status-all.

So my questions are:

  1. Is ufw a service?
    • If yes, why it does not appear in the services list?
    • If no, why the terminal answers when I ask about it's status as a service?
  2. What is the difference between sudo ufw status and sudo service ufw status? And why I get different outputs for them?

Best Answer

ufw is an uncomplicated configuration tool for firewalls. It is designed to be usable by people who have no experience with firewalls or want an uncomplicated way to modify the underlying iptables and netfilter rulesets.

For example:

ufw allow all port 22 traffic (UDP and TCP):

ufw allow 22

iptables allow port 22 traffic (UDP and TCP):

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -j ACCEPT

Comparatively, ufw permits users to modify the basic firewall needs with limited knowledge of iptables or such.

It in and of itself only modifies iptables / netfilter rules when 'enabled'. It does not run as its own process, in that sense, because the rules it applies are updated on the fly; I am fairly certain it doesn't continue to 'run'.

The only way I would consider ufw to be a service is in that, at boot time, it may be able to restore whatever rules are defined in it. However, iptables-persistent does the same thing, and is not really a service, therefore I do not consider ufw a service, as such, as to determine if ufw (that is, the actual firewall rules) are being enforced is with ufw status.

As per the Community Help Documentation on ufw, it says nothing about ufw being a service, which seems to support this.

And through testing, I have confirmed that ufw is just a less complicated way to 'configure' firewall rules - the real magic of ufw is that it sets up iptables / netfilter rules which you can then see with iptables -L when ufw is enabled.

Related Question