Ubuntu – UFW: what exactly is it

firewalliptablesufw

What is UFW? You would think this is an easy question, but the more sources I read, the less clear it gets.

The acronym spells out to Uncomplicated FireWall, as though ufw actually implements a firewall itself. And indeed in many places it is referred to as a firewall per se, such as in this article.

The Ubuntu help wiki page on UFW says that UFW is a configuration tool for iptables. (In turn, the help wiki page on firewalls says that iptables is the database of firewall rules, and that it is also the actual firewall, as though a database is a firewall, which is obviously false. And of course 'iptables' is also the name of a program.)

If ufw is a configuration tool, then we might expect it to be a program that you run to configure something, and once done, you quit with the config having been established. That's the position of this question's accepted answer: Is Uncomplicated FireWall (ufw) a service?

But other answers on that question disagree — no, it's a service. And indeed on my 18.04 machine, I see that ufw is running as a service! Why the heck does a configuration tool run as a service?!

Further, systemctl list-units --all --type=service shows ufw.service is loaded and active (and also exited?!) yet ufw status shows inactive.

So what does ufw status = inactive mean?

That "the firewall" (whatever that is) is inactive? That's what the ufw man page doc for 'status' would suggest.
Or does it mean that the rules configured in ufw are inactive (but others configured in iptables are active)?
Or does it mean that ufw started on bootup, instated its rules into ipconfig (or wherever they go) so that they are now in effect, and now ufw has nothing to do so it's inactive?

Of particular interest: I want to follow some instructions that require issuing some iptables commands, but am concerned that they will conflict with, or be overwritten by, the ufw apparatus.

Best Answer

ufw is a front-end for netfilter/iptables, the Linux mechanism for routing and filtering internet traffic.

ufw is completely optional and it's possible to create firewall and routing tables directly using the iptables commands. Some people prefer the syntax of ufw, which is supposed to make it a bit easier.

ufw itself is not the firewall, it's a tool for setting the configuration of netfilter/iptables. It is registered as a service because it needs to be run every time your machine starts up. I don't believe it stays resident in memory after it has done this configuration. "restarting" the service simply re-runs its scripts. It is not unusual for things in Linux distributions to be registered as services even though they are merely scripts that run at boot or shutdown without staying resident in between.

If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own. This also means that ufw can conflict with other tools that set firewall rules.

If sudo ufw status returns "inactive", it means ufw has been disabled (and won't, for example, re-apply any rules at startup). You need to ensure ufw is enabled with sudo ufw enable, though you also need to configure rules for this to have meaning. If you are sure you have enabled ufw but it returns "inactive" there could be some other issue.

Note that "starting" the service doesn't enable ufw, it just activates the start-up script. If ufw is disabled when the start-up script runs it won't do anything.

You can tell if your firewall rules have been applied at any given time using iptables directly:

sudo iptables -L
sudo ip6tables -L

Related Solutions

Ubuntu – See configured rules even when inactive

There is currently not a way to show the rules you have entered before enabling the firewall via the CLI command. You can inspect the rules files directly however. /lib/ufw/user*.rules contain the rules controlled via the 'ufw' CLI command. Eg:

 $ sudo grep '^### tuple' /lib/ufw/user*.rules

This will show output like the following (for the rule added with 'sudo ufw allow OpenSSH):

 /lib/ufw/user.rules:### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 OpenSSH - in

The 'tuple' is the shorthand used internally by ufw to keep track of rules, and can be interpreted as one of these:

 ### tuple ### <action> <proto> <dst port> <dst> <src port> <src> <direction>
 ### tuple ### <action> <proto> <dst port> <dst> <src port> <src> <dst app name> <src app name> <direction>

It might be useful to be able to add another status command to support this. Please consider filing a bug.

Ubuntu – What rules to use for UFW

If you've set ufw to enabled then you've enabled the preset rules, so it means ufw (via iptables) is actively blocking packets.

If you want more details, run

sudo ufw status verbose

and you will see something like this

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

which basically means that all incoming is denied and all outgoing allowed. It's a bit more complicated than that (for example ESTABLISHED - requested - packets are allowed in), and if you're interested in the full set of rules, see the output of sudo iptables -L.

If you have a public IP, you can use an online test to get an idea how good the filtering is, for example www.grc.com (look for ShieldsUP) or nmap-online.

You should also see messages about blocked/allowed packets in logs (/var/log/syslog and /var/log/ufw.log).

Best Answer

Related Solutions

Ubuntu – See configured rules even when inactive

Ubuntu – What rules to use for UFW

Related Question