Ubuntu – UFW: what exactly is it

Tags: firewall, iptables, ufw

What is UFW? You would think this is an easy question, but the more sources I read, the less clear it gets.

The acronym spells out to Uncomplicated FireWall, as though ufw actually implements a firewall itself. And indeed in many places it is referred to as a firewall per se, such as in this article.

The Ubuntu help wiki page on UFW says that UFW is a configuration tool for iptables. (In turn, the help wiki page on firewalls says that iptables is the database of firewall rules, and that it is also the actual firewall, as though a database is a firewall, which is obviously false. And of course 'iptables' is also the name of a program.)

If ufw is a configuration tool, then we might expect it to be a program that you run to configure something, and once done, you quit with the config having been established. That's the position of this question's accepted answer: Is Uncomplicated FireWall (ufw) a service?

But other answers on that question disagree — no, it's a service. And indeed on my 18.04 machine, I see that ufw is running as a service! Why the heck does a configuration tool run as a service?!

Further, systemctl list-units --all --type=service shows ufw.service is loaded and active (and also exited?!) yet ufw status shows inactive.

So what does ufw status = inactive mean?

  1. That "the firewall" (whatever that is) is inactive? That's what the ufw man page doc for 'status' would suggest.

  2. Or does it mean that the rules configured in ufw are inactive (but others configured in iptables are active)?

  3. Or does it mean that ufw started on bootup, instated its rules into ipconfig (or wherever they go) so that they are now in effect, and now ufw has nothing to do so it's inactive?

Of particular interest: I want to follow some instructions that require issuing some iptables commands, but am concerned that they will conflict with, or be overwritten by, the ufw apparatus.

Best Answer

ufw is a front-end for netfilter/iptables, the Linux mechanism for routing and filtering internet traffic.

ufw is completely optional and it's possible to create firewall and routing tables directly using the iptables commands. Some people prefer the syntax of ufw, which is supposed to make it a bit easier.

ufw itself is not the firewall, it's a tool for setting the configuration of netfilter/iptables. It is registered as a service because it needs to be run every time your machine starts up. I don't believe it stays resident in memory after it has done this configuration. "Restarting" the service simply re-runs its scripts. It is not unusual for things in Linux distributions to be registered as services even though they are merely scripts that run at boot or shutdown without staying resident in between.

If you use ufw you can't set your own iptables rules using your own scripts, as they will be overwritten when ufw sets its own. This also means that ufw can conflict with other tools that set firewall rules.

If sudo ufw status returns "inactive", it means ufw has been disabled (and won't, for example, re-apply any rules at startup). You need to ensure ufw is enabled with sudo ufw enable, though you also need to configure rules for this to have meaning. If you are sure you have enabled ufw but it returns "inactive" there could be some other issue.

Note that "starting" the service doesn't enable ufw, it just activates the start-up script. If ufw is disabled when the start-up script runs it won't do anything.

You can tell if your firewall rules have been applied at any given time using iptables directly:

sudo iptables -L
sudo ip6tables -L
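The answer's last point, checking the live tables rather than trusting ufw status or systemd, can be turned into a small script. The following is an added example, not part of the original answer: it reads iptables -S output and reports whether ufw's own chains are hooked into the built-in INPUT chain (ufw installs chains named ufw-before-input, ufw-user-input and so on from its rule files), and lists any rules in INPUT/FORWARD/OUTPUT that do not belong to ufw, i.e. the hand-written rules the question is worried about. The two sample rule dumps are constructed for illustration; the --live mode runs the real iptables -S and therefore needs root. Note that "active (exited)" in systemctl is what a oneshot unit with RemainAfterExit looks like, which is why ufw.service can show active while ufw status says inactive.

```shell
#!/bin/sh
# Added example (not from the original answer): inspect netfilter state
# directly instead of relying on `ufw status` or `systemctl status ufw`.

# Constructed sample of `iptables -S` on a host where ufw is enabled.
# The ufw-* chain names are the ones ufw installs; the rules are abbreviated.
SAMPLE_UFW_ON='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-input
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample from a host where ufw is disabled and someone added
# one rule by hand with the iptables command.
SAMPLE_UFW_OFF='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

# ufw_loaded DUMP: prints "yes" when ufw's chains are wired into INPUT
# (the rule set is really in the kernel), "no" otherwise.
ufw_loaded() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -j ufw-' && echo yes || echo no
}

# foreign_rules DUMP: prints rules in the built-in chains that do not jump
# into a ufw chain. These are the rules the answer warns may be overwritten
# when ufw re-applies its configuration. Prints nothing if there are none.
foreign_rules() {
    printf '%s\n' "$1" \
        | grep -E -- '^-A (INPUT|FORWARD|OUTPUT) ' \
        | grep -v -- '-j ufw-' || true
}

if [ "${1:-}" = "--live" ]; then
    # Real check: needs root, reads the current IPv4 tables.
    dump=$(iptables -S)
    echo "ufw rules loaded in netfilter: $(ufw_loaded "$dump")"
    echo "rules not managed by ufw:"
    foreign_rules "$dump"
else
    echo "sample (ufw enabled):  $(ufw_loaded "$SAMPLE_UFW_ON")"
    echo "sample (ufw disabled): $(ufw_loaded "$SAMPLE_UFW_OFF")"
    echo "non-ufw rules in disabled sample:"
    foreign_rules "$SAMPLE_UFW_OFF"
fi
```

Run it without arguments to see the two constructed cases, or as root with --live to inspect the host; repeat the --live dump with ip6tables -S for IPv6, since ufw manages both tables.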