firewalld vs ufw

Brucehankins

So as the title says, what are the benefits of one over the other and what is the set up like, specifically on Solus? I'm familiar with both, using ufw and gufw on Solus previously and firewalld is the default on a few distros I've driven. From what I can tell, I like the applets and such with firewalld. Is there anything specific that needs to be done with config files on Solus or is it as simple to get up and running as gufw?
Generally, does one provide any added benefit over the other if you are just going for basic installation and set-up?

brent

if I just set ufw deny all incoming and forget about it then it's a measure of security I guess...and all I personally want from an app until I specify exclusions. no config files.

another question could be--I get this impression from reading--is while they may act as frontend/or interact with/or friends with IPTables....IPtables may not also be friends with them. I've read IPTables rules can be overwritten by these apps sometimes and sometimes IPTables have their own rules they have to abide by anyways. So now systemd comes into play. I read too much. That is when you now have seperate config files working in concert or not in concert. potential for conflicts is there but probaby is there for everything.

Brucehankins

brent Yeah, that's why I liked ufw on Solus, with GUFW I just set it for home, public, and private and selected the one I needed at the time. I'm intrigued to see what the more knowledgeable members of our community have to say about it. from a purely visual side, I prefer the look of the firewalld-applet and how it flows with the Plasma desktop. I've never tried it on Solus (yet, it will probably be installed soon) and I wasn't sure if it's packaged or pre-configured differently than it would be on something like MX or EOS.

EbonJaeger

Brucehankins I wasn't sure if it's packaged or pre-configured differently than it would be on something like MX or EOS.

The default rule setup should be the same set that EndeavourOS uses.

Harvey

ufw / gufw use iptables so yeah, they can overwrite each other because they are doing the same thing.

firewalld / firwalld-applet uses the newer nftables which to quote wikipedia:

replaces the legacy iptables portions of Netfilter. Among the advantages of nftables over iptables is less code duplication and easier extension to new protocols. nftables is configured via the user-space utility nft, while legacy tools are configured via the utilities iptables, ip6tables, arptables and ebtables frameworks.

Source: https://en.wikipedia.org/wiki/Nftables

In other words nftables is a better designed / unified / simplified iptables replacement. But if you are not using them directly and use firewalld* or *ufw the benefit is not so clear to the end user.

From what I understand ufw can be made to use nftables but that is something we would need to address and probably should in the future as its less to maintain.

So it should be clear that it really doesn't matter what you use as at the end of the day its doing the same thing.

Brucehankins

penny-farthing yeah, I've used ufw and gufw for a while now on Linux and have had very few issues. I was more curious because I've seen more distros including firewalld now as default and it seems pretty straightforward.

Harvey thanks for the great explainer on this!

penny-farthing

As far as I'm concerned, I don't know firewalld, I've been using ufw as a firewall since I chose Linux as my default operating system. I found this procedure (in French):
https://www.leshirondellesdunet.com/pare-feu-ufw
giving simple instructions for configuring it correctly and it suits me for my daily use.

brent

Brucehankins If I cut and paste all the in-depth, well-explained, and vital forum responses of @Harvey 's over the years and put them in a linux book I swear I could rule the world🙂. Or without the hyperbole: he has improved my Linux Kung Fu greatly

Brucehankins

brent I know I wouldn't be doing the stuff I am today without Harvey, Algent, Staudey, and all the other team members who've helped me along the way.

jppelt

Personally, hoping that safing.io portmaster gets into the Solus package list 🙂 It is SOOOO good.

palto42

Since I'm using Ubuntu 22.04 on my home server which is supposed to use nftables by default, I was curious if my ufw config on that server now configured legacy iptables or new nftables.
After some Google search I found this interesting [post from RedHat] (https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables).

In short, there is a new flavor of iptables which uses the nftables backend!

If you do iptables -V you will see the difference. On Solus I get the output iptables v1.8.7 (legacy) but on Ubuntu 22.04 it shows iptables v1.8.7 (nf_tables).