Introduction
Every Linux system connected to a network needs a firewall. Firewalls control which network traffic is allowed to enter or leave a machine, helping protect servers, desktops, laptops, and embedded systems from unauthorized access.
Modern Linux systems use the Linux kernel’s Netfilter framework for packet filtering and firewall functionality. Over the years, several tools have been developed to manage Netfilter:
- iptables
- nftables
- firewalld
- UFW (Uncomplicated Firewall)
While these tools all interact with the same underlying kernel networking framework, they differ significantly in complexity, features, and intended use.
This article explores nftables, firewalld, and UFW in depth, explaining what they are, how they work, and when you should use each one.
The Foundation: Netfilter
Before discussing firewall management tools, it’s important to understand Netfilter.
Netfilter is a subsystem built directly into the Linux kernel.
Its responsibilities include:
- Packet filtering
- Network Address Translation (NAT)
- Connection tracking
- Packet mangling
- Traffic logging
The architecture looks like:
Applications
|
v
Firewall Management Tool
|
v
Netfilter
|
v
Linux Kernel
|
v
Network Interface
The firewall tools merely configure rules. The actual packet processing occurs inside the kernel.
Why iptables Was Replaced
For many years, iptables was the standard firewall interface.
Although powerful, it had limitations:
- Complex syntax
- Multiple rule tables
- Difficult management of large configurations
- Performance issues with large rule sets
- Separate handling of IPv4 and IPv6
As Linux networking evolved, developers created nftables as the successor.
What Is nftables?
nftables is the modern packet filtering framework introduced into Linux to replace iptables.
It became available in Linux kernel 3.13 and is now the recommended firewall technology on most modern distributions.
The user-space command is:
nft
Why nftables Was Created
The goals were:
- Simpler syntax
- Better performance
- Unified IPv4 and IPv6 handling
- Easier rule management
- More flexible packet matching
- Reduced code duplication
Instead of maintaining multiple separate tools:
iptables
ip6tables
arptables
ebtables
nftables combines everything into one framework.
nftables Architecture
nftables uses:
Tables
|
v
Chains
|
v
Rules
The hierarchy is very similar to iptables, but with greater flexibility.
Example:
table inet filter
chain input
rule
nftables Families
A family determines what traffic a table handles.
Common families:
ip -> IPv4
ip6 -> IPv6
inet -> IPv4 + IPv6
arp -> ARP
bridge -> Ethernet bridging
Most modern configurations use:
inet
because it handles both IPv4 and IPv6.
Creating a Basic nftables Firewall
Create a table:
sudo nft add table inet filter
Create an input chain:
sudo nft add chain inet filter input \
'{ type filter hook input priority 0 ; }'
Allow SSH:
sudo nft add rule inet filter input \
tcp dport 22 accept
View rules:
sudo nft list ruleset
Example nftables Ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept
        tcp dport 80 accept
        tcp dport 443 accept
    }
}
This configuration:
- Drops all traffic by default
- Allows established connections
- Allows loopback traffic
- Allows SSH
- Allows HTTP
- Allows HTTPS
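As an added example (not the article's own ruleset), the same policy as a script that emits a complete inet ruleset to a file, checks it with nft -c before touching the live firewall, then loads it atomically. It assumes the nft binary is installed and that the apply step runs as root; it also adds the ICMP/ICMPv6 rules and a port set that a practitioner would want, which the short ruleset above leaves out.

```shell
#!/bin/sh
# Added example, not from the article: emit a complete inet ruleset, syntax-check
# it with `nft -c -f`, then load it atomically with `nft -f`.
# Assumes the nft binary is installed and the apply step runs as root.
set -eu
RULESET_FILE="${RULESET_FILE:-/tmp/firewall.nft}"

# Emit the ruleset. `flush ruleset` at the top makes every load a full
# replacement, so re-running the script never duplicates rules.
gen_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP is needed for path MTU discovery; ICMPv6 also carries
        # neighbour discovery, without which IPv6 does not work at all.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # One rule covers every port in the set (a lookup, not a linear scan).
        tcp dport @tcp_services accept
        # Log what the default policy is about to drop, rate limited.
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Parse-check the file without touching the live ruleset, then load it.
apply_ruleset() {
    gen_ruleset > "$RULESET_FILE"
    nft -c -f "$RULESET_FILE"
    nft -f "$RULESET_FILE"
}

if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run it as sudo sh firewall.sh apply; without the argument it only defines the functions, so you can source it and inspect gen_ruleset output first.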
Advantages of nftables
Better Performance
nftables uses more efficient internal data structures.
Instead of scanning thousands of rules sequentially, it can use sets and maps.
Unified IPv4 and IPv6
A single table:
table inet filter
holds rules that apply to both protocols.
Cleaner Syntax
iptables:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
nftables:
tcp dport 22 accept
Much easier to read.
What Is firewalld?
firewalld is a firewall management service that acts as a higher-level interface to nftables.
Think of it like this:
firewalld
|
v
nftables
|
v
Netfilter
firewalld does not replace nftables.
Instead, it manages nftables automatically.
Why firewalld Exists
System administrators often found direct firewall rule management difficult.
firewalld provides:
- Simpler administration
- Dynamic updates
- Zone-based management
- Service definitions
- Runtime changes
without requiring knowledge of nftables syntax.
firewalld Zones
One of firewalld’s biggest features is the concept of zones.
Zones represent trust levels.
Examples:
public
home
work
internal
trusted
drop
block
A network interface can belong to a zone.
Example Zone Concept
Home Wi-Fi:
Zone: home
Coffee shop Wi-Fi:
Zone: public
Corporate network:
Zone: work
Each zone can have different firewall rules.
Common firewalld Commands
Check status:
sudo firewall-cmd --state
View active zones:
sudo firewall-cmd --get-active-zones
View allowed services:
sudo firewall-cmd --list-all
Allow SSH
sudo firewall-cmd \
--permanent \
--add-service=ssh
Reload:
sudo firewall-cmd --reload
Allow Web Traffic
sudo firewall-cmd \
--permanent \
--add-service=http
sudo firewall-cmd \
--permanent \
--add-service=https
Reload:
sudo firewall-cmd --reload
Open a Custom Port
Example:
sudo firewall-cmd \
--permanent \
--add-port=8080/tcp
Reload:
sudo firewall-cmd --reload
Runtime vs Permanent Rules
firewalld has two configurations.
Runtime:
Active immediately
Lost after reboot
Permanent:
Saved to disk
Survives reboot
Apply permanent changes:
sudo firewall-cmd --reload
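The runtime/permanent split is where configuration silently goes missing: a rule added without --permanent works until the next reload or reboot. As an added example (not part of the article or of firewalld itself), this script diffs a zone's runtime and permanent service and port lists and reports anything that exists only at runtime. It assumes firewall-cmd is installed for the live check; the sample outputs at the bottom are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the article: report entries that exist only in
# firewalld's runtime configuration and will vanish at the next reload/reboot.
# Assumes firewall-cmd when checking a live zone; sample outputs are constructed.
set -eu

# Turn `firewall-cmd --list-all` output into one sorted item per line,
# keeping only the services: and ports: fields.
list_items() {              # $1 = list-all output text
    printf '%s\n' "$1" | awk '
        /^  services:/ { for (i = 2; i <= NF; i++) print "service:" $i }
        /^  ports:/    { for (i = 2; i <= NF; i++) print "port:" $i }
    ' | sort
}

# Print items present at runtime but absent from the permanent configuration.
# Empty output means runtime and permanent agree.
runtime_only() {            # $1 = runtime output, $2 = permanent output
    permanent_items=$(list_items "$2")
    for item in $(list_items "$1"); do
        printf '%s\n' "$permanent_items" | grep -qxF -- "$item" || echo "$item"
    done
}

# Compare the live runtime and permanent configuration of one zone.
check_zone() {              # $1 = zone name, e.g. public
    drift=$(runtime_only "$(firewall-cmd --zone="$1" --list-all)" \
                         "$(firewall-cmd --permanent --zone="$1" --list-all)")
    if [ -n "$drift" ]; then
        echo "zone $1: runtime-only entries (lost at reboot):"
        echo "$drift"
        echo "persist them with: firewall-cmd --runtime-to-permanent"
        return 1
    fi
    echo "zone $1: runtime and permanent configuration match"
}

# Constructed sample output: http, https and 8080/tcp were added without
# --permanent, so they exist only at runtime.
SAMPLE_RUNTIME='public (active)
  target: default
  services: dhcpv6-client http https ssh
  ports: 8080/tcp'
SAMPLE_PERMANENT='public
  target: default
  services: dhcpv6-client ssh
  ports:'

if [ $# -gt 0 ]; then check_zone "$1"; else runtime_only "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; fi
```

Run sudo sh drift.sh public on a live host; with no argument it demonstrates the comparison on the constructed sample.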
Advantages of firewalld
Dynamic Updates
Rules can change without restarting services.
Easy Zone Management
Excellent for laptops and systems that move between networks.
Service-Based Rules
Instead of remembering ports:
ssh
http
https
dns
you can use predefined service names.
What Is UFW?
UFW stands for:
Uncomplicated Firewall
Developed primarily for Ubuntu, UFW provides an extremely simple firewall interface.
Architecture:
UFW
|
v
nftables/iptables
|
v
Netfilter
Its goal is simplicity.
Why UFW Exists
Many users only need:
- Allow SSH
- Allow web traffic
- Block everything else
iptables and nftables can seem overwhelming.
UFW simplifies common tasks.
Enable UFW
Install:
sudo apt install ufw
Enable:
sudo ufw enable
Check status:
sudo ufw status
Allow SSH
sudo ufw allow ssh
or:
sudo ufw allow 22/tcp
Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Deny a Port
sudo ufw deny 23/tcp
This blocks Telnet traffic.
Delete a Rule
View numbered rules:
sudo ufw status numbered
Delete:
sudo ufw delete 3
Default Policies
Block incoming traffic:
sudo ufw default deny incoming
Allow outgoing traffic:
sudo ufw default allow outgoing
These are common settings for servers.
Example UFW Server Configuration
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
This creates a basic secure web server firewall.
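Deleting by number, as shown above with sudo ufw delete 3, has one trap: UFW renumbers the remaining rules after every deletion, so removing several matching rules in ascending order deletes the wrong ones. As an added example (not from the article or from UFW), this script finds every rule whose "To" column matches a port spec, including the IPv6 "(v6)" twin, and deletes them highest number first. It assumes ufw is installed for the live path; the status output at the bottom is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the article: delete every UFW rule matching a port
# spec by number, highest number first. Rule numbers are renumbered after each
# delete, so deleting in ascending order would remove the wrong rules.
# Assumes ufw is installed for the live path; the sample status is constructed.
set -eu

# Map `ufw status numbered` output to "number spec" pairs and print the numbers
# whose "To" column equals the requested spec (both the IPv4 and "(v6)" rows).
rule_numbers_for() {        # $1 = status output, $2 = spec such as 23/tcp
    printf '%s\n' "$1" \
      | sed -n 's/^\[ *\([0-9][0-9]*\)\] *\([^ ]*\).*/\1 \2/p' \
      | awk -v spec="$2" '$2 == spec { print $1 }' \
      | sort -rn
}

# Live path: read the current numbered status and delete matching rules.
# --force skips ufw's interactive "Proceed with operation?" prompt.
delete_rules_for() {        # $1 = spec such as 23/tcp
    status=$(ufw status numbered)
    for n in $(rule_numbers_for "$status" "$1"); do
        echo "deleting rule $n"
        ufw --force delete "$n"
    done
}

# Constructed sample of `ufw status numbered` on a small server.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 23/tcp                     DENY IN     Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 23/tcp (v6)                DENY IN     Anywhere (v6)'

if [ $# -gt 0 ]; then delete_rules_for "$1"; else rule_numbers_for "$SAMPLE_STATUS" 23/tcp; fi
```

Run sudo sh ufw-delete.sh 23/tcp on a live host; with no argument it prints the numbers it would delete for the sample (6, then 3).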
Comparing nftables, firewalld, and UFW
nftables
Best for:
- Linux professionals
- Security engineers
- Advanced administrators
- High-performance environments
Advantages:
- Maximum flexibility
- Best performance
- Full control
Disadvantages:
- Steeper learning curve
firewalld
Best for:
- Enterprise Linux
- RHEL-based systems
- Dynamic environments
Advantages:
- Zones
- Service management
- Dynamic rule updates
Disadvantages:
- More abstraction
- Less direct control
UFW
Best for:
- Ubuntu users
- Small servers
- Desktop Linux
Advantages:
- Very easy to learn
- Simple commands
- Quick deployment
Disadvantages:
- Limited advanced functionality
Which Firewall Should You Learn?
A good learning path is:
1. Understand networking fundamentals
2. Learn iptables concepts
3. Learn nftables
4. Learn firewalld or UFW
Even if you ultimately use firewalld or UFW, understanding nftables helps explain what happens underneath.
Conclusion
Modern Linux firewalls are built on the Netfilter framework within the kernel. nftables is the modern replacement for iptables and provides powerful, efficient packet filtering capabilities. firewalld builds on nftables to provide zone-based administration and dynamic management, while UFW focuses on simplicity and ease of use.
For desktop users and small servers, UFW is often sufficient. Enterprise Linux administrators frequently use firewalld. Security professionals and advanced Linux administrators benefit from learning nftables directly because it provides complete control over packet filtering and network security.
Understanding all three tools gives Linux users the flexibility to work comfortably across virtually any modern Linux distribution and networking environment.