NFTables and g(ufw)

OldgoodSheo (Level 1, Posts: 36, Joined: Sat Nov 04, 2017 10:58 am)

NFTables and g(ufw)

Post by OldgoodSheo »

Hi! I am going to install Mint on one of my computers and I have a question about the firewall.

As I understand it, most Linux distros use nftables now.

I have noticed some information about Debian (which is the base for Ubuntu and Mint) using nftables now. And the Debian wiki says:
"nftables in Debian the easy way If you want to enable a default firewall in Debian, follow these steps...
# aptitude install nftables
# systemctl enable nftables.service"
So I wonder now, should I first install and enable nftables and only after that enable (g)ufw? It seems logical, but I have also read in the ArchWiki that
"Start and enable ufw.service to make it available at boot. Note that this will not work if iptables.service is also enabled (and same for its ipv6 counterpart)".
I guess that this rule can also be applied to nftables..? And on the Arch Reddit we can read:
"UFW, being a frontend wrapper, will require the nftables package to be installed and the [struck out: service to be enabled/started]. Simply, it will use IPTables or NFTables depending on which is configured and in use. Edit: Only UFW service need be enabled to avoid conflict"
So, in short, I have the following questions:

1) Should I install nftables?

2) Should I enable it as a service (and configure it)?

3) Or is just using GUFW enough? Because it somehow automatically uses nftables?

4) Do you really need a firewall on Linux? Because I read that it is already placed in the kernel.

5) What does "Deny incoming" mean? Does it filter all incoming traffic, or what?
1000 (Level 6, Posts: 1020, Joined: Wed Jul 29, 2020 2:14 am)

Re: NFTables and g(ufw)

Post by 1000 »

1) I have iptables and nftables installed by default in Ubuntu.
I do not know why. Maybe it's not yet finalized / finished.
nftables boasts greater speed, and it's possible that the old iptables will be slowly phased out.
You are the captain of your own ship and you decide which solution will be better for you.
Why?
Rules in nftables are built differently from the old iptables ones; sometimes they may be incompatible.
Maybe new rules will have to be written.
Docs at https://www.nftables.org/


4) Where did you read that?

Maybe it's about something else?
Call filtering takes up hardware resources and time.
Disabling services means you don't need to block them, and that doesn't consume time or hardware resources.


5) I'll try to show it with an example.

From tcpdump:

Code:

20:49:33.770769 IP user.36494 > router: 12099+ ...
20:49:33.771464 IP router > user.36494: ...
In the first line, my computer tries to talk to the router.
In the second line, my router sends a response to my computer.

So we have incoming and outgoing calls.

How are connections filtered?
- The system can tell you which connection is the answer.
This is used to filter incoming calls. And only these connections are filtered in the basic firewall.

Code:

# Accept packets that conntrack recognises as part of (or related to) a flow this host already has
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The firewall can also detect connections on the system itself.
localhost https://en.wikipedia.org/wiki/Localhost
Applications use this connection to transfer information between themselves.
We usually allow these calls.

Code:

# Accept everything arriving on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
Newer applications use different mechanisms,
for example D-Bus https://en.wikipedia.org/wiki/D-Bus

So a default firewall in iptables looks like:

Code:

# Chain policies: what happens to a packet no rule has matched
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
# Exceptions to the INPUT policy, in order
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Edited:
I corrected "OUTPUT DROP" to "OUTPUT ACCEPT".
Explanation:
Outgoing connections from the computer are allowed in the basic configuration.
When a connection is incoming to the computer's firewall, then it is filtered.

The firewall can do one more thing.
DROP - it will only block.
REJECT - it will block and reply that the firewall has rejected the connection.
This can be useful when you are checking whether your firewall is blocking the connection or whether there is another problem with the connection.

So "Deny incoming" can be = REJECT.

More in
1. https://en.wikipedia.org/wiki/Transmiss ... _operation
2. https://www.nftables.org/
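Because the thread is about moving from iptables to nftables, here is the default policy from the post above (INPUT DROP, FORWARD DROP, OUTPUT ACCEPT, loopback and ESTABLISHED,RELATED accepted) written as a native nftables ruleset, with the DROP/REJECT distinction selectable. This is an added example, not code from the original posts. The table name `inet filter` and the chain names are conventional choices; the `inet` family covers IPv4 and IPv6 together, so the example also lets IPv6 neighbour discovery through, which the IPv4-only iptables commands in the post do not need to do. `nft_check` only runs when an `nft` binary is present. For the ufw mapping: `ufw default deny incoming` gives the drop mode below (ufw's "deny" is DROP), `ufw default reject incoming` gives the reject mode, and `ufw default allow outgoing` corresponds to `policy accept` on the output chain.

```shell
#!/bin/sh
# Added example (not from the original posts): the "default firewall"
# shown above with iptables commands, expressed as an nftables ruleset.
# Loading it with `nft -f` replaces the whole ruleset atomically because
# of the leading `flush ruleset`, instead of appending rules one by one.

# Print the ruleset to stdout.  $1 chooses what happens to unwanted
# incoming packets:
#   drop   - discard silently (iptables -j DROP; ufw "deny")
#   reject - discard and answer with TCP RST / ICMP port-unreachable
#            (iptables -j REJECT; ufw "reject")
nft_default_ruleset() {
    case "${1:-drop}" in
        drop)
            verdict='# (nothing to add: fall through to policy drop)'
            ;;
        reject)
            verdict='meta l4proto tcp reject with tcp reset
        reject with icmpx type port-unreachable'
            ;;
        *)
            echo "usage: nft_default_ruleset [drop|reject]" >&2
            return 2
            ;;
    esac
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        # iptables -P INPUT DROP
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -i lo -j ACCEPT
        iif "lo" accept

        # Packets conntrack cannot associate with any flow never get an
        # answer, even in reject mode.
        ct state invalid drop

        # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # The inet table also filters IPv6: neighbour discovery must pass
        # or the host loses its link-local neighbours (not needed in the
        # IPv4-only iptables example above).
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Everything else:
        $verdict
    }

    chain forward {
        # iptables -P FORWARD DROP
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # iptables -P OUTPUT ACCEPT
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse and evaluate the ruleset without installing it (nft -c).
# Skipped with a note when nft is not installed.
nft_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    nft_default_ruleset "$1" | nft -c -f -
}

# Usage: sh example.sh [drop|reject] > /etc/nftables.conf
#        sh example.sh check [drop|reject]
case "${1:-}" in
    check) nft_check "${2:-drop}" ;;
    *)     nft_default_ruleset "${1:-drop}" ;;
esac
```

The `ct state invalid drop` line sits before the accept for established flows so that a packet conntrack cannot place in any flow is never answered, which matters in reject mode: otherwise a spoofed packet could make the host emit RST or ICMP replies to a third party.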
OldgoodSheo (Level 1, Posts: 36, Joined: Sat Nov 04, 2017 10:58 am)

Re: NFTables and g(ufw)

Post by OldgoodSheo »

1000 wrote (Tue Feb 07, 2023 4:42 pm): 1) I have iptables and nftables installed by default in Ubuntu.
Big thanks for your reply! But my question was more primitive :)
1) Should I install nftables?
By "install" here I meant not that I choose between iptables and nftables, but whether I should install its package manually BEFORE using gUFW.
2) Should I enable it as a service (and configure it)?
And... then enable it (nftables) as a systemd service?
3) Or is just using GUFW enough? Because it somehow automatically uses nftables?
Or can I skip all that and just turn on gUFW BECAUSE it somehow uses nftables itself out of the box?
1000 (Level 6, Posts: 1020, Joined: Wed Jul 29, 2020 2:14 am)

Re: NFTables and g(ufw)

Post by 1000 »

You can just enable Gufw.
Gufw is a graphical overlay on rules made in ufw.
Uncomplicated Firewall (UFW) rules are made as iptables rules.

You can use these commands to check the firewall:

Code:

sudo ufw status verbose
Edited: for IPv4

Code:

sudo iptables -S
Edited: for IPv6

Code:

sudo ip6tables -S

Code:

sudo nft list ruleset
And check the status of the services:

Code:

systemctl list-unit-files | grep "STATE\|nftables\|tables\|ufw"
And check whether IPv4 or IPv6 is used.

All, but grep filters to show only IP addresses:

Code:

ip a | grep inet | awk '{print $1 " " $2}'
IPv4:

Code:

ip -4 addr
IPv6:

Code:

ip -6 addr
OldgoodSheo (Level 1, Posts: 36, Joined: Sat Nov 04, 2017 10:58 am)

Re: NFTables and g(ufw)

Post by OldgoodSheo »

1000 wrote (Tue Feb 14, 2023 8:20 pm): You can just enable Gufw.
Ok! Thanks. I will know that I shouldn't install and enable nftables as a service beforehand to use ufw. Just install and activate ufw (+) gufw, right?
Uncomplicated Firewall (UFW) rules are made as iptables rules.
Isn't it nftables now? You give commands with nft further on.
sudo nft list ruleset
Is this ruleset created by ufw?
1000 (Level 6, Posts: 1020, Joined: Wed Jul 29, 2020 2:14 am)

Re: NFTables and g(ufw)

Post by 1000 »

Just install and activate ufw (+) gufw, right?
I gave you the commands so you can check on your own. :wink:
That means:
1. You run the Gufw firewall.
2. You restart your computer.
3. Check the firewall in Gufw and in the terminal.
If the Gufw firewall is running and rules exist, that means the services have also started.
You can also check if the services are running.
Don't believe me. You can check, see the commands above.

- - - - - -
Isn't it nftables now? You give commands with nft further on.
sudo nft list ruleset
Is this ruleset created by ufw?
I see / I noticed that:
- Gufw creates rules in the iptables firewall and the nftables firewall simultaneously.
- So now two firewalls are active. (Double protection :mrgreen:)
- iptables.service does not exist -> probably the iptables firewall is run from ufw.service

- - - - - -

Maybe I will write how to check the firewall physically.
If I do, it will be later.
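The checks 1000 listed two posts up (`iptables -S`, `nft list ruleset`, `systemctl`) can be combined into one report that also answers the question raised in this post: whether ufw's rules appear in both tools because there are two firewalls, or because one set of rules is being viewed through two front ends. Since iptables 1.8, `iptables -V` prints the backend in parentheses: with `(nf_tables)` the `ufw-*` chains that `iptables -S` lists and the `chain ufw-*` entries under `table ip filter` in `nft list ruleset` are the same kernel objects, while with `(legacy)` the rules live in the old xtables tables and `nft list ruleset` does not show them. This is an added example, not code from the original posts; the backend classifier is exercised on constructed banner strings, the report functions run the real commands only when the tools are installed, and listing rules needs root. The treatment of a banner with no suffix as legacy is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original posts): find out whether the
# iptables rules that ufw installs go through the legacy xtables backend
# or the nf_tables backend, and count ufw's chains as seen by
# `iptables -S` and by `nft list ruleset`.

# Classify an `iptables -V` banner such as "iptables v1.8.7 (nf_tables)".
# iptables >= 1.8 prints its backend in parentheses.  A banner without a
# suffix is treated as legacy (assumption: releases before 1.8 had only
# the xtables backend).  Anything else is "unknown" with exit status 1.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)              echo nf_tables ;;
        *"(legacy)"*)                 echo legacy ;;
        "iptables v"*|"ip6tables v"*) echo legacy ;;
        *)                            echo unknown; return 1 ;;
    esac
}

# Number of ufw-* chains in the IPv4 filter table, as listed by iptables
# (`-N name` lines).  Prints 0 when iptables is missing or we lack
# permission: a non-root `iptables -S` fails and prints nothing.
ufw_chains_via_iptables() {
    command -v iptables >/dev/null 2>&1 || { echo 0; return; }
    iptables -S 2>/dev/null | grep -c -- '^-N ufw-' || true
}

# The same count taken from nft, restricted to `table ip filter` so it
# matches the scope of `iptables -S` (ip6 filter is a separate table).
ufw_chains_via_nft() {
    command -v nft >/dev/null 2>&1 || { echo 0; return; }
    nft list table ip filter 2>/dev/null | grep -c 'chain ufw-' || true
}

# Enabled state of the units mentioned in the thread.  `systemctl
# is-enabled` prints nothing on stdout for a unit that does not exist.
service_states() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available"; return; }
    for unit in ufw.service nftables.service iptables.service; do
        state="$(systemctl is-enabled "$unit" 2>/dev/null)"
        printf '%-18s %s\n' "$unit" "${state:-not-found}"
    done
}

firewall_report() {
    if command -v iptables >/dev/null 2>&1; then
        backend="$(iptables_backend "$(iptables -V 2>/dev/null)")" || true
    else
        backend="not installed"
    fi
    echo "iptables backend              : $backend"
    echo "ufw chains via iptables -S    : $(ufw_chains_via_iptables)"
    echo "ufw chains via nft (ip filter): $(ufw_chains_via_nft)"
    service_states
    if [ "$backend" = nf_tables ]; then
        echo "-> both counts describe the same rules: one firewall, two views"
    fi
}

firewall_report
```

Run it as root on the Mint machine after enabling Gufw and rebooting: equal chain counts from both tools together with an `nf_tables` backend is the normal picture on a current Debian-family system, and `iptables.service` reporting `not-found` is expected because ufw loads its rules from its own unit rather than from an iptables unit.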
OldgoodSheo (Level 1, Posts: 36, Joined: Sat Nov 04, 2017 10:58 am)

Re: NFTables and g(ufw)

Post by OldgoodSheo »

1000 wrote (Wed Feb 15, 2023 10:30 am):
Just install and activate ufw (+) gufw, right?
I gave you the commands so you can check on your own. :wink:

Don't believe me. You can check, see the commands above.
Yes, I did that, it works. I just was not sure whether I needed to do something with the nftables package itself (install and enable) to make ufw work the right way.

I had a discussion in other places, and now I am sure that I don't need the nftables package installed and enabled before (or after) installing and enabling ufw.
I see / I noticed that:
- Gufw creates rules in the iptables firewall and the nftables firewall simultaneously.

Maybe I will write how to check the firewall physically.
If I do, it will be later.
Ok! Thanks.