Frequently Asked Question
What is a Linux firewall and how do nftables, iptables, and ufw relate?
The actual packet filter lives inside the kernel, in a framework called Netfilter that
has hook points along the path every packet takes. The userland tool that loads rules
into Netfilter has changed over the years: iptables is the classic interface (still
ubiquitous), and nftables is its modern replacement, with a cleaner syntax and a
single command (nft) that covers IPv4, IPv6, ARP, and bridge filtering. Most
distributions now ship nftables as the back end, with iptables-nft translating old
commands.
Because writing raw rules is error-prone, friendlier front ends exist: ufw
(Uncomplicated Firewall) is Ubuntu's default and turns ufw allow 22/tcp into the
right underlying calls; firewalld plays the same role on Fedora and RHEL, with the
added idea of "zones" for different network interfaces. Both are thin layers; under
the hood the kernel is still doing the work.
For a defender, the starting point on any server is: default deny inbound, allow only
the ports the machine genuinely needs, allow outbound as required, and log unexpected
drops. ss -tlnp shows what is currently listening; the firewall enforces what may
reach those sockets from the network.
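As an added example (not code from this FAQ or from any distribution), the POSIX shell script below emits the default-deny policy described above as an nftables ruleset; the allowed TCP ports (22 and 443) and the "nft-drop: " log prefix are assumptions for a typical web server.

```shell
#!/bin/sh
# Added example: generate a default-deny nftables ruleset for a single server.
# The port list is an assumption; pass the ports that ss -tlnp shows are really needed.
gen_ruleset() {
  ports="$1"   # comma-separated TCP ports, e.g. "22, 443"
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
    tcp dport { $ports } ct state new accept
    limit rate 10/minute log prefix "nft-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Syntax-check the generated ruleset without loading it (needs nft installed).
check_ruleset() {
  gen_ruleset "$1" | nft -c -f -
}

# Print the ruleset; redirect to a file and load it with: nft -f ruleset.nft (as root)
gen_ruleset "${ALLOWED_TCP:-22, 443}"
```

Unexpected drops show up in the kernel log with the "nft-drop: " prefix, rate-limited so a scan cannot flood the log.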