Why ufw Does Not Need A GUI

By | 2008/05/04

I’ve been hearing more and more recent requests (at OpenWeek -chat and in blog comments) regarding a request for a GUI on top of ufw.  I wanted to take a second and outline more clearly what ufw is, which will likely stop these requests.  I think its just a simple matter of not truly understand what ufw does which leads to these.  Bottom line, there are already a number of GUI firewall applications, adding one for ufw would be basically pointless. (Before you argue that point, keep reading.)

What is ufw?

ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules which is done via the netfilter kernel module and iptables userspace tool.  iptables has been around for quite a long time, is very, very robust and very widely used.  It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it.  (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter nothing is actually being specifically allowed or denied.)

The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”.  While iptables is already installed and available for use, the syntax can be complicated.  For example, lets say you wanted to block all connections from the IP address 10.100.0.5:

iptables : sudo iptables -A INPUT -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5

Another slightly more complicated example could be written for blocking specific ports and protocols:

iptables: sudo iptables -A INPUT --dport 22 -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5 to any port 22

ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way.  Both of the commands above basically do the same thing, ufw simply “uncomplicates” the process.

For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc.  Those are graphical tools which create and manage iptables / netfilter rules “under the hood”.  ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.

The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed.  ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.

14 thoughts on “Why ufw Does Not Need A GUI

  1. Darren

    Here is why I think people are asking for a GUI for UFW

    1) Firestarter is unmaintained upstream and only manages one interface at a time. So users who switch between interfaces often (ie laptop users) will have to reconfigure Firestarter each time. So Firestarter is not an option for users who want or need a desktop firewall. Plus it is a dead project anyway.

    2) Lokkit is no longer maintained either, Redhat expanded it to become the their firewall tool but that updated version is not available in any repos and the last time I installed it it didn’t even work.

    3) If Ubuntu is standardizing on UFW as their tool for managing iptables then it should really have a GUI and a command-line component. I guess those could be different tools but that would be a mess if you had UFW managing iptables from a command-line and then a separate GUI.

    So as of right now there is no Firewall GUI for Ubuntu users that is maintained or that meets the needs of most users. A simple GUI for UFW would meet those needs.

    Reply
  2. Stoffe

    Don’t know if it needs a direct front-end, but an “uncomplicated firewall gui” would be nice, and I’m not sure those mentioned actually meet that goal. Usable yes, nice yes, but not designed with “for human beings” in mind at all times?

    Ah heck I don’t know. It’s nice to have things collected, and it’s also a marketing thing (not sales!): it’s easy to tell people to look for the uncomplicated firewall, no matter if they are on desktop or server.

    Reply
  3. Chester

    Holy moly, Ubuntu gets its own firewall package and there’s no GUI, how ironic is that?

    I disagree with you, while I prefer the command line and generally often don’t need GUIs, a GUI for UFW is vital, IMO. I find Firestarter, despite how frequently it is used, lacking in many aspects and not updated as often as I’d like, despite the GUI being very nice.

    Reply
  4. kahrytan

    For something thats called ufw or “uncomplicated firewall”, it is extremely complicated. This is why it needs a GUI, to make the complicatedness of uwf into the uncomplicated.

    Reply
  5. richard

    I think the problem lies in the name. “Uncomplicated Firewall” implies that it is simple to use, but oh noes it has a CLI based interface give us a GUI.

    The solution is not to add a GUI to ufw but rather to make another GUI firewall that does the same thing specifically for Desktop users.

    Currently there seems to be a hole in that niche and people are trying to shoehorn ufw into it.

    Reply
  6. Arun

    If Ubuntu is really a Linux distribution for human beings (true so far), then they should supply a GUI for ufw unless ufw is only meant for server and not desktop. If it’s meant for desktops as well, then a GUI to control it is the right direction for end users and to market Ubuntu as user friendly.

    Reply
  7. Brad Johnson

    I think Ubuntu needs to standardize around one firewall method/platform. UFW seems to be a good place to start as it can easily exist in both Server & Workstation. Firestarter is NOT a good option for use with Network Manager and multiple networks.

    Instead of saying UFW needs a GUI, let’s just say that Ubuntu workstations need a Network Manager-aware GUI for ufw. Can you get behind that?

    Reply
  8. Conor

    By far one of the best posts I’ve found on this blog. You don’t update as frequently as I’m used to seeing on my feeds list, but I will trade frequent updates any day for this level of quality.

    Thank you, and keep it up, please!

    Reply
  9. Rusty

    I won’t argue over whether UFW needs a GUI. I would say instead that IPTables needs a maintained GUI that works with Network Manager. Perhaps as a plug in to Network Manager. Again though it need not be a front end to ufw.

    I would love to see ufw generally available upstream in Debian. An apt-cache search for ufw on my debian server comes back with hits for nufw and nuauth related packages, which from looking at the descriptions does not appear to be quite what ufw offers.

    The biggest problem that I have with manually configuring iptables is that I come from a network not a firewall background. The ufw syntax maps very nicely to the access list syntax on routers that I have worked on. Different key words at times, but it’s something I can fairly easily wrap my head around. IPTables has not been as easy for me to do the same with. I understand the general concept they came up with, however the syntax very quickly gets bogged down in trying to figure out why this rule or that is in this list, or that one.

    If there were one request out of any ui to IPTables, it would be that it would be able to spit out a ‘script’ that I could use to configure IPTables on a separate system that does not have that UI. i.e. I can create the UFW commands on my Ubuntu laptop or server, and get the resulting rules to paste onto my Debian server.

    And before someone says ‘well, why don’t you just compile ufw from source on the debian box?’ or ‘just install the pre-compiled package for debian from [arbitrary location].’ that’s not part of what I specifically asked for, and I’m not installing a compiler on my server, whether it is protected from with a firewall or not. My specific request was for it to be in the Debian collection of packages (stable) or for a syntax converter from ufw to iptables.

    Great work already though. Probably enough to get me to replace the underlying server distribution at my remote location. We’ll see.

    Reply
  10. polarizers 2 cents

    since firewall stuff is pretty technically and you’ve to know what you’re doin’ i’ve no problem with console only interface.

    >>90% of users not even know what an ip address is much less they know about ports or protocols.

    btw: the notation of the rules reminds me on openbsd’s packet filter (pf)

    polarizers 2 cents

    Reply
  11. matti

    Well. as the pool of Ubuntu users increases the composition of the users will include an increasing portion of the types of users falling into that >>90% category – regular human beings.
    At the same time, as the number of Ubuntu users reaches a critical mass, an increasing number of low life will shift their attention to these non technical human beings and their unprotected PCs.
    UFW needs a GUI for normal people. That’s all there is to it. To a normal person there is no such thing as an “uncomplicated terminal command”. It begs the question how the name UFW was decided on. Uncomplicated to whom? The normal users or the trailblazers of technology?

    Reply
  12. Roland Latour

    It doesn’t need a GUI, but it does need a config file. Order is important, and getting that order right is a PITA. Bug#260745.

    Reply
  13. Fr33d0m

    In general I agree with the need for a GUI to manage the firewall.

    https://launchpad.net/gui-ufw is one based around UFW–which is really not so much a firewall as a set of commands to manage a firewall.

    But gui-ufw is not an example of what I think is needed in a firewall GUI. It is partly there and it is a fairly new project so perhaps it will grow.

    Firewall rules are more complex–even in their relative simplicity–than a non-technical user can reasonably be expected to grasp. Something that combines the wizard approach of both Firestarter and lokkit is what is needed.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *