I've been trying to get this working for a couple of days using the Arch Wiki, and it seems like a simple solution, but I'm not sure what I'm missing here.
When I check the status of ufw with `sudo ufw status` it always returns:
Status: inactive
When I type `sudo ufw enable` it returns:
ERROR: Could not load logging rules
❯ sudo systemctl status nftables
○ nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
Jan 30 00:48:58 arch systemd[1]: Starting Netfilter Tables...
Jan 30 00:48:58 arch systemd[1]: nftables.service: Deactivated successfully.
Jan 30 00:48:58 arch systemd[1]: Finished Netfilter Tables.
❯ sudo systemctl status ufw
● ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; disabled; preset: disabled)
Active: active (exited) since Fri 2025-01-31 03:05:19 PST; 8h ago
Invocation: 020e4ff47f914e80a306734d6137959d
Main PID: 1730002 (code=exited, status=0/SUCCESS)
Mem peak: 1.6M
CPU: 10ms
Jan 31 03:05:19 arch systemd[1]: Starting CLI Netfilter Manager...
Jan 31 03:05:19 arch ufw-init[1730006]: Skip starting firewall: ufw (not enabled)
Jan 31 03:05:19 arch systemd[1]: Finished CLI Netfilter Manager.
ENABLED=yes
LOGLEVEL=low
IPV6=no
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
flush ruleset
table inet filter {
chain input {
type filter hook input priority 100;
policy drop;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iif "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto icmpv6 accept comment "allow icmp v6"
tcp dport 22 accept comment "allow sshd"
pkttype host limit rate 5/second counter reject with icmp type admin-prohibited
# For IPv6, uncomment the following line:
pkttype host limit rate 5/second counter reject with icmpv6 type admin-prohibited
counter
}
chain forward {
type filter hook forward priority 100;
policy drop;
}
chain output {
type filter hook output priority 100;
policy accept;
}
}
What's causing the "ERROR: Could not load logging rules" error?
If you have a working nftables.conf why are you using ufw? That just adds another layer of stuff to go wrong.
Try
# systemctl enable --now nftables
Then check
# nft list ruleset
Jin, Jîyan, Azadî
From what I understood, nftables is used as the backend. According to the Arch Wiki here: https://wiki.archlinux.org/title/Uncomplicated_Firewall it says:
Note: It should be noted that UFW can use either iptables or nftables as the back-end firewall.
Here are the updates
❯ systemctl enable --now nftables
Created symlink '/etc/systemd/system/multi-user.target.wants/nftables.service' → '/usr/lib/systemd/system/nftables.service'.
❯ sudo nft list ruleset
table inet filter {
chain input {
type filter hook input priority srcnat; policy drop;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iif "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
tcp dport 22 accept comment "allow sshd"
meta nfproto ipv4 meta pkttype host limit rate 5/second burst 5 packets counter packets 0 bytes 0 reject with icmp admin-prohibited
meta nfproto ipv6 meta pkttype host limit rate 5/second burst 5 packets counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
counter packets 2 bytes 473
}
chain forward {
type filter hook forward priority 100; policy drop;
}
chain output {
type filter hook output priority 100; policy accept;
}
}
❯ sudo systemctl status nftables
○ nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: disabled)
Active: inactive (dead) since Fri 2025-01-31 13:13:51 PST; 3min 30s ago
Invocation: f15a9e0f8be74ca183f2f0d9e71e9398
Docs: man:nft(8)
Process: 3728637 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 3728637 (code=exited, status=0/SUCCESS)
Mem peak: 1.7M
CPU: 8ms
Jan 31 13:13:51 arch systemd[1]: Starting Netfilter Tables...
Jan 31 13:13:51 arch systemd[1]: nftables.service: Deactivated successfully.
Jan 31 13:13:51 arch systemd[1]: Finished Netfilter Tables.
Thanks for the help! I'm still a little confused as far as what I'm doing incorrectly to get UFW/GUFW working, but how does what I've done look so far?
You now have a working firewall configured by /etc/nftables.conf.
I've never actually used ufw but as I understand it was developed as a friendly front-end for the unfriendly iptables syntax. Nftables has a much simpler syntax that isn't that much more complicated than ufw so it seems to invalidate it, at least to some extent.
What do you actually need from your firewall? I find plain nftables suits my needs but my setup is very simple.
Jin, Jîyan, Azadî
I'm using my firewall for my mini PC, which I do use on different networks from time to time. I will also be using it to allow access to my computer through a private network through Tailscale using SSH.
Is there a GUI for nftables? If not, what would be needed to use UFW/GUFW with nftables?
ArchUsernameHere wrote: I will also be using it to allow access to my computer through a private network through tailscale using SSH.
Your firewall already has a hole punched for ssh:
tcp dport 22 accept comment "allow sshd"
ArchUsernameHere wrote: Is there a GUI for nftables?
Gufw can use nftables as a backend, apparently. But I don't think you can use /etc/nftables.conf with that, you will have to construct your own version with either the gufw GUI or the ufw command.
Jin, Jîyan, Azadî
I think what confuses me is where you said I can use nftables but not /etc/nftables.conf. So ufw/gufw will set its own rules but not at /etc/nftables.conf from what I understand.
I'm still basically a month into Arch/Linux and it's been great learning and installing everything with the wiki, but for some reason the security side of things has been confusing for me.
How can I switch from nftables to gufw with nftables as the backend? If I can do that then I can learn how to secure my system with gufw and when I am more comfortable with command line I can move onto ufw or maybe back to nftables if needed.
I think you have to disable & stop nftables.service then enable & start ufw.service and configure that to your liking.
Jin, Jîyan, Azadî
The procedure I use to install ufw with the nftables backend is as follows...
From a fresh install of Arch, which by default has iptables installed, I do the following in order.
1. Install the nftables backend and remove iptables which is important so they do not conflict.
sudo pacman -S iptables-nft
2. Install and set up the firewall (to use nftables backend)
sudo pacman -S ufw
3. Configure the ufw systemd service to start at boot:
sudo systemctl enable ufw.service
4. Set a 'deny all by default' policy
sudo ufw default deny
5. Optionally turn off logging
sudo ufw logging off
6. Start the firewall
sudo ufw enable
You should now have a nice functioning firewall with command line interface (ufw). If like me you are using KDE then you can further investigate your firewall by going into the system settings and looking under the network/firewall applet. Alternatively you could install a graphical ui such as gufw.
This is how I get a basic firewall working. Hope it helps others.
Last edited by GrimBandito (2025-02-04 11:11:13)
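As an added example (not from the thread or from any of its posters), here is a small POSIX sh check for the state the procedure above should leave behind: ufw active with a deny-incoming default, and the iptables binary provided by iptables-nft (step 1). The functions take the captured command output as an argument so they can be exercised without root; the `iptables -V` version string in the sample is an assumed value.

```shell
#!/bin/sh
# Post-install check for the "ufw on nftables" procedure.
# Added example, not part of the original thread.

# check_ufw_status: takes the text of `ufw status verbose`.
# Returns 0 only when the firewall is active and denies incoming by default.
check_ufw_status() {
  status="$1"
  printf '%s\n' "$status" | grep -q '^Status: active$' || return 1
  printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' || return 1
  return 0
}

# check_backend: takes the text of `iptables -V`.
# iptables-nft reports "(nf_tables)"; the plain iptables package reports
# "(legacy)", which is the conflicting backend step 1 replaces.
check_backend() {
  case "$1" in
    *"(nf_tables)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# logging_state: prints the value of the "Logging:" line (e.g. "off").
# Step 5 is optional; leaving logging on keeps ufw log lines for review.
logging_state() {
  printf '%s\n' "$1" | sed -n 's/^Logging: //p'
}

# Constructed sample: the `ufw status verbose` output posted later in the thread.
SAMPLE_STATUS='Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample of `iptables -V` from iptables-nft (assumed version string).
SAMPLE_BACKEND='iptables v1.8.10 (nf_tables)'

# When run as root with ufw installed, check the live system; otherwise the samples.
if [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null 2>&1; then
  live_status="$(ufw status verbose 2>/dev/null)"
  live_backend="$(iptables -V 2>/dev/null)"
else
  live_status="$SAMPLE_STATUS"
  live_backend="$SAMPLE_BACKEND"
fi
if check_ufw_status "$live_status"; then echo "ufw: active, deny incoming"; else echo "ufw: NOT as expected"; fi
if check_backend "$live_backend"; then echo "backend: nf_tables"; else echo "backend: NOT nf_tables"; fi
echo "logging: $(logging_state "$live_status")"
```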
Just to double check I did everything correctly and to make sure there's nothing left to setup, is the output for these 2 commands fine?
❯ sudo ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
---
❯ sudo systemctl status ufw.service
● ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; preset: disabled)
Active: active (exited) since Tue 2025-02-04 22:48:34 PST; 3min 22s ago
Invocation: d1bdf11f021c430aade0e0be650f1612
Process: 404 ExecStart=/usr/lib/ufw/ufw-init start (code=exited, status=0/SUCCESS)
Main PID: 404 (code=exited, status=0/SUCCESS)
Mem peak: 3.6M
CPU: 80ms
Feb 04 22:48:34 arch systemd[1]: Starting CLI Netfilter Manager...
Feb 04 22:48:34 arch systemd[1]: Finished CLI Netfilter Manager.
Yes that all looks good.
Thank you to both of you for the help! It seems to be running how I wanted.
Last edited by ArchUsernameHere (2025-02-08 21:30:10)