Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Linux Server Hardening

UFW vs nftables vs firewalld for Linux Servers

Layer diagram showing kernel netfilter and nftables underneath UFW, firewalld, and direct nftables administration.

UFW, firewalld, and nftables are not three independent security layers you should blindly stack. nftables is the modern packet-filtering framework in the Linux networking stack; UFW and firewalld are management tools that create firewall policy for you.

For a small Ubuntu or Debian VPS, UFW is usually the simplest safe starting point. For Fedora, RHEL, and NetworkManager-heavy systems, firewalld often fits better. Direct nftables is for operators who need exact control and are willing to own the ruleset.

What is nftables?

nftables is the Netfilter project’s replacement for the older iptables-family tools. The Netfilter project describes nftables as providing a new in-kernel packet classification framework and an nft userspace command-line tool.

Debian’s wiki says nftables is the default and recommended firewalling framework in Debian, replacing old iptables-related tools. It also notes that iptables may use an iptables-nft compatibility layer over the nf_tables kernel subsystem.

The practical translation: even if you type an iptables-shaped command, a modern distro may be using nftables underneath.

What is UFW?

UFW, the Uncomplicated Firewall, is a simpler firewall front end commonly used on Ubuntu servers. Its value is operational: most small VPS operators need a clear allow/deny policy for SSH, HTTP, HTTPS, and maybe a private service.

UFW is a good default when:

If you already follow a fresh Ubuntu UFW baseline, do not add firewalld or manual nftables rules just because they sound more advanced.

What is firewalld?

firewalld is a dynamic firewall manager often associated with Fedora, RHEL, CentOS Stream, and desktop/server environments that use zones. Debian’s nftables page also recommends considering a wrapper such as firewalld instead of hand-writing firewall scripts in some situations.

firewalld is a better fit when:

The point is not that firewalld is “more secure” than UFW. The point is that it may match the platform’s normal operating model.

Which should a small server use?

Use one primary firewall manager and document it. Mixing managers is how you end up with rules you cannot explain during an incident.

Situation Practical default
Small Ubuntu VPS with SSH and web traffic UFW
Debian server where you want simple policy UFW or direct nftables, depending on skill
Fedora/RHEL-style host firewalld
Complex router, gateway, or custom packet policy direct nftables
Docker-heavy host decide carefully; container networking can add rules outside your simple model
Proxmox or virtualization host follow platform firewall guidance before adding extra managers

The best firewall tool is the one your future self can audit without guessing.

Why mixing tools causes confusion

Firewall managers write state into the same underlying packet-filtering world. If UFW, firewalld, Docker, a VPN tool, and manual nftables rules all modify policy, the effective result may not match the one command you remember running.

This matters during exposure checks. A local listening service is not automatically public, and a firewall rule is not automatically enough if another layer publishes traffic. Pair firewall policy with an outside-in check and a local listener inventory.

Start with ss vs lsof vs nmap for exposure checks and the small VPS exposure audit before blaming the wrong layer.

FAQ

Is nftables better than iptables?

nftables is the modern replacement framework and is the default in Debian. But most small-server operators should choose the management interface they can operate safely.

Should I disable UFW and use nftables directly?

Only if you need direct nftables control and can maintain the ruleset. For a basic Ubuntu VPS, UFW is usually easier to audit.

Can I use UFW and firewalld together?

Avoid it unless you have a deliberate, documented reason. Use one primary manager to reduce surprises.

Sources