
UFW, firewalld, and nftables are not three independent security layers you should blindly stack. nftables is the modern packet-filtering framework in the Linux networking stack; UFW and firewalld are management tools that create firewall policy for you.
For a small Ubuntu or Debian VPS, UFW is usually the simplest safe starting point. For Fedora, RHEL, and NetworkManager-heavy systems, firewalld often fits better. Direct nftables is for operators who need exact control and are willing to own the ruleset.
What is nftables?
nftables is the Netfilter project’s replacement for the older iptables-family tools. The Netfilter project describes nftables as providing a new in-kernel packet classification framework and an nft userspace command-line tool.
Debian’s wiki says nftables is the default and recommended firewalling framework in Debian, replacing old iptables-related tools. It also notes that iptables may use an iptables-nft compatibility layer over the nf_tables kernel subsystem.
The practical translation: even if you type an iptables-shaped command, a modern distro may be using nftables underneath.
What is UFW?
UFW, the Uncomplicated Firewall, is a simpler firewall front end commonly used on Ubuntu servers. Its value is operational: most small VPS operators need a clear allow/deny policy for SSH, HTTP, HTTPS, and maybe a private service.
UFW is a good default when:
- you run Ubuntu or a Debian-family VPS;
- you want readable rules and low ceremony;
- you do not need complex zones;
- you can document a small number of allowed services;
- you want a lockout-safe firewall baseline before adding public apps.
If you already follow a fresh Ubuntu UFW baseline, do not add firewalld or manual nftables rules just because they sound more advanced.
What is firewalld?
firewalld is a dynamic firewall manager often associated with Fedora, RHEL, CentOS Stream, and desktop/server environments that use zones. Debian’s nftables page also recommends considering a wrapper such as firewalld instead of hand-writing firewall scripts in some situations.
firewalld is a better fit when:
- your distro defaults to it;
- zones match your network model;
- NetworkManager integration matters;
- libvirt, podman, or other services expect it;
- admins on the system already understand it.
The point is not that firewalld is “more secure” than UFW. The point is that it may match the platform’s normal operating model.
Which should a small server use?
Use one primary firewall manager and document it. Mixing managers is how you end up with rules you cannot explain during an incident.
| Situation | Practical default |
|---|---|
| Small Ubuntu VPS with SSH and web traffic | UFW |
| Debian server where you want simple policy | UFW or direct nftables, depending on skill |
| Fedora/RHEL-style host | firewalld |
| Complex router, gateway, or custom packet policy | direct nftables |
| Docker-heavy host | decide carefully; container networking can add rules outside your simple model |
| Proxmox or virtualization host | follow platform firewall guidance before adding extra managers |
The best firewall tool is the one your future self can audit without guessing.
Why mixing tools causes confusion
Firewall managers write state into the same underlying packet-filtering world. If UFW, firewalld, Docker, a VPN tool, and manual nftables rules all modify policy, the effective result may not match the one command you remember running.
This matters during exposure checks. A local listening service is not automatically public, and a firewall rule is not automatically enough if another layer publishes traffic. Pair firewall policy with an outside-in check and a local listener inventory.
Start with ss vs lsof vs nmap for exposure checks and the small VPS exposure audit before blaming the wrong layer.
FAQ
Is nftables better than iptables?
nftables is the modern replacement framework and is the default in Debian. But most small-server operators should choose the management interface they can operate safely.
Should I disable UFW and use nftables directly?
Only if you need direct nftables control and can maintain the ruleset. For a basic Ubuntu VPS, UFW is usually easier to audit.
Can I use UFW and firewalld together?
Avoid it unless you have a deliberate, documented reason. Use one primary manager to reduce surprises.
Sources
- Netfilter nftables project documentation
- Debian Wiki: nftables
- TheLinuxForum UFW and exposure-audit guides