I am going to install Xubuntu 22.04 on one of my computers and I have a question about the firewall.

As I understand it, Ubuntu uses NFTables now.

I have noticed some information about Debian (which is the base for Ubuntu) using NFTables now. And the Debian wiki says:

If you want to enable a default firewall in Debian, follow these steps...

    # aptitude install nftables
    # systemctl enable nftables.service

So I wonder now, should I first install and enable nftables and only after that enable (g)ufw? It seems logical, but I have also read in the ArchWiki that

Start and enable ufw.service to make it available at boot. Note that this will not work if iptables.service is also enabled (and same for its ipv6 counterpart).

I guess that this rule can also be applied to Ubuntu and NFTables..? And on Arch Reddit we can read:

UFW, being a frontend wrapper, will require the nftables package to be installed and the service to be enabled/started. Simply, it will use IPTables or NFTables depending on which is configured and in use. Edit: Only UFW service need be enabled to avoid conflict

So, in short, I have the following questions:

  1. Should I install NFTables?

  2. Should I enable it as a service (and configure)?

  3. Or is just using GUFW enough? Because it somehow automatically uses NFTables?

2 Answers

Use whatever you used before. If you used (g)ufw then just use that tool again. gUFW and UFW are both wrappers around nftables and iptables, and in 22.04 with nftables being the default it just uses nftables.

If you are used to using iptables, well then look into using iptables-nft which is a compat layer that uses xtables and a few other tools to use nftables with iptables command compatibility (parses iptables commands and such to use nftables commands to populate the firewall).

Use whichever tool you're comfortable with.

Thomas Ward

After some research and discussion I have come to the following conclusion about nftables and (g)ufw. So, if you want to use (g)ufw:

Should I install NFTables?

No, it is not needed. But the package itself probably won't lead to conflicts.

Should I enable it as a service (and configure)?

No, it will lead to a conflict with the (g)ufw service.

Or is just using GUFW enough? Because it somehow automatically uses NFTables?

Yes, and yes.
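
Added example, not part of either answer: a small shell check for the two points made above, namely which backend the `iptables` command drives (the first answer's iptables-nft note) and whether `nftables.service` is enabled at boot next to `ufw.service` (the conflict described in the second answer). The function names and the `--live` switch are made up for this example; treating "both enabled" as the conflict case is an assumption taken from the answers on this page.

```shell
#!/bin/sh
# Added example (not from the original answers).

# Classify the backend from the text printed by `iptables --version`,
# e.g. "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo "nf_tables" ;;
        *"(legacy)"*)    echo "legacy" ;;
        *)               echo "unknown" ;;
    esac
}

# Compare the `systemctl is-enabled` states of ufw.service ($1) and
# nftables.service ($2). Prints "conflict" when both load rules at boot
# (assumption taken from the answers above), otherwise "ok".
service_conflict() {
    if [ "$1" = "enabled" ] && [ "$2" = "enabled" ]; then
        echo "conflict"
    else
        echo "ok"
    fi
}

# Query the running system. Missing tools or units yield empty strings,
# which the helpers above report as "unknown" / "ok".
report() {
    ver="$(iptables --version 2>/dev/null || true)"
    ufw="$(systemctl is-enabled ufw.service 2>/dev/null || true)"
    nft="$(systemctl is-enabled nftables.service 2>/dev/null || true)"
    echo "iptables backend:  $(iptables_backend "$ver")"
    echo "ufw.service:       ${ufw:-not-found}"
    echo "nftables.service:  ${nft:-not-found}"
    echo "boot-time check:   $(service_conflict "$ufw" "$nft")"
}

# Only touch the live system when asked to: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    report
fi
```

If the boot-time check prints `conflict`, `sudo systemctl disable --now nftables.service` leaves ufw as the only service loading rules.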