nx-desktop / nx-firewall

Firewall KCM
GNU General Public License v3.0

Remove UFW dependency of nomad-firewall. #21

Open azubieta opened 6 years ago

azubieta commented 6 years ago

The UFW back-end contains a lot of legacy code from the former Kufw, which is currently buggy and hard to maintain.

We will change to a simpler approach in order to ease future maintenance without losing functionality.

Conan-Kudo commented 6 years ago

Are you considering interfacing with something like firewalld? It'd be awesome to have a nice KCM for it. :)

azubieta commented 6 years ago

Actually, we are going to communicate directly with iptables or nftables. We want to do something simpler. Both ufw and firewalld are quite nice tools, but for a basic user they are still complex tools. Issue #22 is what we are trying to support: something dead simple that gives those users' systems an extra layer of security.

Also, you are probably thinking right now that there is a lot of functionality that will not be supported. You are right. But we also think that if a user knows what a firewall is and how to set it up properly, they should be able to open a CLI and type a few commands. What do you think?

But don't worry, we do plan to allow defining custom rules, and we will provide a list of presets based on the /etc/services listing.

@Conan-Kudo If you have experience with firewalls you can help us to improve the predefined profiles, go to issue #22 and feel free to drop your thoughts. The development is in the "new_implementation" branch.
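As an added illustration of the design sketched in the comment above (talking to nftables directly, with presets derived from /etc/services), here is a small Python generator. This is example code written for this page, not code from nx-firewall or its "new_implementation" branch; the /etc/services fragment is constructed inline, and the table name `nomad` and the default-deny input policy are assumptions. It turns a list of enabled service presets into an nft ruleset that can be checked with `nft -c -f` and loaded with `nft -f`.

```python
"""Build a minimal nftables ruleset from /etc/services-style presets.

Added example (not nx-firewall's code). Policy: drop unsolicited inbound
traffic, keep loopback and established/related flows, let ICMP/ICMPv6 through
(dropping ICMPv6 breaks IPv6 neighbour discovery), and open only the chosen
presets. Table name "nomad" and the policy are assumptions for this example.
"""
import re

# Constructed sample in /etc/services format: name port/proto [aliases] [# comment]
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
ssh             22/udp
http            80/tcp          www             # WorldWideWeb HTTP
https           443/tcp                         # http protocol over TLS/SSL
https           443/udp
domain          53/tcp                          # Domain Name Server
domain          53/udp
"""

# name, port, proto, optional aliases, optional trailing comment
_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s*(.*?)\s*(?:#.*)?$")


def parse_services(text):
    """Return {name: {(port, proto), ...}}; aliases map to the same entries."""
    presets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:  # e.g. sctp entries or malformed lines: skip, don't guess
            continue
        name, port, proto, aliases = m.groups()
        for n in [name, *aliases.split()]:
            presets.setdefault(n, set()).add((int(port), proto))
    return presets


def build_ruleset(presets, enabled, family="inet", table="nomad"):
    """Render an nft ruleset that opens only the enabled presets.

    Unknown preset names raise instead of silently opening nothing, so a typo
    in a profile cannot pass as a valid configuration.
    """
    unknown = sorted(s for s in enabled if s not in presets)
    if unknown:
        raise ValueError(f"unknown service preset(s): {unknown}")
    ports = {"tcp": set(), "udp": set()}
    for svc in enabled:
        for port, proto in presets[svc]:
            ports[proto].add(port)
    lines = [
        # declare-then-flush makes the file idempotent on reload
        f"table {family} {table}",
        f"flush table {family} {table}",
        f"table {family} {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state invalid drop",
        "    ct state established,related accept",
        "    meta l4proto { icmp, icmpv6 } accept",
    ]
    for proto in ("tcp", "udp"):
        if ports[proto]:
            plist = ", ".join(str(p) for p in sorted(ports[proto]))
            lines.append(f"    {proto} dport {{ {plist} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host, read the system file; a backend would run: nft -c -f <file>
    with open("/etc/services") as fh:
        print(build_ruleset(parse_services(fh.read()), ["ssh", "http"]))
```

Outbound traffic is left untouched here, which matches the "extra layer of security for basic users" goal; a more complete back-end would also handle a forward chain and per-interface rules, which is exactly the territory where ufw or firewalld become attractive again.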

Conan-Kudo commented 6 years ago

> Both ufw and firewalld are quite nice tools but for a basic user they are still complex tools.

I'm not sure that's strictly true. While it's been a while since I've used ufw, FirewallD has a "simple" mode interface, operating on the principle of services, zones, and modes. In a lot of cases, you can just ignore zones and modes if you don't care for them...

The chief advantage of FirewallD (aside from the fact that it's shipped in nearly every major distribution, and two major distribution families are using it by default now) is exactly that it offers a way to provide "basic" firewall management with a very easy way to go to more advanced layers when you need to. In addition, the main interface doesn't need to be privileged to manipulate the firewall, it can just talk to the daemon over D-Bus to adjust the firewall state.

Even the elementary OS guys intend to move from ufw to FirewallD for their firewall backend, for these reasons.