Why would you use that over iptables? It's simple and doesn't require installing a package.
> There is a lot of functionality built into these
> utilities, iptables being the most popular nowadays, but
> they require a decent effort on behalf of the user to
> learn and understand them.
It's just a nicer interface to iptables. Instead of changing my iptables config file you can do things like 'sudo ufw allow 22' or 'sudo ufw allow http' for example.
You should still understand iptables but you do not need to configure everything manually.
Simple is being able to simply say "allow all outgoing traffic and incoming traffic should only be allowed for HTTP(S) and SSH" and being able to figure out how to do it by just invoking "ufw --help".
Maybe someday I'll learn about iptables, I'm sure it's going to be worth it, but for now ufw does the job for me.
Indeed, it is. Even if you want to cargo cult that without understanding it, you might get bitten because running those commands again will not do what you expect, since they're not idempotent.
You will now reply telling me how to deal with this situation, for example if I want to now listen on a different port, or how I get FTP (or some other protocol that needs "-m state") to work. The need to do this proves that using iptables is more complicated than your example.
I've not played with iptables much, but when I do, I'm always struck by how easy it is to read rules, yet hard to write from scratch. This being said, a simple config like this is trivially googleable.