
Enabling NFLOG in ufw (<0.37)

From time to time I need to install an Ubuntu LTS system; last time it was 22.04 LTS (jammy). The default firewall configuration logs through the iptables LOG target, which writes to the kernel message buffer, so the output of dmesg is polluted from very early on, especially on busy systems exposed to the internet.

It’s nice to have a closed firewall by default, but not at the price of polluting the precious kernel message buffer.

So let’s tell ufw to log to NFLOG and move on. No, not so fast. Claude and OpenAI failed miserably at that question.

Bug 1475676 - please add NFLOG support was reported on 2015-07-17 (10 years ago). A fix was merged on 2024-02-17 (1½ years ago). It is included in version 0.37, which is not yet released.

The latest published version is 0.36.2-9, and the patch applies cleanly to it.

So… how do I make ufw log to NFLOG?

# Install the latest published version (run as root). The .deb is fetched
# outside apt, so check its SHA256 against the signed Packages index of the
# archive it comes from before installing it.
wget https://mirrors.kernel.org/ubuntu/pool/main/u/ufw/ufw_0.36.2-9_all.deb
dpkg -i ufw_0.36.2-9_all.deb

# Patch the installed Python sources with the src/ part of the merge proposal.
# filterdiff keeps only the files under src/; patch -p 2 strips the two leading
# path components (a/src/) so the files land in the ufw package directory, and
# -b keeps .orig backups of the originals.
apt install patchutils
curl -Ls https://code.launchpad.net/~ekacnetubuntu/ufw/+git/ufw/+merge/435890/+preview-diff/997747/+files/preview.diff \
    | filterdiff -i '*/src/*' /dev/stdin \
    | patch -b -p 2 -d /usr/lib/python3/dist-packages/ufw

# Enable logging to NFLOG. Caveat: a later upgrade of the ufw package will
# overwrite the patched files and silently revert to the LOG target, so pin
# the package or re-apply the patch after upgrading. Also, NFLOG messages are
# only delivered to a userspace subscriber (ulogd2, or tcpdump on an nflog
# interface); without one, nothing is logged anywhere.
cat <<EOF >>/etc/default/ufw

# https://code.launchpad.net/~ekacnetubuntu/ufw/+git/ufw/+merge/435890
LOGGING_BACKEND=netfilter_log
EOF
ufw disable
ufw enable
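After re-enabling ufw it is worth confirming that the patch actually took effect, i.e. that no rule in the live ruleset still jumps to LOG, and finding out which NFLOG group to subscribe to. The script below is an added example written for this page, not part of the original post or of ufw; it works on saved ruleset text (`iptables-save` / `ip6tables-save` output), so the checks themselves need no root. The two rulesets it builds are constructed samples that imitate ufw's stock logging rules, and the group number 32 in the "after" sample is an arbitrary assumption, not a value taken from the patch.

```shell
#!/bin/sh
# Added example (not from the original post or from ufw): check a saved
# ruleset for leftover kernel-log LOG targets and list the NFLOG groups used.

# check_log_targets FILE
#   FILE holds iptables-save output. Prints how many rules jump to LOG
#   (kernel message buffer) and how many to NFLOG. Exit status is 1 if any
#   LOG rule remains, 0 otherwise, so it can gate a deployment script.
check_log_targets() {
    awk '
        /^-A / && / -j LOG( |$)/   { kern++ }
        /^-A / && / -j NFLOG( |$)/ { nflog++ }
        END {
            printf "LOG rules: %d  NFLOG rules: %d\n", kern + 0, nflog + 0
            exit (kern + 0) > 0 ? 1 : 0
        }' "$1"
}

# nflog_groups FILE
#   Prints the distinct NFLOG group numbers in the ruleset, one per line.
#   A NFLOG rule with no explicit --nflog-group uses group 0, so it is
#   reported as 0 rather than skipped.
nflog_groups() {
    awk '
        /^-A / && / -j NFLOG( |$)/ {
            g = 0
            for (i = 1; i <= NF; i++)
                if ($i == "--nflog-group") g = $(i + 1)
            print g
        }' "$1" | sort -n -u
}

# make_samples DIR
#   Writes two constructed rulesets (not captured from a real host) in
#   iptables-save format: before.rules with ufw-style LOG rules, and
#   after.rules with the same rules rewritten to NFLOG. The group 32 is an
#   assumed value for illustration only.
make_samples() {
    cat > "$1/before.rules" <<'EOF'
*filter
:ufw-before-logging-input - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-user-input - [0:0]
-A ufw-before-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
*filter
:ufw-before-logging-input - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-user-input - [0:0]
-A ufw-before-logging-input -m limit --limit 3/min --limit-burst 10 -j NFLOG --nflog-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j NFLOG --nflog-prefix "[UFW BLOCK] " --nflog-group 32
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Live usage on a host (as root):
#   iptables-save > /tmp/rules.v4 && check_log_targets /tmp/rules.v4
#   for g in $(nflog_groups /tmp/rules.v4); do tcpdump -ni "nflog:$g"; done
```

The second usage line matters in practice: a NFLOG rule only delivers packets to whatever has subscribed to its group, so once LOG is gone you need ulogd2 or a `tcpdump -i nflog:N` listener on each group the ruleset uses, otherwise the blocked traffic is not recorded anywhere. Run the check on both `iptables-save` and `ip6tables-save` output, since ufw installs logging rules for both families.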

Tested on 22.04.5 LTS (jammy).