I know HestiaCP uses iptables by default for its firewall management (integrated with fail2ban). I prefer using UFW to manage firewall rules and was wondering:
Is there a supported (or at least safe) way to use UFW alongside HestiaCP?
Could I, for example, install HestiaCP first and then reinstall UFW afterwards to take over firewall management? Would that break anything in Hestia?
Has anyone successfully replaced Hestia’s iptables setup with UFW, or is it better to leave Hestia’s defaults alone to avoid conflicts?
I’d appreciate any guidance from anyone who has tried this or knows about Hestia’s firewall integration in more detail.
You can install Hestia using the option --iptables no.
Yes, install Hestia using --iptables no, remove ufw during the installation, and once the installation has finished, reinstall ufw.
Break? You won’t break anything, but you won’t be able to manage firewall rules from Hestia, and fail2ban won’t be installed, so the Hestia rules for fail2ban won’t be used; you should install fail2ban manually and create your own rules to integrate the bans/unbans using the ufw wrapper.
You can do what you want, but I see no benefit in using ufw.
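As an added illustration of the "install fail2ban manually and route bans through the ufw wrapper" step described above (example configuration, not from this thread or the Hestia project; it assumes fail2ban's stock action.d/ufw.conf is present and that ufw has already been enabled with a default deny-incoming policy):

```ini
# /etc/fail2ban/jail.local (added example; adjust paths and IPs for your host)
[DEFAULT]
# Use fail2ban's shipped ufw action instead of the iptables ones, so every
# ban/unban becomes an "ufw insert ... from <ip>" / "ufw delete ..." call
# and shows up in "ufw status numbered" next to your hand-written rules.
# blocktype=reject answers the client immediately; use deny to drop silently.
banaction = ufw[blocktype=reject, insertpos=1]
banaction_allports = ufw[blocktype=reject, insertpos=1]

# Loopback plus the admin's own address (203.0.113.10 is a constructed
# placeholder from the documentation range; replace it with yours).
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[recidive]
# Repeat offenders (already banned 5 times in a week) get a long all-ports ban.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 1w
findtime  = 1w
maxretry  = 5
```

After reloading fail2ban, verify the wiring with `fail2ban-client status sshd` and `ufw status numbered`: a banned address should appear as an inserted REJECT rule at the top of the list and disappear again when the ban expires.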
I’ve been working with firewalls for years. I used iptables extensively in the past, but nowadays I prefer using UFW, not just for simplicity but in an advanced way. I often create custom rules directly using iptables syntax, and I use iptables actions with fail2ban instead of UFW’s built-in actions. I also tweak the before.rules file for specific use cases.
The main reason I stick to UFW is that it’s easy to manage and audit, but I still use iptables directly to inspect chains and monitor traffic.
For fail2ban, I tested Hestia with iptables and fail2ban enabled, and I’ve been able to replicate all of that functionality within UFW fairly easily. If it’s useful, I could even share my approach for integrating UFW with fail2ban and some custom strategies I use to block various types of attacks (including leveraging the recent module and smarter fail2ban tweaks using its internal variables).
One additional question:
If I install Hestia with --iptables no and set up UFW and fail2ban manually, would Hestia later override these configurations during updates? Or would it leave them alone since iptables/fail2ban were disabled at install time?
No, Hestia won’t override that configuration during updates.
If you disable iptables during the installation, fail2ban won’t be installed either, so you can install ufw and fail2ban manually afterward.
However, if you already have a Hestia server with iptables and fail2ban installed by Hestia, you can disable their usage as follows:
That’s great to know about Hestia not overriding the configuration during updates when iptables and fail2ban are disabled at install time. The additional steps for disabling hestia-iptables and cleaning up the systemd services on an existing server are very helpful too.
I’ll go ahead and prepare a write-up to share my approach for integrating UFW with fail2ban (including some of the custom strategies I use, like leveraging the recent module, smarter fail2ban actions, and tweaks for blocking different attack patterns). I think this could be useful for others who prefer UFW but still want to maintain a secure setup with Hestia.
Out of curiosity: are there any areas in Hestia’s firewall/fail2ban integration you’d consider open for contribution or enhancement (like optional UFW support in the future)?
Yes, that could be an option but I’m not entirely convinced. iptables works very well on its own without needing to add a wrapper like ufw, especially since Hestia already provides a Web UI to manage the firewall. Also, the issue with adding a new feature is that it then needs to be maintained, and unfortunately, Hestia doesn’t have enough developers right now to take on too many additional responsibilities.
Thanks, that makes perfect sense. I understand the concern about maintenance and agree that Hestia’s current iptables setup with the Web UI works very well.
I’ll prepare a concise write-up for users who prefer UFW, showing how to integrate it cleanly with fail2ban without interfering with Hestia’s core functions. Hopefully it can be a helpful resource for advanced users.
If UFW support ever becomes an option in the future, I’d be happy to contribute or maintain it.