
that has nothing to do with any single one of those tools, just the fact of trying to manage a firewall with more than one tool at once.

Netplan technically could solve it but I have zero trust in Ubuntu not fucking it up or abandoning it in a few years. And starting with YAML is already begging to fail.




All mentioned items have side-channel borked firewall and route rules in the past. Some bugs intermittently silently block local daemon instances from (re)loading like magic (some bugs only happen when the system is brought up).

If your daily tasks include something less borked, then consider yourself very lucky you live without systemd. If I recall, ufw was intended for simple workstation rule sets.

Personally, for home stuff I tend to use a heavily customized rule-set that interoperates with fail2ban. And a very old repeatably stable approach to setting up the interfaces from a known default state...

https://shorewall.org/

Best of luck, =)


I remember hating shorewall and similar ones because, well, I know iptables, and I know exactly what I want, so using anything that tries to abstract it into its own approach is torture: I need to take the rules I want and translate them to whatever mediocre paradigm shorewall (or ufw, or near-any other firewall manager in the wild) decided to put on top of iptables.

I ended up using ferm http://ferm.foo-projects.org/ which is basically a convenience layer over iptables, the keywords are named the same and the rules map nearly 1:1 and the changes of mapping are essentially macro and variable expansion. So it's basically iptables but a lot of tedium removed.

Our biggest one is around 1.5k rules and very manageable, using ferm with rule files generated via Puppet. Every entry gets a comment allowing us to track where it came from too.

> If your daily tasks include something less borked, then consider yourself very lucky you live without systemd. If I recall, ufw was intended for simple workstation rule sets.

Systemd has little to do with any of that
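An added example, not from any commenter above, of the "iptables keywords plus variable and macro expansion" style the ferm comment describes. Every name, address and port below is constructed for illustration (RFC 5737 documentation ranges, a hypothetical `puppet:` comment prefix for rule provenance); nothing is taken from the commenter's actual 1.5k-rule set.

```ferm
# /etc/ferm/ferm.conf (constructed example)
# Variables: one definition, expanded wherever referenced. A list value
# expands into one iptables rule per element, which is most of what a
# macro layer buys you over raw iptables.
@def $DEV_WAN   = eth0;
@def $ADMIN_NET = (192.0.2.0/24 198.51.100.0/24);   # constructed ranges
@def $SSH_PORT  = 22;

# Function macro: reusable rule fragment with parameters. The comment
# match (xt_comment) tags each rule with where it came from, the way the
# commenter describes tracking Puppet-generated entries.
@def &ADMIN_TCP($port, $tag) = {
    interface $DEV_WAN proto tcp dport $port saddr $ADMIN_NET
        mod comment comment "puppet:$tag" ACCEPT;
}

domain ip table filter {
    chain INPUT {
        policy DROP;

        # Drop malformed packets before anything else is consulted.
        mod state state INVALID DROP;
        # Return traffic for connections this host already opened.
        mod state state (ESTABLISHED RELATED) ACCEPT;

        interface lo ACCEPT;
        proto icmp ACCEPT;

        # Expands to two rules, one per element of $ADMIN_NET.
        &ADMIN_TCP($SSH_PORT, "ssh-admin");
    }
    chain FORWARD policy DROP;
    chain OUTPUT  policy ACCEPT;
}
```

`ferm --noexec --lines /etc/ferm/ferm.conf` prints the generated iptables rules without applying them, which is how you confirm that `$ADMIN_NET` really expanded into the two `-s` rules you expected. When loading a new rule set on a remote host, `ferm --interactive` applies it and rolls back unless you confirm within its timeout, so a typo in `$ADMIN_NET` does not lock you out.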


What advantages does ferm have over nftables? The format looks similar.



