Description
Currently UFW's default logging configuration sends firewall events to the kernel log buffer. When a remote IP hits a blocked port, this L3 network event has no business being in kernel logs. Kernel logs should be reserved for actual kernel-level events - driver issues, module problems, hardware faults, memory errors, etc. The current default is architecturally wrong - it's like logging HTTP 404s to dmesg.
On busy production systems running for 1000+ days, the kernel buffer becomes polluted with thousands of network events. This makes it significantly harder to spot real kernel issues that need immediate attention. Finding a driver error in a sea of blocked port attempts is not just inconvenient - it's a reliability issue.
While UFW already has a netfilter backend fully implemented using NFLOG, it defaults to kernel logging. L3 network events don't belong in kernel logs - they should be in dedicated log facilities.
Proposed change:
diff --git a/conf/ufw.defaults b/conf/ufw.defaults
--- a/conf/ufw.defaults
+++ b/conf/ufw.defaults
@@ -20,7 +20,7 @@
# Set the logging backend to use. If you change this, you will need to reload
# the firewall for the changes to take effect.
# - kernel - use the traditional LOG logging target
# - netfilter - use the NFLOG logging target
-LOGGING_BACKEND="kernel"
+LOGGING_BACKEND="netfilter"
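Review bot: Switching the default to `netfilter` changes where the log records physically land, and the comment block above the setting should say so: NFLOG hands each logged packet to an nfnetlink_log group, and nothing is persisted unless a userspace listener (ulogd2 or an equivalent nflog consumer) is subscribed to that group. On a host that has no such listener, the effect of this one-line change is that blocked-port events stop appearing anywhere, which is a silent logging regression rather than a relocation of the logs. Suggest extending the hunk's comment with a line such as `# - netfilter - use the NFLOG logging target (requires a userspace NFLOG listener such as ulogd)` and either keeping `kernel` as the installed default or having the packaging/install step verify that a listener is configured before the `netfilter` default takes effect; the rest of the hunk (reload note, option list) is fine as written.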