Why is the firewall disabled by default?

Solution 1

Out of the box, Ubuntu ships with no TCP or UDP ports open, hence the belief that there's no reason to run Uncomplicated Firewall (ufw) by default. I agree, though, that having ufw disabled is a strange decision. My reasoning is that inexperienced users are feasibly going to install things like Samba, Apache and suchlike as they experiment with the system put before them. If they don't understand the implications of this, they will expose themselves to malicious behaviour on the internet.

Example - I've got my laptop configured with Samba, which is fine in my home network protected with WPA2. But if I take my laptop to a Starbucks, I might not think anything of it, but that laptop is now advertising my shares to all and sundry. With a firewall, I can restrict my Samba ports to only my home server or peer devices. No need to worry as much now about who might be trying to connect to my laptop. Same goes for VNC, SSH, or a huge number of other useful services my laptop might be running, or trying to connect to.

Ubuntu takes a very on/off approach to certain elements of security, a philosophy I can't agree with. Security might be technically on or off, but by layering elements of security over one another, you end up with a better system. Sure, Ubuntu's security is good enough for a large number of use cases, but not all.

Bottom line, run ufw. Better safe than sorry.

Uncomplicated Firewall has a number of graphical front ends, but the simplest is Gufw.

sudo apt-get install gufw

Here, I'm allowing all traffic from specific server VLANs in my corporate environment and I've added a rule to allow the necessary ports for a reverse SSH session to bounce off this machine.

GUFW Screenshot

Solution 2

In contrast to Microsoft Windows, an Ubuntu desktop does not need a firewall to be safe on the Internet, since by default Ubuntu does not open ports that can introduce security issues.

In general a properly hardened Unix or Linux system will not need a firewall. Firewalls (except for certain security problems with Windows computers) make more sense to block internal networks from the Internet. In this case local computers can communicate with each other over open ports which are blocked towards the outside by the firewall. In this case, the computers are intentionally opened up for internal communications which should not be available outside the internal network.

The standard Ubuntu desktop would not require this, hence ufw is not enabled by default.

Solution 3

In Ubuntu or any other Linux the firewall is a part of the base system and is called iptables/netfilter. It is always enabled.

iptables consists of a set of rules on what to do and how to behave when a packet is going out or coming in. If you want to explicitly block incoming connections from a specific IP, you will need to add a rule. Actually you don't need to do so. Relax.

If you want good security from anything, remember: don't install random software from anywhere. It might screw up your default security settings. Don't run as root ever. Always trust the official repos.

I think what you wanted to ask was whether the UI is installed or not?

Solution 4

Also, gufw can provide a GUI front-end. (It isn't really more intuitive than ufw on the command line, to me, but it does give you a more visual reminder of what is there.) I agree that the firewall is not advertised well at present. If I were to guess, I'd say this is to prevent new users from shooting themselves in the foot.

Author: 6205

Updated on September 17, 2022

Comments

  • 6205
    6205 over 1 year

    Why is ufw firewall included in Ubuntu, when it is not enabled and pre-configured by default? Most users don't even know it is there, because no GUI frontend is provided.

    • Admin
      Admin about 6 years
      I'm having the same question that's why I landed here, just a got a very wild guess that Linux users (in contrast with Windows users who are more likely to be normal desktop users) have a various uses of Linux: some for pentesting, some use ssh, some don't, a lot use it as a webserver, database or smtp server ... the Linux philosophy will let every user configure his firewall as he see fit.
    • Admin
      Admin almost 5 years
      This is an incredibly bad design decision. Just astonishingly bad!
  • papukaija
    papukaija over 13 years
    Isn't (g)uwf just a frontend? I mean the real firewall is iptables, isn't it?
  • Scaine
    Scaine over 13 years
    You make it sound like a firewall is "always enabled", which isn't the case. It might be integrated, but unless you turn it on with sudo ufw enable, the first piece of server software you install will open a port that the built-in iptables isn't going to do a thing about.
  • Scaine
    Scaine over 13 years
Even properly hardened systems will benefit from a firewall. For example, if you run Samba, you open various ports to everyone. With a firewall, you can restrict that to only your server or peers.
  • Manish Sinha
    Manish Sinha over 13 years
Why are normal users going to install a piece of server software? I think only web servers open the socket which is accessible outside. An application binds itself to a port on a specific interface if I am not wrong. MySQL only listens to connections on localhost.
  • papukaija
    papukaija over 13 years
    ufw just controls iptables - that's why it's not enabled by default. Advanced users are able to use iptables.
  • papukaija
    papukaija over 13 years
    @Scaine: ufw doesn't do the work; it's done by iptables which is enabled by default.
  • Manish Sinha
    Manish Sinha over 13 years
@Scaine: I concur with papukaija, the firewall runs all the time. gufw might be just a GUI frontend which I don't use. The default security level on a Linux box is pretty robust (unless there is some misconfiguration).
  • Scaine
    Scaine over 13 years
Hi guys. UFW is a front end on iptables - I get it. However, by default, iptables does precisely NOTHING. It's not functioning. It's not a firewall. It's ready, but useless. You MUST run sudo ufw enable before iptables is configured to do anything. Manish, your answer sounds like a firewall is running. You're saying "technically it is" and technically you're right. But it's not doing anything, so you're giving a massively false impression of security where none exists.
  • Scaine
    Scaine over 13 years
    @manish, regarding "normal users installing server software". Many will install Samba, as per my example. Many others will use the built-in VNC server in preferences/remote desktop. This is fine in the home environment (probably), but take that laptop outside with those services enabled, you're potentially exposing yourself to malicious behaviour.
  • belacqua
    belacqua over 13 years
    ssh, print-related and mail ports are also frequently opened for completely normal kinds of desktop or server operations. These can be locked down (by source IP for example) or closed completely with ufw or another flavor of firewall/ACL .
  • belacqua
    belacqua over 13 years
    @papukaija -- advanced users of iptables are able to use iptables. An advanced user on a bsd system would use pf, but that doesn't make that user, coming to ubuntu, suddenly unsophisticated. Likewise with someone who is primarily a network engineer -- that person would know Cisco or Juniper ACL logic. It's not for everyone, but ufw can make configuration more accessible, and in my opinion this is a good thing.
  • belacqua
    belacqua over 13 years
@manish -- What @scaine is saying is correct -- iptables running in completely open mode is just an open ACL. Or like setting IPSec encryption to NULL, per RFC2410. In the business world, that doesn't get you anything on a security audit, and it shouldn't.
  • papukaija
    papukaija over 13 years
    @jgbelacqua: True but the scaine's answer gives an image that ufw is a firewall while it's just a frontend to iptables.
  • Manish Sinha
    Manish Sinha over 13 years
@jgbelacqua I get this, but locking down so severely is a problem. Every time I install ufw, it creates a lot of problems. I always find the default settings good.
  • belacqua
    belacqua over 13 years
    @manish -- no disagreement here on that. My answer about 'new users' shooting themselves in the foot shouldn't have excluded other user types -- I've certainly wasted my own time troubleshooting after locking down my system (e.g., can't connect to apache on my own network). So, yes, default (non-firewalled) security is fine in most cases, but I still maintain that iptables running 'open' isn't a functional part of that security.
  • Manish Sinha
    Manish Sinha over 13 years
@jgbelacqua I agree on that. I feel that Linux's default security is pretty great. It strikes a fine balance between naked open systems and strongly locked down systems where you cannot make out heads or tails why something is not working.
  • belacqua
    belacqua about 13 years
    netfilter + iptables or netfilter + ufw (which includes iptables) provides the firewall. But if you have ufw, you will have firewall functionality.
  • nanofarad
    nanofarad over 11 years
    [citation needed]
  • sourcejedi
    sourcejedi almost 10 years
(Aggressive pedant warning) I'd recommend users not allow random incoming UDP/53 packets on the basis of spoofable source address. They've been used in real-world attacks (DNS poison, DoS by amplified traffic). You would need to do this why?
  • Scaine
    Scaine over 9 years
    Yep, probably true. That's a bad screenshot really, of an old PC where I just wanted the OpenDNS out of my logs. It's not good practice. If I get time, I'll try to update the screenshot, since GUFW looks pretty different these days anyway.
  • Daniel
    Daniel about 8 years
This is completely absurd. A firewall is used to protect in and out communications from illegitimate use... This means that if you install, let's say, a music player that opens a port wrongly, you would have an open connection to the internet. That's called preemptive security: you protect from the things that may happen. This answer gives people a false sense of security in Linux environments.
  • HRJ
    HRJ over 7 years
    Passwords sit at a much higher level of the stack. Systems can be attacked through simple buffer overruns at lower levels of the stack.
  • H2ONaCl
    H2ONaCl over 7 years
    Why the downvote?
  • H2ONaCl
    H2ONaCl over 7 years
    @HRJ, "systems can be attacked" doesn't refute that convenience matters. You have not addressed the correctness of what I wrote. I'm right. You're on a tangent.
  • Bill McCracken
    Bill McCracken over 5 years
    @Scaine question about your samba example ... I have samba (cifs mounting) installed, but the only apps that show up with ufw app list are CUPS and OpenSSH. So, is ufw really able to allow/deny samba? Maybe samba only shows up in the list if I'm actively and publicly sharing something.
  • Peter
    Peter about 5 years
    I just love how you pretend that there is no need for a firewall! Reminds me of the stance Apple took with antivirus software. its just ridiculous!!!
  • JustAMartin
    JustAMartin almost 4 years
    Then does Windows, in contrast to Ubuntu, by default open ports that can introduce security issues? I'm not aware that a clean installation of Windows has some software running that has to be blocked by a firewall immediately by default.
  • Admin
    Admin about 2 years
What do you mean by "does not open ports by default"? If no iptables rules are set, I would say all ports are open. It's just that no one is listening, which makes it safe. Maybe it's just me and I've got a wrong definition of an "open" port.
  • Admin
    Admin about 2 years
    At first, I thought that the (sort of) empty iptables meant that all ports are open. I didn't really understand why running a server like samba would open any port, since it wouldn't touch the iptables. But I've finally understood that by "not open" we mean that no program is actively listening, and since no one is listening, it's fine to allow any incoming packet and no harm can be done. Did I get it right? If so, could you add something in your answer to clarify it for other people who might make the same mistake as I did?
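As an added example (not part of the original thread or of ufw), here is a small Python audit of what "no open ports" means in practice: it parses the kernel's /proc/net/tcp format and reports sockets in LISTEN state that are bound to a non-loopback address, i.e. the services a remote packet could reach when the packet filter is empty. The /proc/net/tcp path and column layout are the kernel's; the sample data below is constructed and represents a host running MySQL on loopback plus SSH and Samba on all interfaces.

```python
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def _hex_ipv4(hex_addr):
    # /proc/net/tcp stores IPv4 addresses as little-endian hex, e.g. 0100007F = 127.0.0.1
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(proc_text):
    """Return (ip, port) for every socket in LISTEN state in /proc/net/tcp text."""
    listeners = []
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        addr_hex, port_hex = fields[1].split(":")
        listeners.append((_hex_ipv4(addr_hex), int(port_hex, 16)))
    return listeners


def exposed_listeners(listeners):
    """Keep listeners bound to a non-loopback address: reachable without a firewall."""
    return [(ip, port) for ip, port in listeners if not ip.startswith("127.")]


# Constructed sample in /proc/net/tcp format (not captured from a real host):
# MySQL (3306) on loopback only, SSH (22) and Samba (445) on all interfaces,
# and one outbound ESTABLISHED connection that must not be reported.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   110        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:9C40 0B00000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:  # live data on a Linux host
            text = f.read()
    except OSError:
        text = SAMPLE  # not on Linux: fall back to the constructed sample
    for ip, port in exposed_listeners(parse_listeners(text)):
        print(f"reachable from the network: {ip}:{port}")
```

Only IPv4 is covered; /proc/net/tcp6 uses the same columns with 32-hex-digit addresses and would need its own address decoder. Anything this reports is what a default-deny ufw policy would shield until you add an explicit allow rule for it.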