IMO the ufw wiki page should be edited, adding the command “sudo systemctl start ufw.service” with an explanation that this would enable it on startup.
As newcomers like myself are confused about why the firewall is off after reboot, or “worse”, not bothering to check its status and not having an active firewall.
As to your suggestion, I don’t know what to think about it.
On one hand a firewall is a basic useful feature; on the other hand I like the non-Windows way of not doing things on my behalf and letting me do the research and choose for myself if I want to enable it and what firewall (e.g.) I want to use.
I just read that Windows is removing torrent clients for all kinds of “security reasons” from people’s installations.
That kind of behavior is one of the reasons I quit Windows.
None of the distros I tried had ufw enabled by default. Some had it installed but not enabled.
In its default configuration all incoming connections are blocked. So, yes, you’ll need to set rules for services that should be accessible from the outside.
That’s pretty much the reason for enabling by default.
Sometimes you install software where you don’t even know it’s listening on some ports on your network interface.
Just as an example: I remember some case where someone (on this forum it was even, I guess) installed docker on his machine and the REST-API service was enabled (not sure if that was the default setting or not). Without a firewall anyone in your network can connect to it and do nasty things.
Of course software should not be vulnerable like this in the first place… Still the FW would have helped in this case as an additional security measure.
On the other hand it would probably also create more “confusion” having it enabled by default.
“Hey I’ve configured sshd on my machine but can’t connect from another PC”.
“I run an HTTP server on my Manjaro, but it does not load from my 2nd PC”.
Security vs. convenience.
Unfortunately nowadays the tendency is that there are more and more “evil players in the game”.
Maybe not (yet) really relevant for the normal Linux user though (if you don’t run MS Exchange).
OK if default policy is to block incoming traffic then it could be good I guess.
//EDIT: and yes it will create situations where people will have issues. So it could be good as a default policy but I think it must be a user choice in setup, or maybe at first boot it should open a window explaining a firewall is enabled and it could require configuration to use some programs (from the GUI for UFW which is GUFW, but other options are available now, for example KDE has a built-in UFW GUI in its settings, other desktops may also have one too).
IMHO, do not enable ufw by default. I do not like this firewall, i use firewalld which i find easier and more intuitive.
Now, you can add an option in Calamares where you can choose the firewall you want, and allow the user to enable it or not at startup.
Thus, if no firewall is enabled, you can show up some kind of notification or reminder to tell it to the user.
Having more options during installation though could be good, we could select an office suite last time I installed Manjaro, but we can’t select more important stuff. The installer could benefit from this in my opinion.
Yes, I kinda agree but at the same time it’s not true, Manjaro definitely takes decisions (like all other OS) about many things for its user and its OS. Each ISO is shipped with a bundle of apps the user didn’t choose and didn’t have any choice for. Manjaro selected these programs, their initial configuration and so on.
I recently did some testing with 21.2.1 XFCE and Gnome editions and noticed that UFW is installed by default but not enabled by default. The above forum thread also discusses this topic but has been closed. Here are my thoughts:
Why turn on a host firewall at all?
Manjaro is mainly used as a desktop operating system and many users are using it on laptops. Laptops often connect to public and foreign wireless networks, so it would be a good idea to minimize the attack surface from the network side.
Why enable UFW by default?
UFW is already installed by default, so someone already made the decision that UFW is the host firewall of choice for Manjaro. This decision makes sense because it is the Linux host firewall that is easiest to use, and with Manjaro being a UX focused distro it all makes sense this way.
What should be the settings of UFW by default?
When UFW is enabled, it usually comes up with a Default Rule that blocks all ingress traffic and another Default Rule that allows all egress traffic. These default settings will absolutely do the trick: Minimize attack surface from the network side while still allowing desktop apps to function properly.
What about users, who want to SSH into their Manjaro desktop?
I don’t have much insight into usage statistics for Manjaro, but would assume that most users don’t run any services on their Manjaro boxes that need to be accessible from the network.
However, the users that do, can use the already installed GUFW (someone made a good decision to install this package by default) and very easily open the ports needed to do what they need to do.
But we don’t want to make decisions for our users, do we?
This argument was used in the referenced topic. I understand that Manjaro wants to be an easy to install and use Desktop OS - Making sure that the default install is reasonably secure, is something that should be added to the mission/goals of this project. IMHO
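As an added example (not part of any post in this thread): the point raised above, that installed software may be listening on ports you do not know about, can be checked with a small shell filter over `ss -Htln` output that keeps only TCP listeners reachable from other hosts. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are NOT bound to loopback only.
# Input on stdin: lines in the format printed by `ss -Htln`
# (no header, listening TCP sockets, numeric addresses).
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        local_ep = $4                        # local address:port column
        n = match(local_ep, /:[0-9]+$/)      # locate the trailing :port
        if (n == 0) next
        addr = substr(local_ep, 1, n - 1)
        port = substr(local_ep, n + 1)
        sub(/%.*$/, "", addr)                # drop interface suffix, e.g. %lo
        gsub(/^\[|\]$/, "", addr)            # drop IPv6 brackets
        # Loopback-only sockets cannot be reached from the network.
        if (addr ~ /^127\./ || addr == "::1") next
        print addr, port
    }'
}

# Constructed sample input, so the example runs without a live system.
sample_ss() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096               *:2375            *:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096           [::1]:631          [::]:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
EOF
}

# Each line printed is a socket that a default-deny incoming policy
# would shield unless a rule explicitly allows it.
sample_ss | exposed_listeners
```

On a real machine, feed it live data with `ss -Htln | exposed_listeners` and compare the result with the rules you have actually allowed in your firewall.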