Enable ufw by default?

Hi,

Just a thought while having a look at the latest ISOs:

ufw should be enabled by default.

Not too much of an issue for the regular Desktop user, since those are running in a “trusted network” anyways (still, I’d enable it though).

But for laptop users, frequently switching networks and connecting to “untrusted networks”, this is a must in my opinion.

Kind regards,
MO

1 Like

UFW enabled by default would be nice. Could possibly make things easier for new users.

I usually enable GUFW firewall before connecting my laptop to the Internet.

IMO the ufw wiki page should be edited, adding the command “sudo systemctl start ufw.service” with an explanation that this would enable it on startup,
as newcomers like myself are confused about why the firewall is off after a reboot, or “worse”: not bothering to check its status and not having an active firewall.
Edit:
As to your suggestion, I don’t know what to think about it.
On one hand a firewall is a basic useful feature; on the other hand I like the non-Windows way of not doing things on my behalf and letting me do the research and choose for myself if I want to enable it and what firewall (e.g.) I want to use.
I just read that Windows is removing torrent clients for all kinds of “security reasons” from people’s installations.
That kind of behavior is one of the reasons I quit Windows.

Edit2
None of the distros I tried had ufw enabled by default. Some had it installed but not enabled.

sudo systemctl enable --now ufw is better

Just a quick note if you were to enable ufw, from the wiki:

 Warning: Don't enable both iptables.service and ufw.service 

Pop!_OS does not enable it by default, but will remember it once you enable it. So you only enable it once and it’ll take care of the rest.

1 Like

What good does having ufw enabled by default do? Even enabled you need to manually set rules in it, right?

In its default configuration all incoming connections are blocked. So, yes, you’ll need to set rules for services that should be accessible from the outside.
That’s pretty much the reason for enabling by default.

Sometimes you install software where you don’t even know it’s listening on some ports on your network interface.

Just as an example: I remember some case where someone (it was even on this forum, I guess) installed docker on his machine and the REST-API service was enabled (not sure if that was the default setting or not). Without a firewall anyone in your network can connect to it and do nasty things.

Of course software should not be vulnerable like this in the first place… Still the FW would have helped in this case as an additional security measure.

On the other hand it would probably also create more “confusion” having it enabled by default.
Things like:
“Hey I’ve configured sshd on my machine but can’t connect from another PC”.
“I run an HTTP server on my Manjaro, but it does not load from my 2nd PC”.

Security vs. convenience.
Unfortunately nowadays the tendency is that there are more and more “evil players in the game”.
Maybe not (yet) really relevant for the normal Linux user though (if you don’t run MS Exchange :wink: )

1 Like
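Added example, not part of any post in this thread: a small shell check for the situation described above, where a service listens on a network interface and no default-deny firewall is in front of it. The function names and the sample text are constructed for illustration; port 2375 stands in for an unencrypted Docker API listener.

```shell
#!/bin/sh
# Added example: which TCP listeners are reachable when ufw is not filtering?

# Print local address:port for TCP listeners not bound to loopback.
# Input: lines in `ss -H -tln` layout (State Recv-Q Send-Q Local Peer).
exposed_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Succeed only if `ufw status verbose` text says ufw is active and
# the default incoming policy is deny or reject.
ufw_blocks_incoming() {
    awk '/^Status: active/ { a = 1 }
         /^Default: (deny|reject) \(incoming\)/ { d = 1 }
         END { exit !(a && d) }'
}

# Constructed sample input (not captured from a real machine).
SAMPLE_SS='LISTEN 0 128  127.0.0.1:631  0.0.0.0:*
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 4096 *:2375         *:*
LISTEN 0 128  [::1]:631      [::]:*'
SAMPLE_UFW_ON='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)'
SAMPLE_UFW_OFF='Status: inactive'

report() {  # $1 = ss text, $2 = ufw status text
    if printf '%s\n' "$2" | ufw_blocks_incoming; then
        echo "ufw active, incoming denied by default"
    else
        echo "no default-deny firewall; reachable from the network:"
        printf '%s\n' "$1" | exposed_listeners | sed 's/^/  /'
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Reads the real system state; `ufw status` needs root.
    report "$(ss -H -tln)" "$(ufw status verbose)"
else
    report "$SAMPLE_SS" "$SAMPLE_UFW_OFF"
fi
```

Run it with `--live` as root to check the actual machine instead of the sample text.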

OK if default policy is to block incoming traffic then it could be good I guess.

//EDIT: and yes, it will create situations where people will have issues. So it could be good as a default policy, but I think it must be a user choice in setup, or maybe at first boot it should open a window explaining that a firewall is enabled and that it could require configuration to use some programs (from the GUI for UFW, which is GUFW, but other options are available now; for example KDE has a built-in UFW GUI in its settings, and other desktops may have one too).

2 Likes

I got confused for a moment, I thought I was responding to myself :smiley:
It’s the same in MX Linux and IMO it’s a good and easy setup choice.

IMHO, do not enable ufw by default. I do not like this firewall; I use firewalld, which I find easier and more intuitive.
Now, you can add an option in Calamares where you can choose the firewall you want, and allow the user to enable it or not at startup.
Thus, if no firewall is enabled, you can show up some kind of notification or reminder to tell it to the user.

Enable both ufw & fstrim by default

This topic is about ufw, not fstrim. Open a new feature request if you see fit.

Either way, our job isn’t to make decisions for our users, they are perfectly capable of doing that themselves. Everyone has different use cases and different hardware.

Having more options during installation though could be good, we could select an office suite last time I installed Manjaro, but we can’t select more important stuff. The installer could benefit from this in my opinion.

Yes, I kinda agree but at the same time it’s not true; Manjaro definitely takes decisions (like all other OSes) about many things for its users and its OS. Each ISO is shipped with a bundle of apps the user didn’t choose and didn’t have any choice for. Manjaro selected these programs, their initial configuration and so on.

2 Likes

Sry for this but another post for fstrim seemed overkill to me so I added this here :grimacing::grimacing::grimacing:

Yes with recent installs I didn’t have any option for office installation…used minimal iso though.

Some simple programs everybody and their machine needs (ufw, fstrim) can be enabled by default… if the user wants, he/she can easily disable them… but again one can argue the opposite… so…

There is no arguing about it if it is an option during installation. At least from the user perspective. Now it is up to devs to decide what is good and what is bad decision from their point of view.

2 Likes