Enable ufw by default?


Just a thought while having a look at the latest ISO’s:

ufw should be enabled by default.

Not too much of an issue for the regular Desktop user sinces those are running in a “trusted network” anyways (still I’d enable it though).

But for laptop users, frequently switching networks and connecting to “untrusted networks”, this is a must in my opinion.

Kind regards,


UFW enabled by default would be nice. Could possibly make things easier for new users.

I usually enable GUFW firewall before connecting my laptop to the Internet.

imo the ufw wiki page should be edited adding the command “sudo systemctl start ufw.service” with an explanation that this would enable it on startup.
as new comers as myself are confused on why after reboot the firewall is off,or “worse”;not bothering to check it’s status and not having an active firewall.
as to your suggestion;i don’t know what to think about it,
on one hand a firewall is a basic useful feature,on the other hand i like the non windows way of not doing things on my behalf and let me do the research and choose for myself if i want to enable it and what firewall(e.g)i want to use.
i just read that windows is removing torrent clients for all kind of “security reasons” from people installation.
that kind of behavior is one of the reasons i quit windows.

non of the distros i tried had ufw enabled by default.some had it installed but not enabled.

1 Like

sudo systemctl enable --now ufw is better

Just a quick note if you were to enable ufw, from the wiki:

 Warning: Don't enable both iptables.service and ufw.service 

Pop!_OS does not enable it by default, but will remember it once you enable it. So you only enable it once and it’ll take care of the rest.

1 Like

What good having ufw enabled by default does? Even enabled you need to manually set rules in it right?

In it’ default configuration all incoming connections are blocked. So, yes, you’ll need to set rules for services that should be accessible from the outside.
That’s pretty much the reason for enabling by default.

Sometimes you install software where you don’t even know it’s listening on some ports on your network interface.

Just as an example: I remember some case where someone (on this forum it was even I guess) installed docker on his machine and the REST-API service was enabled (not sure if that was the default setting or not). Without firewall anyone in your network can connect to and do nasty things.

Of course software should not be vulnerable like this in the first place… Still the FW would have helped in this case as an additional security measure.

On the other hand it would probably also create more “confusion” having it enabled by default.
Things like:
“Hey I’ve configured sshd on my machine but can’t connect from another PC”.
“I run an HTTP server on my Manjaro, but it does not load from my 2nd PC”.

Security vs. convenience.
Unfortunately nowadays the tendency is that there more and more “evil players in the game”.
Maybe not (yet) really relevant for the normal linux user though (if you don’t run MS exchange :wink: )


OK if default policy is to block incoming traffic then it could be good I guess.

//EDIT: and yes it will create situations where people will have issues. So it could be good as a default policy but I think it must be a user choice in setup, or maybe at first boot it should open a window explaining a firewall is enabled and it could require configuration to use some programs (from the GUI for UFW which is GUFW, but other options available now for example KDE has a built-in UFW GUI in its settings, other desktops may also have too).


i got confused for a moment,i thought i was responding to myself :smiley:
it’s the same in Mxlinux and imo it’s a good and easy set up choice.

IMHO, do not enable ufw by default. I do not like this firewall, i use firewalld which i find easier and more intuitive.
Now, you can add an option in Calamares where you can choose the firewall you want, and allow the user to enable it or not at startup.
Thus, if no firewall is enabled, you can show up some kind of notification or reminder to tell it to the user.

Enable both ufw & fstrim by default

This topic is about ufw, not fstrim. Open a new feature request if you see fit.

Either way, our job isn’t to make decisions for our users, they are perfectly capable of doing that themselves. Everyone has different use cases and different hardware.

Having more options during installation though could be good, we could select an office suite last time I installed Manjaro, but we can’t select more important stuff. The installer could benefit from this in my opinion.

Yes, I kinda agree but at the same time it’s not true, Manjaro definitely takes decisions (like all other OS) about many things for its user and its OS. Each ISO is shipped with a bundle of apps the user didn’t chose and didn’t have any choice for. Manjaro selected these programs, their initial configuration and so on.


Sry for this but another post for fstrim seemed overkill to me so I added this here :grimacing::grimacing::grimacing:

Yes with recent installs I didn’t have any option for office installation…used minimal iso though.

Some simple programs, everybody and their machine needs(ufw,fstrim), can be enabled by default…if the user wants, he/she can easily disable it…but again one can argue the opposite…so…

There is no arguing about it if it is an option during installation. At least from the user perspective. Now it is up to devs to decide what is good and what is bad decision from their point of view.


Yeah, would be very welcome to have the option during the OS installation to install the firewall and also to enable it or not by default.

1 Like

Continuing the discussion from Enable ufw by default?:

I recently did some testing with 21.2.1 XFCE and Gnome editions and noticed that UFW is installed by default but not enabled by default. Above forum thread also discusses this topic but has been closed. Here are my thoughts:

Why turn on a host firewall at all?
Manjaro is mainly used as a desktop operating system and many users are using it on laptops. Laptops often connect to public and foreign wireless networks, so it would be a good idea to minimize the attack surface from the network side.

Why enable UFW by default?
UFW is already installed by default, so someone already made the decision that UFW is the host firewall of choice for Manjaro. This decision makes sense because it is the Linux host firewall that is easiest to use, and with Manjaro being a UX focused distro it all makes sense this way.

What should be the settings of UFW by default?
When UFW is enabled, it usually comes up with a Default Rule that blocks all ingress traffic and another Default Rule that allows all egress traffic. These default settings will absolutely do the trick: Minimize attack surface from the network side while still allowing desktop apps to function properly.

What about users, who want to SSH into their Manjaro desktop?
I don’t have much insight into usage statistics for Manjaro, but would assume that most users don’t run any services on their Manjaro boxes that need to be accessible from the network.
However, the users that do, can use the already installed GUFW (someone made a good decision to install this package by default) and very easily open the ports needed to do what they need to do.

But we don’t want make decisions for our users, do we?
This argument was used in the referenced topic. I understand that Manjaro wants to be an easy to install and use Desktop OS - Making sure that the default install is reasonably secure, is something that should be added to the mission/goals of this project. IMHO