Enable ufw by default?

Well, that’s what I mean. It allows outgoing traffic, but disallows incoming traffic by default. Unless ports are opened, but that has to be a conscious decision then.

I just port-scanned my own machine with UFW disabled and it absolutely has an open port from the Dropbox client it has installed.

1 port.

From a client you installed. So you allowed it.

Again, it’s 1 port. Of 65535 ports. By custom software, not Manjaro.

But I see what you mean…

2 Likes

It is a misconception that Linux is as vulnerable as Windows - yes you can hack a Linux - but most hacks require either physical access or a vulnerable service.

Unless you consider the mere network connection as a security risk then unlike Windows - which has various Windows services enabled by default - Manjaro OS has no applications providing external network services which are enabled.

Then the question is - with no enabled services - why enable firewall?

You actually answered your own question - this is exactly why the firewall is installed but not enabled. Powerusers will know when they enable a service - and they will enable the firewall - without having to install it beforehand.

Even if samba is installed - it is usually not enabled - but if you enable the samba file sharing service then you should consider enabling a firewall.

An enabled bluetooth connection is more likely to be targeted than your wireless network card.

If by any chance someone is scanning the traffic on a café hotspot then it is your traffic which is captured and unless you are very interesting - that is having millions of £$€ - or being a :male_detective: and that would be available anyway - you cannot protect your traffic with a firewall.

If you are using the dominant operating system Microsoft Windows then you should always protect the system using a firewall.

If you enable a firewall just to feel secure then you are not secure at all.

A false sense of security is worse than feeling insecure - feeling insecure keeps you on your toes but a false sense of security lets you take your guard down - and that is the worst because you won’t see what hit you.

6 Likes

It does not take a Power User to install Dropbox client or some other desktop application that will arbitrarily open a network port.

This is besides the point. We are not talking about securing network traffic. We are talking about enabling the host firewall to protect the system from being fingerprinted and poked at by other systems on the same network.

Well, I feel insecure when connecting my Manjaro laptop to public/foreign wifi with the host firewall turned off.

If you have no services then there is nothing to poke and the traffic is rejected - this is standard behavior of the network stack.

If you feel better when a firewall service is doing the reject - I am fine with that.

sudo firewall-cmd --set-default-zone=drop

Informed decisions is always good and you appear to have made the informed choice that your system should use a firewall in public places - and it is a good choice - you should keep up being vigilant.

I cannot imagine that Manjaro would make it a goal to become the next computer babysitter.

Microsoft had to do it - the babysitting - as their Windows was not born network aware - Linux was. The Linux network stack is probably the most audited and secure piece of the kernel.

In any case - feel free to continue with your good habits - keep the guards up.

And by the way if you want a Manjaro system with firewall enabled you can use the unofficial LXQt.

I have uninstalled ufw completely; all routers have a firewall embedded, so I just enabled it to have a household-wide firewall at the “source”.

In my opinion, network-traffic-monitoring is better than a hard static firewall, because network-traffic-monitoring notifies you automatically when a new unknown connection of any app/service comes, and asks you to decide on blocking or allowing the connection or app.

What do you have in mind? Something like opensnitch?

Yes, that’s an example. However, I do not use it :smiley: I can trust open source apps and a few certain closed source apps very long, no need for a firewall and opensnitch.

@all Trying to understand this discussion, but to me - so far - it is not clear what the harm or risk(s) of keeping ufw enabled on a desktop are. The possibility of losing a few milliseconds here and there is not any problem. What other more serious problems might an enabled ufw create, if any?

1 Like

@pelka
If it is enabled by default
then new and unsuspecting and most of all totally inexperienced users
would soon flock to the forum
asking why this or that app doesn’t work, why they can’t connect from here to there and how to punch the needed holes into the firewall configuration …
It adds complexity and subsequent work for all involved for little to no benefit
as a default option.
IMO

I think the problem with UFW is where it is located.

Ideally the firewall should

  • protect from harm
  • be no burden

When a firewall is on the pc, it will

  • protect the pc, but not the home network.
  • be a burden to access my home network from my pc, and to access my pc from my home network

If the firewall is on the router

  • it will protect the pc and the home network from harm
  • it will be no hindrance to access my pc from my network and to access my network from my pc

Think about:

  • cups, printing
  • mediaplayers
  • smb, ssh

  • Everything would need to have extra firewall-rules

P.S. I do have UFW installed and running, but I am no newbie and have used Linux for more than 20 years, and I worked in a professional helpdesk for over 20 years. So I know what the result would be of automatically enabling it.

ufw without rules, or with empty rules, is like nothing; then new/inexperienced users would not flock to the forum.

because they wouldn’t know it’s even there - but then: why have it?

Hi there. Most users are behind a router with strong rules and a good security setup. Nevertheless, I have read somewhere (sorry, no source in my mind) that UFW enabled may add an extra. On the other hand this is not really necessary with all the other security features running in the background, i. e. and just to mention it: the kernel itself and all the linux security by default. UFW added may cause some trouble while setting up other devices, in theory.

To sum it up: It may be a proper choice to have a look at the router and to enable all possible security options (you can use a stealth mode for example), update your system and to use a good browser plus firejail.

(Did I mention that Manjaro is a great and secure OS for power users, office work, university stuff, research, production? :clap: )

IMHO this is the biggest misconception of all. While the Linux kernel has some security features built-in (for example hooks for app sandboxing), it is not any more secure than other OS kernels by default. One needs to make use of the available security features and enable them to actually improve the security posture of a system.

Also, most systems get compromised through weak passwords, weak configurations, or vulnerabilities in the software running on the system. There is way more software on a Linux system than just the kernel and most of it does not have the same amount of security rigor applied as the Linux kernel does.
There is a good amount of desktop applications that listen on arbitrary network ports to enable the features that involve peer2peer network communication.
IMO most users will not think about turning on the host firewall after installing the Dropbox client (as an example) - Most users likely don’t even know that the Dropbox client starts a listener on a network port.

Regarding routers and network firewalls: Absolutely agree. Every “admin” of a home network should enable the network firewall on their router. However, we are talking about Manjaro laptops connecting to networks that are “administered/maintained” by someone else.

Regarding increase of forum posts with app issues that arise from an enabled host firewall: The default settings of UFW are pretty sane and will allow most desktop apps to still function without issues. And the few issues that will arise, will be a good opportunity for the user to learn about a security feature of Manjaro. Isn’t that one of the reasons we all run a Linux OS - To learn…?

… most …
the reality is:
nothing inbound will work
even in a local network
just like @andreas85 said

this is about weighing the (marginal) gains vs the huge losses due to work involved and explaining to do … which, in a context of new/inexperienced and not interested in technical detail users means:
frustration on that side
and the same on the other
only offset by
a lot of more work
to, in the end, achieve … marginal, if any, user gain

IMO :wink:

and most of them actually do want just that to just work

They all kinda know about the implications.
… maybe not all, but most …
But they would still prefer that things that they are already unfamiliar with will just work once they managed to get that far.
Instead of then there being another arcane obstacle in the way … for their own good … which they then certainly do not know how to deal with.
(stereotype, I know …)

I have probably already said it - and others, too:
it adds unnecessary complexity on multiple levels

I guess it lies in the eye of the beholder which side of the equation is marginal. (I might be a bit jaded after 10+ years of responding to cybersecurity incidents.)

For everyone who thinks that enabling
UFW will create a lot of issues, I suggest to turn it on for a bit and see what stops working.

It will probably not be creating issues for most.
I say probably - but I have no data to actually justify saying that. :wink:

It’s much more likely that it will …

even if one thing stopped working

do you want to be the one who is explaining to users why it didn’t/doesn’t work
and then get into explaining the workings of the firewall to enable them to understand why and what they have to do
to make it work?
… it would have worked without the firewall active …

… home network, behind a router, is the most likely use case
the firewall would not just be not useful there
it would make things unnecessarily difficult …