I completely understand wanting to make the default as secure as possible.
However, from what I’ve read here, on the forums, as well as having some experience in servers, albeit Ubuntu, with the way the Linux kernel handles network connections, that would be completely unneccessary. For two reasons I can think of quickly:
- Linux disallows all incoming traffic by default, on all ports;
- Because it would be unneccessary, it would cause unneccessary overhead on the CPU having to inspect and sort every packet. Eventually making for a less responsive, snappy system. Especially unneccesary if you consider the previous point.
As things are now, I don’t have a firewall on my PC. And in Linux, I’m quite happy with that.
I used Shorewall on my Ubuntu servers, but that was mostly to make it easier to route traffic between them.
I may misunderstand what you said, but what do you mean? I’m pretty sure that’s not the case at all.
You must mean something else, your statement is not true.
Well, that’s what I mean. It allows outgoing traffic, but disallows incoming traffic by default. Unless ports are opened, but that has to be a conscious descision then.
I just port-scanned my own machine with UFW disabled and it absolutely has an open port from the Dropbox client it has installed.
From a client you installed. So you allowed it.
Again, it’s 1 port. Of 65535 ports. By custom software, not Manjaro.
But I see what you mean…
It is a misconception that LInux is as vulnerable as Windows - yes you can hack a Linux - but most hacks requries either physical access or a vulnerable service.
Unless you consider the mere network connection as security risk then unlike Windows - which has various Windows services enabled by default - Manjaro OS has no applications providing external network services which is enabled.
Then the question is - with no enabled services - why enable firewall?
You actually answered your own question - this is exactly why the firewall is installed but not enabled. Powerusers will know when they enable a service - and they will enable the firewall - without having to install it beforehand.
Even if samba is installed - it is usually not enabled - but if you enable the samba file sharing service then you should consider enabling a firewall.
An enabled bluetooth connection is more likely to be targeted than your wireless network card.
If by any chance someone is scanning the traffic on a café hotspot then it is your traffic which is captured and unless you are very interesting - that is having millions of £$€ - or being a and that would be available anyway - you cannot protect your traffic with a firewall.
If you are using the dominant operating system Microsoft Windows then you should always protect the system using a firewall.
If you enable a firewall just to feel secure then you are not secure at all.
A false sense of security is worse than feeling insecure - feeling insecure keeps you on the toes but a false sense of security lets you take your guard down - and that is the worse because you won’t see what hit you.
It does not take a Power User to install Dropbox client or some other desktop application that will arbitrarily open a network port.
This is besides the point. We are not talking about securing network traffic. We are talking about enabling the host firewall to protect the system from being fingerprinted and poked at by other systems on the same network.
Well, I feel insecure when connecting my Manjaro laptop to public/foreign wifi with the host firewall turned off.
If you have no services then there is nothing to poke and the traffic is rejected - this is standard behavior of the network stack.
If you feel better when a firewall service is doing the reject - I am fine with that.
sudo firewall-cmd --set-default-zone=drop
Informed decisions is always good and you appear to have made the informed choice that your system should use a firewall in public places - and it is a good choice - you should keep up being vigilant.
I cannot imagine that Manjaro would make it a goal to become the next computer babysitter.
Microsoft had to do it - the baby sitting - as their Windows was not born network aware - Linux was. The Linux network stack is probably the most audited and secure piece of the kernel.
In any case - feel free to continue with your good habits - keep the guards up.
And by the way if you want a Manjaro system with firewall enabled you can use the unofficial LXQt.
i have uninstalled ufw completely ,all routers have firewall embedded, so just enabled it to have household wide firewall at the “source”
In my opinion, network-traffic-monitoring is better than hard static firewall, because network-traffic-monitoring notifies you automatically when new unknown connection of any app/service comes, and ask you to decide blocking or allowing the connection or app.
What do you have in mind? Something like opensnitch?
Yes, that’s an example. However, I do not use it I can trust open source apps and few certain closed source apps very long, no need firewall and opensnitch.
@all Trying to understand this discussion, but to me - so far - it is not clear, what is the harm or risk(s) to keep ufw enabled in desktop ? Possibility to loose a few milliseconds here and there are not any problem. What other more seroius problems enabled ufw might create, if any ?
If it is enabled by default
then new and unsuspecting and most of all totally unexperienced users
would soon flock to the forum
asking why this or that app doesn’t work, why they can’t connect from here to there and how to punch the needed holes into the firewall configuration …
It adds complexity and subsequent work for all involved for little to no benefit
as a default option.
I think the problem with UFW is where it is located.
In ideal the firewall should
- protect from harm
- be no burden
When a firewall is on the pc, it will
- protect the pc, but not the home network.
- be a burden to access my home network from my pc, and to access my pc from my home network
If the firewall is on the router
- it will protect the pc and the home network from harm
- it will be no hinderance to acces my pc from my network and to acces my network from my pc
- cups, printing
- smb, ssh
Everything would need to have extra firewall-rules
P.S. I do have UFW installed and running, but i am no newbie and use linux since more then 20 years, and i did work in professional helpdesk for over 20 years. So i know what the result would be in automatically enabling it.
ufw without rules or empty rules but it is like nothing, then new/unexperienced users would not flock to the forum.
because they wouldn’t know it’s even there - but then: why have it?
Hi there. Most users are behind a router with strong rules and a good security setup. Nevertheless, I have read somewhere (sorry, no source in my mind) that UFW enabled may add an extra. On the other hand this is not really necessary with all the other security features running in the background, i. e. and just to mention it: the kernel itself and all the linux security by default. UFW added may cause some trouble while setting up other devices, in theory.
To sum it up: It may be a proper choice to have a look at the router and to enable all possible security options (you can use a stealth mode for example), update your system and to use a good browser plus firejail.
(Did I mention that Manjaro is a great and secure OS for power users, office work, university stuff, research, production? )
IMHO this is the biggest misconception of all. While the Linux kernel has some security features built-in (for example hooks for app sandboxing), it is not any more secure than other OS kernels by default. One needs to make use of the available security features and enable them to actually improve the security posture of a system.
Also, most systems get compromised through weak passwords, weak configurations, or vulnerabilities in the software running on the system. There is way more software on a Linux system than just the kernel and most of it does not have the same amount of security rigor applied like the linux kernel does.
There is a good amount of desktop applications that listens in arbitrary network ports to enable the features that involve peer2peer network communication.
IMO most users will not think about turning on the host firewall after installing Dropbox client (as an example) - Most users likely don’t even know that the Dropbox client starts a listener on a network port.
Regarding routers and network firewalls: Absolutely agree. Every “admin” of a home network should enable the network firewall on their router. However, we are talking about Manjaro laptops connecting to networks that are “administered/maintained” by someone else.
Regarding increase of forum posts with app issues that arise from an enabled host firewall: The default settings of UFW are pretty sane and will allow most desktop apps to still function without issues. And the few issues that will arise, will be a good opportunity for the user to learn about a security feature of Manjaro. Isn’t that one of the reasons we all run a Linux OS - To learn…?