Enable ufw by default?

… most …
the reality is:
nothing inbound will work
even in a local network
just like @andreas85 said

this is about weighing the (marginal) gains vs the huge losses due to work involved and explaining to do … which, in a context of new/inexperienced and not interested in technical detail users means:
frustration on that side
and the same on the other
only offset by
a lot of more work
to, in the end, achieve … marginal, if any, user gain

IMO :wink:

and most of them actually do want just that to just work

They all kinda know about the implications.
… maybe not all, but most …
But they would still prefer that things that they are already unfamiliar with will just work once they managed to get that far.
Instead of then there being another arcane obstacle in the way … for their own good … which they then certainly do not know how to deal with.
(stereotype, I know …)

I have probably already said it - and others, too:
it adds unnecessary complexity on multiple levels

I guess it lies in the eye of the beholder which side of the equation is marginal. (I might be a bit jaded after 10+ years of responding to cybersecurity incidents.)

For everyone who thinks that enabling UFW will create a lot of issues, I suggest to turn it on for a bit and see what stops working.

It will probably not be creating issues for most.
I say probably - but I have no data to actually justify saying that. :wink:

It’s much more likely that it will …

even if one thing stopped working

do you want to be the one who is explaining to users why it didn’t/doesn’t work
and then get into explaining the workings of the firewall to enable them to understand why and what they have to do
to make it work?
… it would have worked without the firewall active …

… home network, behind a router, is the most likely use case
the firewall would not just be not useful there
it would make things unnecessarily difficult …

All these positions can be easily turned around: Do you want to be the one to explain to a user with a compromised system why Manjaro would install a host firewall that is easy to use and not turn it on? :wink:

Good post. :+1:

But I have to mention that apps doing what they do does not mean that these apps create security holes and it is easy to compromise any system behind a router.
I have had much trouble with flatpak apps and snap apps to work properly. The sandboxing feature seems to be a must go.

Of course, as always there is more than just one way to look at things.
I’m very sure that my workload as that person would be but a tiny fraction of the workload of the support persons in the other case :wink:


@nachlese @Zesko I’m sorry for my unclear wording “… to keep ufw enabled in desktop.” I should have written it in a clearer way, i.e.: “What is the harm or risk(s) to download ufw, turn it on and keep it enabled in desktop?” I do not mean ufw should be enabled by default in the Manjaro installation package. So far, during over 10 years with different Linux desktop OSs, I’ve not encountered any problems from ufw.

If no firewall rule or an empty rule is defined initially after installing and enabling ufw without a third-party app/GUI, then it is effectively neutral and does not block anything. You can let it run on the system; no harm.

Risk:
If you use a third-party app, e.g. gufw for ufw, it could define wrong rules by your mistake and block app connections that you need. You may not know why apps do not work and would ask here in the forum.


In the past, I turned on a third-party app for ufw, then kdeconnect did not work. I turned off ufw, and kdeconnect worked.


Simple tip:
If you want to block a specific IP and port for sure, you should define it in the firewall rule. That is okay.
Do you know the bad IPs and ports in your area? If not, then ufw is useless. (It has no AI “artificial intelligence”.)

@Zesko Thank you for your reply and excellent examples! It is just what I mean: ufw is just one of the applications, it does no harm to have it installed and enable it with firewall rule(s) when you need to, just like other apps.

Normally I keep ufw with only these settings:

Profile: Home
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)

If/when I want to use some ufw rules, I’ve at first denied both incoming and outgoing and then I’ve used this instruction for setting rules: [ubuntu] Creating a Firewall for Your Ubuntu Desktop. Email IMAP and SMTP ports must be checked separately case by case; in my case they are not those indicated in this instruction, but are 993 and 465.


That is baby sitting and not a task for a Linux distribution.

I couldn’t care less if a user downloads malicious scripts and executes them - or surfs questionable sites and gets infected - or runs a samba server on a public network or runs ssh on a public network.

That is outright stupid and there is no cure for that.

The topic is not about how or when to use a firewall - the topic is whether or not to enable it by default.

There is enough evidence to support it should not be enabled by default as doing so - no matter the intention - is intrusion and Manjaro is not intrusive in any way.


deny (incoming)

Are you sure? I think it is your mistake. This profile means no one is allowed to access your computer at your home and in your own local network. Example: Your own scanner (at your home) is not allowed to send a PDF to your computer via FTP/SFTP.

“Incoming” should be allowed at your home, if you trust your home.

“Incoming” should be rejected in a public network, e.g. internet cafe, airport, business… if you do not want to let others access or track your laptop in the network.

That’s usually adjusted with a rule like sudo ufw allow from 192.168.0.0/24 for home.
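As an added example, not posted by anyone in this thread: a small POSIX shell check that reads the text of "ufw status verbose" and reports whether the profile quoted above (default deny incoming) is in place without any LAN exception, which is exactly the state that breaks a home scanner or kdeconnect. The two status texts are constructed samples in the format ufw prints; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ufw status verbose` for the profile quoted above:
# default deny incoming, no rules at all (home devices get dropped).
STATUS_NO_LAN='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample after `sudo ufw allow from 192.168.0.0/24` was added.
STATUS_WITH_LAN='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24'

# lan_inbound_blocked STATUS_TEXT
# Returns 0 (true) when the default is deny incoming AND there is no
# "ALLOW IN" rule whose source is a private (RFC 1918) range, i.e. the
# situation where LAN peers such as a scanner or kdeconnect cannot reach
# this host. Returns 1 (false) otherwise.
lan_inbound_blocked() {
    status="$1"
    # No default-deny on incoming: nothing on the LAN is blocked by policy.
    printf '%s\n' "$status" | grep -q 'Default: deny (incoming)' || return 1
    # A LAN allow rule already exists: the exception from the thread is present.
    printf '%s\n' "$status" \
        | grep -Eq 'ALLOW IN +(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
        && return 1
    return 0
}

# suggest_lan_rule CIDR
# Prints the ufw command from the thread that adds the missing LAN exception
# (printed only, never executed here).
suggest_lan_rule() {
    printf 'sudo ufw allow from %s\n' "$1"
}

# Stand-alone usage: report on both constructed samples.
for s in "$STATUS_NO_LAN" "$STATUS_WITH_LAN"; do
    if lan_inbound_blocked "$s"; then
        echo "LAN inbound is blocked; consider: $(suggest_lan_rule 192.168.0.0/24)"
    else
        echo "LAN inbound is allowed or not policy-denied; nothing to do"
    fi
done
```

On a real host, feed it "$(sudo ufw status verbose)" instead of the constructed samples.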

I think this thread has gone on long enough. See the marked solution.