Why is the firewall disabled by default?

Why is ufw firewall included in Ubuntu, when it is not enabled and pre-configured by default? Most users don't even know it is there, because no GUI frontend is provided.


Solution 1:

Out of the box, Ubuntu ships with no TCP or UDP ports open, hence the belief that there's no reason to run Uncomplicated Firewall (ufw) by default. I agree, though, that having ufw disabled is a strange decision. My reasoning is that inexperienced users are feasibly going to install things like Samba, Apache and such like as they experiment with the system put before them. If they don't understand the implications of this, they will expose themselves to malicious behaviour on the internet.

Example - I've got my laptop configured with Samba, which is fine in my home network protected with WPA2. But if I take my laptop to a Starbucks, I might not think anything of it, but that laptop is now advertising my shares to all and sundry. With a firewall, I can restrict my Samba ports to only my home server or peer devices. No need to worry as much now about who might be trying to connect to my laptop. Same goes for VNC, SSH, or a huge number of other useful services my laptop might be running, or trying to connect to.

Ubuntu takes a very on/off approach to certain elements of security, a philosophy I can't agree with. Security might be technically on or off, but by layering elements of security over one another, you end up with a better system. Sure, Ubuntu's security is good enough for a large number of use cases, but not all.

Bottom line, run ufw. Better safe than sorry.

Uncomplicated Firewall has a number of graphical front ends, but the simplest is Gufw.

GUFW Logo

sudo apt-get install gufw

Here, I'm allowing all traffic from specific server VLANs in my corporate environment and I've added a rule to allow the necessary ports for a reverse SSH session to bounce off this machine.

GUFW Screenshot
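As an added example (not part of either answer), here is a ufw rule set for the Samba case described above: deny everything inbound by default, allow the Samba ports only from a trusted home network, and rate-limit SSH. The subnet 192.168.1.0/24 is an assumed placeholder; with DRY_RUN=1 (the default) the script prints the ufw commands instead of running them, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: restrict Samba to a trusted LAN with ufw and deny all other inbound traffic.
# Assumption: the home/peer network is 192.168.1.0/24 (a constructed placeholder value).
HOME_NET="${HOME_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ufw commands, 0 = execute them (requires root)

# Print or execute a single ufw command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# Emit or apply the whole rule set in order; output is one ufw command per line.
samba_firewall() {
    run default deny incoming      # anything not explicitly allowed is dropped
    run default allow outgoing
    # Samba: NetBIOS name/datagram services on UDP, session service and SMB on TCP,
    # reachable only from the trusted network, not from a coffee-shop Wi-Fi.
    run allow from "$HOME_NET" to any port 137,138 proto udp
    run allow from "$HOME_NET" to any port 139,445 proto tcp
    # SSH stays reachable but is rate-limited to slow down password guessing.
    run limit 22/tcp
    run --force enable
}

# Sanity check: number of rules scoped to the trusted network (expected 2).
scoped_rule_count() {
    samba_firewall | grep -c "allow from $HOME_NET"
}
```

Run with DRY_RUN=0 HOME_NET=<your subnet> under sudo to apply the rules for real; `sudo ufw status verbose` then shows the resulting policy.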

Solution 2:

In contrast to Microsoft Windows, an Ubuntu desktop does not need a firewall to be safe on the Internet, since by default Ubuntu does not open ports that can introduce security issues.

In general, a properly hardened Unix or Linux system will not need a firewall. Firewalls (except for certain security problems with Windows computers) make more sense for shielding internal networks from the Internet. In this case local computers can communicate with each other over open ports which are blocked from the outside by the firewall. In this case, the computers are intentionally opened up for internal communications which should not be available outside the internal network.

The standard Ubuntu desktop would not require this, hence ufw is not enabled by default.