79

Why is ufw firewall included in Ubuntu, when it is not enabled and pre-configured by default? Most users don't even know it is there, because no GUI frontend is provided.

Yi Jiang
  • 1,206
  • 10
    I was shocked when I accidentally found out that a firewall is installed but disabled! The arguments mentioned here are pretty weak. – HRJ Sep 12 '11 at 19:58
  • 1
    I'm having the same question, that's why I landed here. I just got a very wild guess that Linux users (in contrast with Windows users, who are more likely to be normal desktop users) have various uses for Linux: some for pentesting, some use ssh, some don't, a lot use it as a webserver, database or smtp server ... the Linux philosophy will let every user configure his firewall as he sees fit. – user10089632 Feb 21 '18 at 11:07
  • 1
    This is an incredibly bad design decision. Just astonishingly bad! – iono Jul 21 '19 at 12:05

5 Answers

44

Out of the box, Ubuntu ships with no TCP or UDP ports open, hence the belief that there's no reason to run Uncomplicated Firewall (ufw) by default. I agree, though, that having ufw disabled is a strange decision. My reasoning is that inexperienced users are feasibly going to install things like Samba, Apache and such like as they experiment with the system put before them. If they don't understand the implications of this, they will expose themselves to malicious behaviour on the internet.

Example - I've got my laptop configured with Samba which is fine in my home network protected with WPA2. But if I take my laptop to a Starbucks, I might not think anything of it, but that laptop is now advertising my shares to all and sundry. With a firewall, I can restrict my samba ports to only my home server or peer devices. No need to worry as much now about who might be trying to connect to my laptop. Same goes for VNC, SSH, or a huge number of other useful services my laptop might be running, or trying to connect to.

Ubuntu takes a very on/off approach to certain elements of security, a philosophy I can't agree with. Security might be technically on or off, but by layering elements of security over one another, you end up with a better system. Sure, Ubuntu's security is good enough for a large number of use cases, but not all.

Bottom line, run ufw. Better safe than sorry.

Uncomplicated Firewall has a number of graphical front ends, but the simplest is Gufw.


sudo apt-get install gufw

Here, I'm allowing all traffic from specific server VLANs in my corporate environment and I've added a rule to allow the necessary ports for a reverse SSH session to bounce off this machine.

GUFW Screenshot

Scaine
  • 11,139
  • 2
    ufw just controls iptables - that's why it's not enabled by default. Advanced users are able to use iptables. – papukaija Jan 23 '11 at 16:37
  • 7
    @papukaija -- advanced users of iptables are able to use iptables. An advanced user on a bsd system would use pf, but that doesn't make that user, coming to ubuntu, suddenly unsophisticated. Likewise with someone who is primarily a network engineer -- that person would know Cisco or Juniper ACL logic. It's not for everyone, but ufw can make configuration more accessible, and in my opinion this is a good thing. – belacqua Jan 27 '11 at 20:53
  • 2
    @jgbelacqua: True but the scaine's answer gives an image that ufw is a firewall while it's just a frontend to iptables. – papukaija Jan 28 '11 at 01:44
  • 2
    (Aggressive pedant warning) I'd recommend users not allow random incoming UDP/53 packets on the basis of spoofable source address. They've been used in real-world attacks (DNS poison, DoS by amplified traffic). You would need to do this why? – sourcejedi Jul 27 '14 at 21:16
  • Yep, probably true. That's a bad screenshot really, of an old PC where I just wanted the OpenDNS out of my logs. It's not good practice. If I get time, I'll try to update the screenshot, since GUFW looks pretty different these days anyway. – Scaine Aug 19 '14 at 15:00
  • @Scaine question about your samba example ... I have samba (cifs mounting) installed, but the only apps that show up with ufw app list are CUPS and OpenSSH. So, is ufw really able to allow/deny samba? Maybe samba only shows up in the list if I'm actively and publicly sharing something. – cxrodgers Jan 09 '19 at 18:37
  • At first, I thought that the (sort of) empty iptables meant that all ports are open. I didn't really understand why running a server like samba would open any port, since it wouldn't touch the iptables. But I've finally understood that by "not open" we mean that no program is actively listening, and since no one is listening, it's fine to allow any incoming packet and no harm can be done. Did I get it right? If so, could you add something in your answer to clarify it for other people who might make the same mistake as I did? – Jonas Daverio May 04 '22 at 00:30
31

In contrast to Microsoft Windows, an Ubuntu desktop does not need a firewall to be safe on the Internet, since by default Ubuntu does not open ports that can introduce security issues.

In general a properly hardened Unix or Linux system will not need a firewall. Firewalls (except for certain security problems with Windows computers) make more sense to block internal networks from the Internet. In this case local computers can communicate with each other over open ports which are blocked towards the outside by the firewall. In this case, the computers are intentionally opened up for internal communications which should not be available outside the internal network.

The standard Ubuntu desktop would not require this, hence ufw is not enabled by default.

txwikinger
  • 28,462
  • Isn't (g)uwf just a frontend? I mean the real firewall is iptables, isn't it? – papukaija Jan 22 '11 at 00:01
  • 12
    Even properly hardened systems will benefit from a firewall. For example, if you run Samba, you open various ports to everyone. With a firewall, you can restrict that to only your server or peers. – Scaine Jan 22 '11 at 11:32
  • netfilter + iptables or netfilter + ufw (which includes iptables) provides the firewall. But if you have ufw, you will have firewall functionality. – belacqua Mar 04 '11 at 00:41
  • 4
    [citation needed] – nanofarad Nov 20 '12 at 00:53
  • The UFW is disabled by default even on Ubuntu Server not just desktop. – Maziyar Oct 03 '15 at 17:02
  • 12
    This is completely absurd. A firewall is used to protect in and out communications from illegitimate use... This means that if you install a, let's say, music player that opens a port wrongly you would have an open connection to the internet. That's called preemptive security, you protect from the things that may happen. This answer gives people a false sense of security in linux environments. – Daniel Apr 21 '16 at 11:54
  • 1
    I just love how you pretend that there is no need for a firewall! Reminds me of the stance Apple took with antivirus software. It's just ridiculous!!! – Peter Mar 18 '19 at 08:41
  • Then does Windows, in contrast to Ubuntu, by default open ports that can introduce security issues? I'm not aware that a clean installation of Windows has some software running that has to be blocked by a firewall immediately by default. – JustAMartin May 14 '20 at 08:51
    What do you mean by "does not open ports by default"? If no iptables rules are set, I would say all ports are open. It's just that no one is listening, which makes it safe. Maybe it's just me and I've got a wrong definition of an "open" port. – Jonas Daverio May 04 '22 at 00:09
7

In Ubuntu or any other Linux the firewall is a part of the base system and is called iptables/netfilter. It is always enabled.

iptables consists of a set of rules on what to do and how to behave when a packet is going out or coming in. If you want to explicitly block incoming connections from a specific IP, you will need to add a rule. Actually you don't need to do so. Relax.

If you want good security from anything, remember: don't install random software from anywhere. It might screw up your default security settings. Don't run as root ever. Always trust the official repos.

I think what you wanted to ask was whether the UI is installed or not?

Manish Sinha
  • 11,565
  • 10
    You make it sound like a firewall is "always enabled", which isn't the case. It might be integrated, but unless you turn it on with sudo ufw enable, the first piece of server software you install will open a port that the built-in iptables isn't going to do a thing about. – Scaine Jan 22 '11 at 11:10
    Why are normal users going to install a piece of server software? I think only web servers open the socket which is accessible outside. An application binds itself to a port on a specific interface if I am not wrong. MySQL only listens to connections on localhost. – Manish Sinha Jan 22 '11 at 16:53
  • 5
    @Scaine: ufw doesn't do the work; it's done by iptables which is enabled by default. – papukaija Jan 23 '11 at 16:39
  • @Scaine: I concur with papukaija , the firewall runs all the time. gufw might be just a GUI frontend which I don't use. The default security level on a linux box is pretty robust (unless there is some misconfiguration) – Manish Sinha Jan 24 '11 at 11:53
  • 11
    Hi guys. UFW is a front end on iptables - I get it. However, by default, iptables does precisely NOTHING. It's not functioning. It's not a firewall. It's ready, but useless. You MUST run sudo ufw enable before iptables is configured to do anything. Manish, your answer sounds like a firewall is running. You're saying "technically it is" and technically you're right. But it's not doing anything, so you're giving a massively false impression of security where none exists. – Scaine Jan 24 '11 at 14:57
  • 5
    @manish, regarding "normal users installing server software". Many will install Samba, as per my example. Many others will use the built-in VNC server in preferences/remote desktop. This is fine in the home environment (probably), but take that laptop outside with those services enabled, you're potentially exposing yourself to malicious behaviour. – Scaine Jan 24 '11 at 14:59
  • 2
    ssh, print-related and mail ports are also frequently opened for completely normal kinds of desktop or server operations. These can be locked down (by source IP for example) or closed completely with ufw or another flavor of firewall/ACL. – belacqua Jan 27 '11 at 20:45
  • 1
    @manish -- What @scaine is saying is correct -- iptables running in completely open mode is just an open ACL. Or like setting IPSec encryption to NULL, per RFC2410. In the business world, that doesn't get you anything on a security audit, and it shouldn't. – belacqua Jan 27 '11 at 21:22
    @jgbelacqua I get this, but locking down so severely is a problem. Every time I install ufw, it creates a lot of problems. I always find the default settings good. – Manish Sinha Jan 28 '11 at 12:04
  • @manish -- no disagreement here on that. My answer about 'new users' shooting themselves in the foot shouldn't have excluded other user types -- I've certainly wasted my own time troubleshooting after locking down my system (e.g., can't connect to apache on my own network). So, yes, default (non-firewalled) security is fine in most cases, but I still maintain that iptables running 'open' isn't a functional part of that security. – belacqua Jan 28 '11 at 18:31
  • 1
    @jgbelacqua I agree on that. I feel that Linux's default security is pretty great. It strikes a fine balance between naked open systems and strongly locked down systems where you cannot make out heads or tails why something is not working. – Manish Sinha Jan 28 '11 at 21:45
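The comments above argue about whether an unconfigured iptables "does anything". As an added example (not code from any answer here), this shell function reads `iptables -S INPUT` output and reports whether the INPUT chain is actually filtering. Both sample outputs are constructed; the second imitates the chains ufw installs after `ufw enable`.

```shell
#!/bin/sh
# Added example: classify the state of the iptables INPUT chain from the
# output of 'iptables -S INPUT'. Samples are constructed for this example.
FRESH_INSTALL='-P INPUT ACCEPT'
UFW_ENABLED='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Prints one word:
#   open       - policy ACCEPT and no rules: the "open ACL" state, nothing filtered
#   filtering  - default policy DROP or REJECT: unmatched traffic is blocked
#   rules-only - policy ACCEPT but rules present: only listed traffic is blocked
input_chain_state() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" { rules++ }
        END {
            if (policy == "ACCEPT" && rules == 0) print "open"
            else if (policy == "DROP" || policy == "REJECT") print "filtering"
            else print "rules-only"
        }'
}
```

On a live host, `input_chain_state "$(sudo iptables -S INPUT)"` gives the same answer for the running ruleset.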
4

Also, gufw can provide a GUI front-end. (It isn't really more intuitive than ufw on the command line, to me, but it does give you a more visual reminder of what is there.) I agree that the firewall is not advertised well at present. If I were to guess, I'd say this is to prevent new users from shooting themselves in the foot.

belacqua
  • 23,120
-3

Because: passwords or crypto-keys.

This is IMO the correct answer, and thus far, quite a different answer than the others. ufw is disabled by default for the convenience of the majority of Ubuntu users who know that passwords are an important form of protection to provide privacy and restricted control. The majority of Ubuntu users will "vet" software by installing from Ubuntu-approved repositories and be careful about other sources, in order to minimize risks in general, not just risk related to ports. By doing so they go a long way to minimizing the port-related risk which was already small because they use "normal" passwords and very small if they use hard-to-brute passwords or crypto-keys.

Some of the risks cited such as Samba file server, Apache HTTP server, SSH, VNC on a Starbucks (public) WiFi would typically be eliminated by hard-to-brute passwords on the host.

ufw "breaks" software, as a firewall should, which is the reason why it is disabled by default. To test this on a fresh install of Ubuntu, server A, install ssh and login from another machine, client B, on the same local network and you will see it works immediately. Logout. Then go back to server A and sudo ufw enable. Go back to client B and you will fail to ssh to server A.

H2ONaCl
  • 9,693
  • 2
    Passwords sit at a much higher level of the stack. Systems can be attacked through simple buffer overruns at lower levels of the stack. – HRJ Jan 26 '17 at 06:42
  • Why the downvote? – H2ONaCl Jan 26 '17 at 08:33
  • @HRJ, "systems can be attacked" doesn't refute that convenience matters. You have not addressed the correctness of what I wrote. I'm right. You're on a tangent. – H2ONaCl Jan 27 '17 at 00:18
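Scaine's answer above recommends restricting services like Samba to the home network, and H2ONaCl's answer shows how `ufw enable` cuts off SSH when no allow rule precedes it. As an added example (not code from any answer on this page), the script below turns `ss -Hlntu` output into ufw rules limited to a trusted subnet and orders the SSH rule before `ufw enable`. The `ss` sample and the 192.168.1.0/24 subnet are constructed inputs.

```shell
#!/bin/sh
# Added example: derive per-port ufw rules from the sockets a host is
# actually listening on. SAMPLE_SS mimics 'ss -Hlntu' output (constructed).
SAMPLE_SS='tcp   LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128  [::]:5900         [::]:*
udp   UNCONN 0 0    0.0.0.0:137       0.0.0.0:*
tcp   LISTEN 0 151  127.0.0.1:3306    0.0.0.0:*'

# Print "proto port scope" per socket: "local" for loopback binds, which the
# network cannot reach anyway, "exposed" for wildcard binds (0.0.0.0 or [::]).
classify_sockets() {
    printf '%s\n' "$1" | awk '{
        proto = $1; addr = $5
        port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[^:]*$/, "", host)
        scope = (host == "127.0.0.1" || host == "[::1]") ? "local" : "exposed"
        print proto, port, scope
    }'
}

# One ufw allow rule per exposed port, restricted to the trusted subnet $2.
suggest_rules() {
    classify_sockets "$1" | awk -v net="$2" '$3 == "exposed" {
        printf "ufw allow from %s to any port %s proto %s\n", net, $2, $1
    }'
}

count_exposed() {
    classify_sockets "$1" | awk '$3 == "exposed"' | wc -l | tr -d ' '
}

# Ordered plan: deny incoming by default, SSH (port 22) allow first so the
# current admin session survives, remaining rules, and only then enable.
enable_plan() {
    printf 'ufw default deny incoming\n'
    suggest_rules "$1" "$2" | grep    ' port 22 proto tcp$' || true
    suggest_rules "$1" "$2" | grep -v ' port 22 proto tcp$' || true
    printf 'ufw --force enable\n'
}
```

Run `enable_plan "$(ss -Hlntu)" 192.168.1.0/24` on a real host to review the proposed commands before executing any of them with sudo.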