May 18

Why Ubuntu has no firewall, or why UFW is disabled by default

Category: Linux,Ubuntu   — Published by goeszen on May 18, 2014 at 3:45 pm

When you set up Ubuntu, and when you're coming from a Windows world, your first move is probably to install a firewall. Well, wrong. No need to.

Ubuntu, and Debian, on which Ubuntu is based, comes with iptables, a very low-level, very strict and very secure "firewall" - actually it's a front-end for the internal rules ("tables") of the internal kernel-firewall. And by default, an Ubuntu or bare-bone Debian system, comes with no or nearly no ports open. By default. So unlike Windows which you have to lock down with a firewall, Linux is mostly bullet-proof out of the box. So Ubuntu has a firewall, built in. A user on Linux has to open up ports, or does so indirectly by adding/installing/starting services which as part of their installation/ default configuration do open ports and begin listening on them. For example, after installing Apache, usually port 80 is opened and Apache starts listening for incoming connections.

That's where ufw might come in handy. ufw is a front-end as well, accompanied by gufw, the GUI app with the blue/white shield pretty common on Ubuntu. Note that ufw is yet another front-end for the low-level iptables, with some simplifications for easier configuration. So it's not something that's running daemonized on your system.

Fire ufw up and it will greet you with the slider in the disabled state. Probably even after authorizing the app for admin work. What might be scary at first means that the additional ufw rules are not active, while the standard iptables rules are in effect! Maybe not the best move to communicate that...
Anyway. Why would you want to use ufw? Well, let's assume you run a local development webserver on your machine. With that setup you probably begin opening a port to the outside world. Now, with ufw you can add another layer of security around your system, as ufw by default locks everything in, even when a local service opened a port on the system as part of its config. So when ufw is enabled, you need to again open a port when you want to have other machines, from the local subnet or even the world, talking to your now twice secured system.

Long story short:
In its vanilla state, Ubuntu is save without ufw, and has a firewall in effect. There's just no separate firewall application.
When you install more advanced services, having ufw to fine-tune firewall rules in a more convenient way might be helpful.

Leave a Reply