Why is the firewall disabled by default?



I recently upgraded from Mint 7 to Mint 9 and when I went through all the programs that shipped with this release I found gufw, the firewall application. Maybe it was there in Helena as well, but this is the first time I've noticed it. However, when I opened it up it was disabled by default, which made no sense to me. Why include a firewall and then disable it? So I enabled it and set it to deny incoming traffic (except from deluge).

When I started to educate myself in the matter, I realized that maybe one doesn't even need a firewall when running Linux, since the kernel itself is a firewall (iptables) or something down that road. I'm a little confused though, so I would like to ask you guys to help me put things together.

As far as I have understood, gufw is the GUI for ufw, which is the same thing as, or a simplified version of, iptables. Iptables is included in the Linux kernel and hence provides a much more secure firewall setup than what you could...

Out of the box, Ubuntu ships with no TCP or UDP ports open, hence the belief that there's no reason to run Uncomplicated Firewall (ufw) by default. I agree, though, that having ufw disabled is a strange decision. My reasoning being that inexperienced users are feasibly going to install things like Samba, Apache and such like as they experiment with the system put before them. If they don't understand the implications of this, they will expose themselves to malicious behaviour on the internet.

Example - I've got my laptop configured with Samba which is fine in my home network protected with WPA2. But if I take my laptop to a Starbucks, I might not think anything of it, but that laptop is now advertising my shares to all and sundry. With a firewall, I can restrict my samba ports to only my home server or peer devices. No need to worry as much now about who might be trying to connect to my laptop. Same goes for VNC, SSH, or a huge number of other useful services my laptop might...

Also, now I got the point: a firewall is mainly for web servers.

Not only for web servers. Any application that listens on a port is a server; that includes web servers, ssh servers, samba servers and BitTorrent clients.

Most of the time a firewall is also not necessary when running servers. Why? Because if you are running a server, you probably want to let other machines connect to it (BitTorrent for example), so blocking the port will prevent other users from accessing the service provided by the server.

A firewall is useful if you are running a server but want to limit who can access it. For example you might want to run an ssh or vnc server to access your home desktop from your office computer, but also prevent other machines on the Internet from reaching it. Then you can create a firewall rule that will allow only incoming traffic from the IP of your office computer. So, you will still be able to connect to your machine remotely, but...

Quoting from elsewhere on the 'net...

Short story:

If you do a clean install to a blank or erased disk, Snow Leopard will set the firewall to OFF by default, just as Leopard did.

In the Security pane of System Preferences, click the Advanced button in the Snow Leopard Firewall tab to get to the rest of the options found in the Leopard Firewall tab.

Long story:

When Leopard arrived, Apple changed the interface to the Mac OS X firewall and caught a fair amount of flak as a result for the confusing way the options were offered. (It also made things worse by deciding to turn the firewall off by default.) In Snow Leopard, it has retained the application-based part of firewall services but has tried to simplify the presentation. The tab now opens with a note of whether the firewall is on or off, a Start/Stop button, and at the bottom, an Advanced button.

The Advanced button opens a sheet that presents basically the same options as...

I just got a new MacBook Pro. It’s the fifth one I’ve had since 2005, and as usual the hardware is gorgeous, and migrating from the old laptop was a breeze.

But there’s one thing that boggles my mind about the default system configuration…

…the firewall is off by default. It was off by default on my previous MacBook Pro too. (I have a short file describing the steps I took when migrating to the old laptop, and “Security & Privacy: turn on firewall(!)” was one.)

My wife bought a MacBook Air a couple of months ago and I just checked and the firewall is disabled on it, too.

I admit I am not a world-class expert on matters of network security. Is this totally insane and negligent, or is there something I’m...

Many users are interested in either enabling or disabling their Windows Firewall for various reasons. Some users want to utilize a different firewall, and some may have turned theirs off by accident. To proceed, select your version of Windows from the list below and follow the instructions.

Windows 8 and 10

Tip: Microsoft Windows 8 and 10 both come with a pre-installed firewall utility, although it may be disabled by default. Below are steps that can be followed to enable or disable this feature in these versions of Windows. If you are looking for information about disabling a firewall other than that which comes with Windows, see our page on disabling a firewall program installed on a computer.

Enabling Windows 8 or 10 firewall

Caution: Only one software firewall should be enabled at a time. If you have an antivirus or other security program installed with its own firewall, make sure it is disabled first.

Open the Control Panel.

Click on System and...

> Pretty much what the subject says. I've recently gotten several
> questions from the field about why their deployments had no firewall
> enabled, and discovered that although we have support built-in to enable
> the firewall, we turn it off by default. This seems like a bad default
> to me, but I wanted to send something out in case there was a good
> historical reason we chose to do this.
>
> I'm also wondering about the upgrade implications of changing defaults
> in Heat templates. If we did this, would it cause the firewall to be
> enabled on existing deployments when they upgraded to the new version?
> That seems like a significant concern since it's quite possible users
> are managing their own firewall rules (especially because we don't by
> default), and they may have customizations that they won't want...

When you set up Ubuntu, and when you're coming from a Windows world, your first move is probably to install a firewall. Well, wrong. No need to.

Ubuntu, and Debian, on which Ubuntu is based, come with iptables, a very low-level, very strict and very secure "firewall" - actually it's a front-end for the internal rules ("tables") of the kernel's internal firewall. And by default, an Ubuntu or bare-bones Debian system comes with no or nearly no ports open. So unlike Windows, which you have to lock down with a firewall, Linux is mostly bullet-proof out of the box. So Ubuntu has a firewall, built in. A user on Linux has to open up ports, or does so indirectly by adding, installing or starting services which, as part of their installation or default configuration, open ports and begin listening on them. For example, after installing Apache, usually port 80 is opened and Apache starts listening for incoming connections.

That's where ufw might come in handy. ufw is a...

Why is ufw firewall included in Ubuntu, when it is not enabled and pre-configured by default? Most users don't even know it is there, because no GUI frontend is provided.

Hi all,

I recently bought a c6300 cable modem/router. I am using it for my home network. My ISP is Comcast. The firmware is current.

My question is:

Why is the IPv6 firewall disabled by default? Should I enable it? I did at one point but kept getting No Ranging Response received - T3 messages (I'm not sure if I had enabled it before this happened, or if it was after). So many that my event log took forever to load. I actually had to log in a few times to clear the log (it was so big it would freeze my browser). I'm on my Android phone. No computer at this time in my home. So I'm stuck with using my phone to connect to my modem.

If anyone can give me an answer on this I would really appreciate it.

Thank you,

I just manually reinstalled CIS due to problems with Win10 AU.

In doing so, I reviewed all the settings and noticed that I had to tweak quite a few of them as the default settings were not what I wanted.

For instance, I believe I am fully on IPv6 from Comcast yet by default, the option "Filter IPv6 traffic" is not enabled.

From the help "Enable IPv6 filtering - Enabling this options means CIS will filter IPv6 network traffic in addition to IPv4 traffic. (Default = Disabled)" does not explain WHY this option is default disabled or what the impact of it being disabled IF you are running on IPv6 is.

Is this a security exposure if the filtering is NOT enabled?

Why can't Comodo tell if you are running IPv6 and enable this setting as...

Is your Leopard firewall switched on?


"A test of Leopard revealed that installing it led to the firewall on a Mac being turned off and its default setting changed to leave it disabled.... ....

He also found that even when the firewall was re-activated it did not let users know about all the potentially vulnerable processes running on that machine. .....

Mikko Hypponen, chief research officer at F-Secure, said: "Year after year, Macs continue to have these potential security problems.

"However, in practice they just don't seem to become real-world problems," he added. "The old wisdom still stands: if you want to avoid viruses and worms, get a Mac." "

Just thought it might be of interest. Personally, I'd want my firewall switched on and fully functioning on my Mac. That way you can stop anything that is legitimately on your computer accessing the internet. I get most programs to ask permission...

Microsoft undertook a large-scale project to bolster security in Windows Server 2003 Service Pack 2, including a full-featured endpoint firewall (Windows Firewall). This resulted in what was known at the time as the Vista reset, putting a temporary freeze on development of Microsoft’s next operating system.

Although Server 2003 and XP had been released only a couple of years before the arrival of SP2, the security landscape had changed dramatically, with Windows XP on the client side becoming increasingly vulnerable to attack.

While Windows had previously included the Internet Connection Firewall (ICF), it was turned off by default and offered limited functionality, so a complete endpoint firewall solution was something new for Windows administrators.

It was common practice to turn off Firewall in Windows as part of the build for PCs and servers on the corporate intranet. This was largely because it was considered that the network edge firewall provided...

(and worse yet some threads have been closed entirely to silence the concerns of myself and other customers)

No, I have never (and never will) close threads to silence concerns or anything. I'm more than happy to let people discuss PIA's flaws: we're not perfect, nobody is, and every opinion is valuable even if it's negative.

The reason I have closed the other threads a while ago was neither because of you, nor because I wanted to silence anything. I closed them down because it had turned into a mess of insults and the vote to close those was unanimous within the team. And so was the vote to ban jbis.

We have issues, there's no denial of that. We're well aware of most of them. That's no excuse to continuously shit on the developer's heads (and I'm saying that as someone that has pissed off the developers a few times). Why do you even bother staying here if you use such a better competitor anyway?

In general we're tired of the constant negativity...

I have changed the default configuration of Webroot's firewall to "Warn if any new, untrusted process connects to the Internet."

Why doesn't the Webroot firewall block everything that connects to the internet automatically instead of allowing it after a 60 second warning?


Webroot learned some useful things from the 2011 version of our firewall. One of the most frequent customer support issues was people unwittingly blocking themselves from getting online altogether or blocking other important processes by using the firewall.

Having the firewall automatically block everything the user doesn't allow creates the problem that the burden of responsibility is then on the user to know exactly what every process is and does. Most users don't know what something like "svchost" is for instance, but if you block it (which many people did on the 2011 version), you end up being unable to get online. Any file with a relatively cryptic naming...

Why is it even necessary to convince anybody that they need a firewall enabled on their Internet-facing computer – desktop or server? You would think that the role of a firewall should be obvious to any computer user. However, some of the comments that I have come across on this subject tell me that is not necessarily true.

Take for example this comment on the Chakra forum:

I’m also against firewall (how many people surf with a usb modem on linux, or disable router firewall??), but MAC to me is lame. What kind of porn site or what kind of script you should visit/run to get malware on linux? and since perhaps three guys in a thousand usually download and run script without reading it, should I have my computer bloated with these pieces of software? Seriously: how many time you ran amarok, or vlc and find an exploit blowing up your pc?

Or these from PCLinuxOS fanboys:

Just about all distros include a firewall but it is disabled by default. I don’t...

I suspect you're seeing the effects of a hijackware infection which either cannot be detected by your security apps or which has disabled them completely.

Unexplained computer behavior may be caused by deceptive software

Chances are you will need to seek expert assistance in

MS PCSafety provides home users (only) with no-charge support in dealing
with malware infections such as viruses, spyware (including unwanted
software), and adware.

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local,...

Believe it or not, there are valid reasons why you might want to disable the firewall service on a SUSE Linux Enterprise Server (SLES). For instance, avoiding NCP time-outs on client connections for an OES/SLES server. If you just want to know how to disable the firewall in most modern incarnations of SLES, read on…

The examples given here are assuming you are remote to the server. Of course, you could do all of this locally on the console, or adapt my instructions to the gui “Yast2”, but I’m going non-gui here for simplicity.

First, shell into the box, and su to root.

Method 1:

Launch the Yast non-gui firewall module:
yast firewall

To change the startup setting to “Manually”:
“Alt + m”

Optionally, to stop the service right now if running:
“Alt + t”

To complete the change:
“Alt + n”

To accept and finish:
“Alt + a”

Method 2:

To disable the service at next startup:

