
Beware: Ubuntu’s firewall is disabled by default!

Microsoft has gotten a lot of grief for not including a functional firewall until XP SP2, but Ubuntu’s is turned off by default!

Here are three easy steps that will turn it on and protect your PC on public networks.

Security through…ignorance?

This may not seem like a big deal; Ubuntu doesn’t have any real services running by default so there’s simply nothing to connect to at first. Don’t fall into this foolish mentality though, since you don’t know what you will one day install that will accept incoming connections.

If you so much as install BitTorrent Sync and don’t have a firewall up, any stranger at a public hotspot can simply type your IP address into Firefox at port 8888 and grant themselves access to your shares.

The same goes for services like Apache; if you do any web development working from your local Starbucks, your computer may be serving web pages along with the coffee, so you’d better hope the server version you’re running is not exploitable.

Don’t neglect your host-based firewall.

There’s a reason distros like BSD lock everything down by default until you enable specified services. Windows now does this too (networks are categorized as public by default, until you say otherwise). And I don’t care for Apple products, but even they have a firewall enabled by default.

The crazy thing is the massive push by Linux advocates over the last decade to move everybody from corporations to Grandma, away from Windows and onto Ubuntu, with security being an oft-cited reason. If “security” is touted as one of the biggest reasons to move away from Windows, I wonder how many ports those evangelists have open.

Don’t trust the “community experts.”

A new Ubuntu user asks how to disable Ubuntu’s built-in firewall. The top-rated answers are kinda sorta technically correct, in very specific circumstances. As in, they would be correct…if he happened to enable it in the first place, using this particular method.

But in the asker’s case, it is blatantly wrong advice. The top-rated answer is (rightfully) smacked down in the comments, but that’s only something one would know if a visiting user read that far and understood the point the commenters were trying to raise.

Then there’s this gem:

There isn’t a firewall by default (one is not needed) so you will have to specify if you set one up, and if you know how to do that, you should know how to undo it.

So, based on the thread, does Ubuntu have a firewall or not? Do I need one? How is it configured? Is it on or off? What’s this about “iptables -F”? I thought it was “UFW?”

It’s a sorry state of affairs if there is this much confusion over something as simple as making sure Ubuntu has an operational firewall.

There is no ambiguity with Windows or OSX. You know if it’s on, or off. And it’s on by default.

How to enable the firewall.

It’s shamefully easy to enable the firewall on Ubuntu. With three commands, I can enable the firewall with logging, permit SSH traffic, and deny everything else:

sudo ufw allow 22/tcp   # permit incoming SSH
sudo ufw logging on     # log packets the firewall blocks
sudo ufw enable         # activate ufw; its default policy denies all other incoming traffic

That’s all there is to it! It’s not part of the default install, and it’s not like anybody’s going to remind you to do it. Instead, they’ll tell you:

The purpose of a firewall is to block access to insecure services, so you only need one if you are running insecure services, and for some reason, can’t or won’t disable or secure such services. The perception they are “needed” in Windows is because it ships with several insecure services installed by default. Ubuntu does not do such foolishness.

So conventional wisdom by community charlatans holds that you don’t need a firewall since no insecure services have ever been found on Linux. Ubuntu is also bulletproof and never has any security issues.

You also don’t need to get vaccinated, eat your vegetables or wear a seatbelt. And you’re totally fine to drive.

Testing your configuration.

Run a port scan using something like NetScan for Android and make sure nothing else is visible that shouldn’t be exposed. Only port 22 should show, unless you enabled additional services.
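A port scan from a second device is the definitive test, but you can also audit the machine from the inside before you ever join a public network. The script below is an added example, not part of the original post: it parses the output format of `ss -Hltn` (listening TCP sockets) and `sudo ufw status`, then reports which listeners are actually reachable from the network, i.e. bound to something other than loopback and, when ufw is active, explicitly allowed. Both sample outputs are constructed for the example (a sync client on 8888, Apache on 80, sshd on 22, and a database bound only to 127.0.0.1), and the script assumes ufw's stock default policy of denying incoming connections and that every allow rule is a plain single-port TCP rule; the `expected` baseline of only port 22 mirrors the post.

```python
"""Audit which listening TCP services are reachable from the network.

Added example (not the post's own code). Parses constructed `ss -Hltn` and
`sudo ufw status` output; assumes ufw's default "deny (incoming)" policy.
"""
import re

# Constructed sample of `ss -Hltn`: 0.0.0.0 / [::] / * mean "all interfaces",
# 127.0.0.1 means loopback only (not reachable from the hotspot).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096         0.0.0.0:8888      0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
"""

# Constructed sample of `sudo ufw status` after the three commands in the post.
SAMPLE_UFW = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Constructed sample of the out-of-the-box state the post warns about.
SAMPLE_UFW_OFF = "Status: inactive\n"

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Matches single-port TCP allow rules in both `status` and `status verbose` form.
RULE = re.compile(r"^(\d+)/tcp(?: \(v6\))?\s+ALLOW(?: IN)?\s+Anywhere")


def parse_listeners(ss_output):
    """Return a set of (port, bound_address) pairs from `ss -Hltn` lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # "[::]:22" -> ("[::]", "22")
        listeners.add((int(port), addr))
    return listeners


def parse_ufw(ufw_output):
    """Return (active, allowed_ports). Only plain PORT/tcp ALLOW rules are
    understood; anything else (ranges, apps, source-limited rules) is ignored."""
    active = False
    allowed = set()
    for line in ufw_output.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
            continue
        m = RULE.match(line)
        if m:
            allowed.add(int(m.group(1)))
    return active, allowed


def exposed_ports(ss_output, ufw_output):
    """Ports reachable from the network. With ufw inactive every non-loopback
    listener is exposed; with ufw active (default deny incoming) only allowed
    ones are."""
    active, allowed = parse_ufw(ufw_output)
    reachable = {port for port, addr in parse_listeners(ss_output)
                 if addr not in LOOPBACK}
    return reachable & allowed if active else reachable


def audit(ss_output, ufw_output, expected=frozenset({22})):
    """Summarise the exposure against an expected baseline (SSH only)."""
    active, _ = parse_ufw(ufw_output)
    exposed = exposed_ports(ss_output, ufw_output)
    return {
        "firewall_active": active,
        "exposed": sorted(exposed),
        "unexpected": sorted(exposed - set(expected)),
    }


if __name__ == "__main__":
    print("after the three ufw commands:", audit(SAMPLE_SS, SAMPLE_UFW))
    print("stock Ubuntu (ufw inactive):  ", audit(SAMPLE_SS, SAMPLE_UFW_OFF))
```

On a real machine, feed it `ss -Hltn` and `sudo ufw status` output instead of the samples; anything listed under `unexpected` is a service a stranger on the same network can reach, which is exactly the 8888 and 80 case described above when ufw is still in its inactive default state.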
