ufw should be enabled by default

Bug #382938 reported by Jamie Strandboge on 2009-06-02
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ufw (Ubuntu)
Declined for Dapper by Jamie Strandboge
Declined for Hardy by Jamie Strandboge
Declined for Intrepid by Jamie Strandboge
Declined for Jaunty by Jamie Strandboge
Declined for Karmic by Jamie Strandboge
Declined for Lucid by Jamie Strandboge

Bug Description

Binary package hint: ufw

ufw should be enabled by default in Ubuntu.

Changed in ufw (Ubuntu):
importance: Undecided → Wishlist
Changed in ufw (Ubuntu):
status: New → Triaged
security vulnerability: no → yes
Changed in ufw (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in ufw:
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Jamie Strandboge (jdstrand) wrote :

This is a wishlist bug that was already triaged. It is not a security vulnerability. Please do not assign and manipulate bugs without following the regular bug triage practices.

Jamie Strandboge (jdstrand) wrote :

ufw can't be enabled by default in the upstream version. Marking Invalid.

Changed in ufw:
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → Invalid
Changed in ufw (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
security vulnerability: yes → no
Fred (eldmannen+launchpad) wrote :

Windows comes with firewall enabled by default.
Does Mac OS X?
Perhaps Linux should too?

Terry (wearenotamused) wrote :

I don't have a strong opinion one way or the other about whether ufw should enable itself upon installation, but what other operating systems do is a very poor basis upon which to make that decision.

Terry (wearenotamused) wrote :

Sorry for the separate comment. Thoughts occurred to me just after posting.

A good firewall (i.e. one that offers security without interfering with your intended activity) requires configuration and some decisions on the part of the user. There's ultimately no way of getting around that.

If a firewall like ufw enabled itself upon installation, it would allow no window for configuration before its default one potentially shut down ongoing intended traffic on that system. (This may not be a big deal for home users, but keep in mind the number of critical systems around the world that run on Linux. You wouldn't want to make your package a pain to get going smoothly for admins of such systems.) If you made the default configuration fairly permissive to try to mitigate that, you run the very real risk of giving a false sense of security to those home users---sys admins would presumably know better than to just blindly trust the default. This is particularly true for (relative) Linux noobs like myself who are not at all eager to trudge through configuration files. If a firewall enabled itself out of the box, many people would leave it at the default.

Given that, I think the best course is to leave an opportunity for configuration before it gets enabled, but also make it very clear during installation that it is being left disabled.

Jamie Strandboge (jdstrand) wrote :

This can't be enabled until there is a graphical tool in the default desktop installation. Once that is done and there is proper integration with the desktop, it can be reconsidered. At present ufw can be preseeded in all Ubuntu installations to be enabled on first boot.

See also: Feature Request: Allow / Deny incoming connections, outbound detection dialog #689818

What is the point in adding ufw to a distribution if it's disabled by default? Surely those users who know how to enable it are also able to disable, install and uninstall it as well. Ordinary desktop users using computers as tools have no idea what a firewall is and why it's needed.

Here is a patch for this bug and #1795370 set default LOGLEVEL=off

The attachment "Fix default values to enable ufw and set logging off, and start the firewall for fresh installs" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Jeremy Bicha (jbicha) wrote :

Santeri, see comment #6. There still is no graphical tool in Ubuntu's default desktop to enable and disable ufw. Therefore, we won't be able to accept your patch.

I am unsubscribing ubuntu-sponsors. Please re-subscribe ubuntu-sponsors if you have something else that needs sponsoring.


I believe that without a graphical tool it is even more critical to have ufw enabled and running by default. Anyway, no worries about my patch and bug reports. I forked and patched ufw and have the package available in my PPA at https://launchpad.net/~santerikannisto/+archive/ubuntu/desktop

At this point I don't see any point or need in implementing a GUI config tool for ufw by myself nor participating in such an effort. For my needs it's enough that ufw is enabled and running out-of-the-box blocking by default all incoming traffic with logging switched off.



Raymond Wan (rwan) wrote :

Sorry to bring up a 4-month-old topic, but I wouldn't want to see ufw enabled by default without a proper discussion.

I've previously managed servers (both real and virtual) remotely and if installing ufw meant that the firewall suddenly went up, I might lose my remote connection to the servers. For me, that would be a disaster...

And, I'm not sure if separating ufw into a desktop version and a server version is worthwhile.

Comment #3 from 2010 about having it enabled by default may be one OS' way of taking the marketshare. I'm not convinced it's done for the user's sake. On a Windows machine, I purchased another program to manage my firewall, but I still get reminders about not having the Microsoft firewall brought up. If it was for my protection, then the existence of a firewall by another vendor should remove the Microsoft firewall (and its reminders) completely...
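The remote-lockout concern raised in this thread, shown as an added example that is not part of the bug report, the attached patch, or ufw itself: a pre-flight check that refuses to enable the firewall unless an added rule already admits the SSH port. The function names and sample rule text are constructed for illustration; `ufw show added` and `ufw --force enable` are the only ufw commands used.

```shell
#!/bin/sh
# Added example: pre-flight check before `ufw enable` on a host managed over SSH.

# rules_admit_port PORT
# Reads `ufw show added`-style text on stdin. Succeeds when an allow or limit
# rule covers PORT over TCP, or names the ssh service / OpenSSH profile when
# PORT is 22. Rules restricted to UDP are ignored. It does not verify that
# a source-restricted rule covers the address you are connecting from.
rules_admit_port() {
    awk -v port="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            hit = 0; udp = 0
            for (i = 3; i <= NF; i++) {
                if ($i == port || $i == (port "/tcp")) hit = 1
                if (port == "22" && ($i == "ssh" || $i == "OpenSSH")) hit = 1
                if ($i == "udp") udp = 1
            }
            if (hit && !udp) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# enable_ufw_if_ssh_safe [PORT]
# Live wrapper (needs root and the ufw CLI); only defined here, never called.
enable_ufw_if_ssh_safe() {
    if ufw show added | rules_admit_port "${1:-22}"; then
        ufw --force enable
    else
        echo "refusing to enable ufw: no allow rule for tcp port ${1:-22}" >&2
        return 1
    fi
}

# Constructed sample inputs in the format printed by `ufw show added`.
SAMPLE_SAFE="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw limit 22/tcp"
SAMPLE_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw deny 22/tcp"
```

On a real host, add the SSH rule first and then call `enable_ufw_if_ssh_safe` as root; rules can be added while ufw is still disabled.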
