Comment 5 for bug 382938

Sorry for the separate comment. Thoughts occurred to me just after posting.

A good firewall (i.e. one that offers security without interfering with your intended activity) requires configuration and some decisions on the part of the user. There's ultimately no way of getting around that.

If a firewall like ufw enabled itself upon installation, it would allow no window for configuration before its default one potentially shut down ongoing intended traffic on that system. (This may not be a big deal for home users, but keep in mind the number of critical systems around the world that run on Linux. You wouldn't want to make your package a pain to get going smoothly for admins of such systems.) If you made the default configuration fairly permissive to try to mitigate that, you run the very real risk of giving a false sense of security to those home users---sys admins would presumably know better than to just blindly trust the default. This is particularly true for (relative) linux noobs like myself who are not at all eager to trudge through configuration files. If a firewall enabled itself out of the box, many people would leave it at the default.

Given that I think the best course is to leave an opportunity for configuration before it gets enabled, but also make it very clear during installation that it is being left disabled.