As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient?












8















Let's assume:




  • I have little or no knowledge of the inner workings of the Ubuntu/Linux OS. All I know is from my experience of Windows, is that I have to have a firewall configured and running before I connect to the Internet, otherwise my system would be about as secure as going on holiday and leaving my house with all the doors and windows open.

  • I have just migrated to Ubuntu desktop 18.04 LTS and have just logged in for the first time. I want to secure my system before I connect my pc to the Internet.


(NB: Note the emphasis on the word desktop, so any references to server will not be pertinent to the question and therefore irrelevant)



and after some research on this subject I understand this much:



a. Is ufw the default firewall "configuration tool" for Ubuntu? (note it says configuration tool and not the actual firewall) and ufw is installed, but it is not running and is not configured at all, so it has no default rules set out of the box.



b. Gufw is a UI to ufw, but it's not installed by default, or at least that is the case with Ubuntu Desktop 18.04 LTS.



c. iptables is the actual firewall which is built-in to the kernel as a module.



At this point I know I can configure ufw as it's easy as abc, hence its name and to use it, as a starting point, you need to set deny (incoming), allow (outgoing) and start it, I also understand I could use Gufw to do this too. So I could just leave it there and do just that.



However, after all my research, I find many articles, questions and blogs on the subject with many views and opinions, many of them stating that you don't need a firewall, there are no open ports, but I am thinking, surely some ports must open when I connect to the internet? which means I am connecting my device to a network and opening up a two way traffic connection, but all the information I have read only serves to make this unclear and ambiguous, so I digest all that information and try to make sense of it then reduce it down to a single statement and so in a nutshell I surmise:




Ubuntu desktop users don't need ufw since it's merely a configuration tool for iptables which is the actual firewall under the hood.




So say I take the above statement literally, then is the following statement true?:




iptables is the built in firewall for Ubuntu Desktop and is fully configured and up and running out of the box with default rules that are sufficiently secure for the average desktop user.




Because if the above is true, then what would be the point in ufw except to provide an uncomplicated interface to iptables, which by all accounts is complicated and furthermore the experts advise you to avoid configuring iptables directly since if you don't know exactly what you are doing, you could easily render your system insecure or unusable, if it is misconfigured?



Here is an nmap scan of my system along with my firewall config, showing the open ports on my system:
[Image: nmap scan and Gufw firewall configuration]



Please could someone provide a concise, relevant and non-opinion, fact based answer :)

























closed as primarily opinion-based by mikewhatever, Pilot6, Emmet, Charles Green, Eric Carvalho Mar 19 at 20:27


Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.



















  • Easiest to install gufw to assist setting this up.

    – heynnema
    Mar 16 at 16:21











  • What is unclear in this? askubuntu.com/questions/178616/…

    – Pilot6
    Mar 16 at 19:05











  • You don't need ANY firewall if you don't have network services running. So it doesn't matter how and what is configured.

    – Pilot6
    Mar 16 at 19:09






  • 1





    I have added to my answer. At this point I have to remind you, that this is a question answer site, not a discussion forum. Please don't add new components to the question as I answer old ones. If you keep doing this, the question may be closed as too broad. Ask a new follow up question and refer to this question if you need.

    – user68186
    Mar 17 at 0:03











  • I am disappointed to see that this question has been put on hold based on the presumption that "answers to this question will tend to be almost entirely based on opinions, rather than fact", well isn't that just another opinion? That's the reason why I stated when I asked the question to provide a non-opinion fact based answer, so what you're saying is there isn't a definitive answer based on facts out there? I guess the answer from the official ubuntu documentation is not based on facts either? This question has had 630 views so obviously there are a lot of people interested in the answer!

    – user927685
    Mar 19 at 21:38
















iptables firewall ufw














edited Mar 20 at 17:53 by Fabby

asked Mar 16 at 16:11 by user927685












3 Answers


















12














The question changed considerably



New Answer



The TITLE Question




As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a
firewall or is iptables sufficient?




Most home Ubuntu users don't need or use ufw. Both ufw and iptables are installed by default and are configured to do nothing. Why there is no need is explained in more detail below.



The Other Question 1:




So say I take the above statement literally, then is the following
statement true?:



iptables is the built in firewall for Ubuntu Desktop and is fully
configured and up and running out of the box with default rules that
are sufficiently secure for the average desktop user namely deny
(incoming), allow (outgoing).




The statement is false



The statement is actually two statements joined by and. So if just one part of the whole statement is false, then the whole statement is false. Let's break it down:




iptables is the built in firewall for Ubuntu Desktop




The above part is true.



Now let's look at the other part:




iptables is fully
configured and up and running out of the box with default rules that
are sufficiently secure for the average desktop user namely deny
(incoming), allow (outgoing).




The above part is false.



Default Ubuntu desktop installation has no ports open, and no servers running. Therefore, even though iptables comes installed by default in desktop Ubuntu it is not configured to do anything. That is, the default firewall has no rules set.



Thus, iptables is configured to do nothing when you install Ubuntu.



The Other Question 2:



Explanations for nmap and gufw image (I think this is what you want)



Your nmap shows the only two open ports are open to 127.0.0.1. This is a special IP address that refers to the computer itself. That is, the computer itself can talk to itself using these two open ports.



The gufw screenshot shows that there are no firewall rules set up. However, since you installed gufw and clicked on it, ufw is also installed (gufw uses ufw) and ufw is active. The default ufw configuration you mentioned above, deny (incoming) and allow (outgoing) is working. However, these rules don't apply to the computer itself, that is 127.0.0.1. This is (not necessary but) sufficient for a home user.



Original Answer ==>



Average home users don't need a firewall



Default Ubuntu desktop installation has no ports open, and no servers running. Therefore if you don't run any server daemon, such as ssh server, you don't need any firewall. Thus, iptables is configured to do nothing when you install Ubuntu. See "Do I need to activate the firewall? I only use Ubuntu for a home desktop use?" for details.



If you run servers you need a firewall



If you are not an average home user, and want to do some advanced things, such as remotely access your desktop by ssh or run some other services, then you need a firewall. Your configuration of the firewall will depend on which server daemons you plan to run.



Even if you don't plan to run a server you may want a firewall with the default configuration of deny all incoming connections from all ports. This is to be doubly safe, in case, one day you want to install and run a server without realizing what you are doing. Without changing the default firewall configuration the server won't work as expected. You will scratch your head for hours before remembering that you activated the firewall. Then you may want to uninstall the server software, as it may not be worth the risk. Or you may want to configure the firewall to let the server work.




gufw is the easiest



gufw is a GUI interface for ufw, which in turn configures the iptables. Since you have been using Linux since the 1990s, you may be comfortable with the command line or you may prefer the visual cues of a GUI. If you like a GUI, then use gufw. It is easy to understand and configure even for a novice.




ufw is easy



If you like the command line, ufw is easy enough.




iptables is not so easy



The reason we don't want anyone to fiddle directly with the iptables, and use ufw or gufw is because it is very easy to mess up iptables and once you do, the system can break so badly that it may be unusable. The iptables-apply command has some built-in safeguards to protect the users from their mistakes.



Hope this helps
































  • OK thanks for your answer and your time, apologies for any inconvenience but it appears I am going to have to rewrite my question to clarify and simplify the question and details

    – user927685
    Mar 16 at 17:28













  • Thanks for your revised answer and again apologies since I have made further edits as I have been looking into all the comments and links to other questions, for some time and I wanted to try to include all the points I needed to make regarding why the other answers for one reason or another don't sufficiently answer my question and that is my final edit.

    – user927685
    Mar 16 at 23:30






  • 1





    Just want to point out that iptables has a mechanism to prevent the lockout situation you described. You use the built-in iptables-apply - a safer way to update iptables remotely

    – jchook
    Mar 17 at 0:19






  • 1





    @jchook Thanks for mentioning this. The more people read and comment on my answer, I get to learn more new things. :D

    – user68186
    Mar 17 at 0:22





















1














iptables is part of the TCP/IP networking stack. If you have *Nix you have IPTABLES. If you are on an IP network, firewall enabled or disabled, you are using iptables, regardless.



ufw is a *Nix application on top of (meaning using) iptables. It is shell console based but is not so difficult to use. It can be turned on/off. You can't disable iptables as there have to be default routes for the Internet (0.0.0.0), local loopback (127.0.0.0), localhost (192.168.0.0) and auto-addressing (169.254.0.0). As you can see, iptables is baked into the networking stack. You can't avoid it even if you wanted to.



ufw can modify iptables entries in the matrix from the comfort of the shell console. It is possible to edit the iptables IP routes by hand but I won't recommend it as that is error-prone at best. Think of ufw as the tool for editing the IP route tables.



Comfortable as I may be with the shell console, I still recommend the simplicity of gufw which is the graphical "wrapper" for ufw which sits atop iptables.



I love its simplicity especially adding applications' firewall profiles such as media servers or bittorrent apps. Whatever makes my life easier earns my kudos.



So to answer your modified question, IPTABLES will not protect your network if left alone by itself. It is not designed to block, filter, disable or allow certain ports that traverse the IP route tables. Use ufw + gufw if you want to only allow/block certain ports or range of ports which in turn dynamically edit the ip route table.
































  • Welcome to Ask Ubuntu! ;-) Although your answer is 100% correct, it might also become 100% useless if that link is moved, changed, merged into another one or the main site just disappears... :-( Therefore, please edit your answer, and copy the relevant steps from the link into your answer, thereby guaranteeing your answer for 100% of the lifetime of this site! ;-) You can always leave the link in at the bottom of your answer as a source for your material...

    – Fabby
    Mar 20 at 18:00











  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.

    – Mitch
    Mar 21 at 19:00



















0














I am providing this answer myself, since I was not convinced by people who are insisting you don't need a firewall, you have no open ports...
and I won't mark it accepted although I accept it myself, I'll leave it to the community to vote on whether this should be the answer.



All I would say to anyone using Ubuntu Desktop who comes across this question, if you are not sure about a firewall, because like me, you have seen for yourself there are so many conflicting views on this subject, then my advice is just go ahead and use a firewall, I recommend ufw and if you want a UI then use Gufw, because when all is said and done, even if all it does is give you peace of mind, you can do no harm in using it.



I eventually turned to the official Ubuntu documentation for clarification and found the following article and after my experience trying to find answers, I would recommend you read this article because it makes a lot of sense and it answers my question and sub questions and I think I am going to be OK now ;)



https://help.ubuntu.com/community/DoINeedAFirewall



Here is an excerpt from the above article:



I have no open ports, so I don't need a firewall, right?



Well, not really. This is a common misconception. First, let us understand what an open port actually is. An open port is a port that has a service (like SSH) bound and listening to it. When the SSH client tries to communicate with the SSH server it will send a TCP SYN packet to the SSH port (22 by default), and the server will ACKnowledge it, thus creating a new connection. The misconception in how a firewall can help you begins here. Some users assume that since you are running no services, a connection can not be made. So you do not need a firewall. If these were the only things you needed to think about, this would be perfectly acceptable. However, this is only part of the picture. There are two additional factors that come into play there. One, if you do not utilize a firewall on the basis that you have no open ports, you are crippling your own security because if an application that you do have is exploited and code execution occurs a new socket can be created and bound to an arbitrary port. The other important factor here is that if you are not utilizing a firewall you also have no outbound traffic control whatsoever. In the wake of an exploited application, instead of a new socket being created and a port being bound, another alternative an attacker can utilize is to create a reverse connection back to a malicious machine. Without any firewall rules in place this connection will go through unhindered.
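The excerpt defines an open port as a port with a service bound and listening on it. As an added example (not part of the original post or of the Ubuntu article), the script below classifies TCP listeners from `ss -tln` style output into loopback-only sockets, which other machines cannot reach, and sockets bound to network-facing addresses, which are the ones a deny-incoming policy covers. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets by how far they are exposed.
# Input:  lines in the format printed by `ss -tln` (header lines are ignored).
# Output: one line per listener: "<scope> <port> <address>".
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        sock = $4                        # "Local Address:Port" column
        n = split(sock, parts, ":")
        port = parts[n]                  # text after the last colon
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        sub(/%.*$/, "", addr)            # drop interface scope such as %lo
        gsub(/^\[|\]$/, "", addr)        # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"           # reachable only from this machine
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"     # reachable from any attached network
        else
            scope = "one-address"        # bound to one non-loopback address
        print scope, port, addr
    }'
}

# Unique port numbers that are reachable from outside the machine,
# printed on one line separated by spaces (empty if there are none).
exposed_ports() {
    classify_listeners | awk '$1 != "loopback" { print $2 }' |
        sort -n -u | paste -s -d ' ' -
}

# Constructed sample input (not captured from a real system).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      [::1]:631          [::]:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      10     192.168.1.20:8000  0.0.0.0:*'

printf '%s\n' "$SAMPLE" | classify_listeners
printf 'Exposed ports: %s\n' "$(printf '%s\n' "$SAMPLE" | exposed_ports)"

# On a live system:  ss -tln | classify_listeners
```

A port that shows up as `all-interfaces` or `one-address` after installing new software is exactly the case where a firewall that denies incoming connections by default still blocks outside access until a rule is added.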






    12














    The question changed considerably



    New Answer



    The TITLE Question




    As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a
    firewall or is iptables sufficient?




    Most home Ubuntu users don't need or use ufw. Both ufw and iptables are installed by default and are configured to do nothing. Why there is no need is explained in more detail below.



    The Other Question 1:




    So say I take the above statement literally, then is the following
    statement true?:



    iptables is the built in firewall for Ubuntu Desktop and is fully
    configured and up and running out of the box with default rules that
    are sufficiently secure for the average desktop user namely deny
    (incoming), allow (outgoing).




    The statement is false



    The statement is actually two statements joined by and. So if just one part of the whole statement is false, then the whole statement is false. Let's break it down:




    iptables is the built in firewall for Ubuntu Desktop




    The above part is true.



    Now let's look at the other part:




    iptables is fully
    configured and up and running out of the box with default rules that
    are sufficiently secure for the average desktop user namely deny
    (incoming), allow (outgoing).




    The above part is false.



    Default Ubuntu desktop installation has no ports open, and no servers running. Therefore, even though iptables comes installed by default in desktop Ubuntu, it is not configured to do anything. That is, the default firewall has no rules set.



    Thus, iptables is configured to do nothing when you install Ubuntu.



    The Other Question 2:



    Explanations for nmap and gufw image (I think this is what you want)



    Your nmap shows the only two open ports are open to 127.0.0.1. This is a special IP address that refers to the computer itself. That is, the computer itself can talk to itself using these two open ports.



    The gufw screenshot shows that there are no firewall rules set up. However, since you installed gufw and clicked on it, ufw is also installed (gufw uses ufw) and ufw is active. The default ufw configuration you mentioned above, deny (incoming) and allow (outgoing), is working. However, these rules don't apply to the computer itself, that is 127.0.0.1. This is (not necessary but) sufficient for a home user.



    Original Answer ==>



    Average home users don't need a firewall



    Default Ubuntu desktop installation has no ports open, and no servers running. Therefore if you don't run any server daemon, such as an ssh server, you don't need any firewall. Thus, iptables is configured to do nothing when you install Ubuntu. See "Do I need to activate the firewall? I only use Ubuntu for a home desktop use?" for details.



    If you run servers you need a firewall



    If you are not an average home user, and want to do some advanced things, such as remotely access your desktop by ssh or run some other services, then you need a firewall. Your configuration of the firewall will depend on which server daemons you plan to run.



    Even if you don't plan to run a server you may want a firewall with the default configuration of deny all incoming connections from all ports. This is to be doubly safe, in case, one day you want to install and run a server without realizing what you are doing. Without changing the default firewall configuration the server won't work as expected. You will scratch your head for hours before remembering that you activated the firewall. Then you may want to uninstall the server software, as it may not be worth the risk. Or you may want to configure the firewall to let the server work.




    gufw is the easiest



    gufw is a GUI interface for ufw, which in turn configures iptables. Since you have been using Linux since the 1990s, you may be comfortable with the command line or you may prefer the visual cues of a GUI. If you like a GUI, then use gufw. It is easy to understand and configure even for a novice.




    ufw is easy



    If you like the command line, ufw is easy enough.




    iptables is not so easy



    The reason we don't want anyone to fiddle directly with iptables, and to use ufw or gufw instead, is that it is very easy to mess up iptables, and once you do, the system can break so badly that it may be unusable. The iptables-apply command has some built-in safeguards to protect users from their mistakes.



    Hope this helps
































    • OK thanks for your answer and your time, apologies for any inconvenience but it appears I am going to have to rewrite my question to clarify and simplify the question and details

      – user927685
      Mar 16 at 17:28













    • Thanks for your revised answer and again apologies since I have made further edits as I have been looking into all the comments and links to other questions, for some time and I wanted to try to include all the points I needed to make regarding why the other answers for one reason or another don't sufficiently answer my question and that is my final edit.

      – user927685
      Mar 16 at 23:30






    • 1





      Just want to point out that iptables has a mechanism to prevent the lockout situation you described. You use the built-in iptables-apply - a safer way to update iptables remotely

      – jchook
      Mar 17 at 0:19






    • 1





      @jchook Thanks for mentioning this. The more people read and comment on my answer, I get to learn more new things. :D

      – user68186
      Mar 17 at 0:22


























    edited Mar 19 at 15:34

























    answered Mar 16 at 16:54









    user68186




























    1














    iptables is part of the TCP/IP networking stack. If you have *Nix you have IPTABLES. If you are on an IP network, firewall enabled or disabled, you are using iptables, regardless.



    ufw is a *Nix application on top of (meaning using) iptables. It is shell console based but is not so difficult to use. It can be turned on/off. You can't disable iptables as there have to be default routes for the Internet (0.0.0.0), local loopback (127.0.0.0), localhost (192.168.0.0) and auto-addressing (169.254.0.0). As you can see, iptables is baked into the networking stack. You can't avoid it even if you wanted to.



    ufw can modify iptables entries in the matrix from the comfort of the shell console. It is possible to edit the iptables IP routes by hand but I won't recommend it as that is error-prone at best. Think of ufw as the tool for editing the IP route tables.



    Comfortable as I may be with the shell console, I still recommend the simplicity of gufw which is the graphical "wrapper" for ufw which sits atop iptables.



    I love its simplicity especially adding applications' firewall profiles such as media servers or bittorrent apps. Whatever makes my life easier earns my kudos.



    So to answer your modified question, IPTABLES will not protect your network if left alone by itself. It is not designed to block, filter, disable or allow certain ports that traverse the IP route tables. Use ufw + gufw if you want to only allow/block certain ports or range of ports, which in turn dynamically edits the IP route table.






    share|improve this answer


























    • Welcome to Ask Ubuntu! ;-) Although your answer is 100% correct, it might also become 100% useless if that link is moved, changed, merged into another one or the main site just disappears... :-( Therefore, please edit your answer, and copy the relevant steps from the link into your answer, thereby guaranteeing your answer for 100% of the lifetime of this site! ;-) You can always leave the link in at the bottom of your answer as a source for your material...

      – Fabby
      Mar 20 at 18:00











    • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.

      – Mitch
      Mar 21 at 19:00
















    1














    iptables is part of the TCP/IP networking stack. If you have *Nix you have IPTABLES. If you are on a IP network, firewall enabled or disabled, you are using iptables, regardless.



    ufw is a *Nix application on top of (meaning using iptables). It is shell console based but is not so difficult to use. It can be turned on/off. You can't disable iptables as there have to be default routes for the Internet (0.0.0.0), local loopback (127.0.0.0), localhost (192.168.0.0) and auto-addressing (169.254.0.0). As you can see, iptables is baked into the networking stack. You can't avoid it even if you wanted to.



    ufw can modify iptables entries in the matrix from the comfort of the shell console. It is possible to edit the iptables IP routes by hand but I won't recommend it as that is error-prone at best. Think of ufw as the tool for editing the IP route tables.



    Comfortable as I may be with the shell console, I still recommend the simplicity of gufw which is the graphical "wrapper" for ufw which sits atop iptables.



    I love its simplicity especially adding applications' firewall profiles such as media servers or bittorrent apps. Whatever makes my life easier earns my kudos.



    So to answer your modified question, IPTABLES will not protect your network if left alone by itself. It is not designed to block, filter, disable or allow certain ports that traverses the IP route tables. Use ufw + gufw if you want to only allow/block certain ports or range of ports which in turn dynamically edit the ip route table.






    edited Mar 20 at 23:07

























    answered Mar 16 at 22:41









    quantanglement














    • Welcome to Ask Ubuntu! ;-) Although your answer is 100% correct, it might also become 100% useless if that link is moved, changed, merged into another one or the main site just disappears... :-( Therefore, please edit your answer, and copy the relevant steps from the link into your answer, thereby guaranteeing your answer for 100% of the lifetime of this site! ;-) You can always leave the link in at the bottom of your answer as a source for your material...

      – Fabby
      Mar 20 at 18:00











    • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.

      – Mitch
      Mar 21 at 19:00






























    0














    I am providing this answer myself, since I was not convinced by people who are insisting you don't need a firewall, you have no open ports...
    and I won't mark it accepted although I accept it myself, I'll leave it to the community to vote on whether this should be the answer.



    All I would say to anyone using Ubuntu Desktop who comes across this question, if you are not sure about a firewall, because like me, you have seen for yourself there are so many conflicting views on this subject, then my advice is just go ahead and use a firewall, I recommend ufw and if you want a UI then use Gufw, because when all is said and done, even if all it does is give you peace of mind, you can do no harm in using it.



    I eventually turned to the official Ubuntu documentation for clarification and found the following article and after my experience trying to find answers, I would recommend you read this article because it makes a lot of sense and it answers my question and sub questions and I think I am going to be OK now ;)



    https://help.ubuntu.com/community/DoINeedAFirewall



    Here is an excerpt from the above article:



    I have no open ports, so I don't need a firewall, right?



    Well, not really. This is a common misconception. First, let us understand what an open port actually is. An open port is a port that has a service (like SSH) bound and listening to it. When the SSH client tries to communicate with the SSH server it will send a TCP SYN packet to the SSH port (22 by default), and the server will ACKnowledge it, thus creating a new connection. The misconception in how a firewall can help you begins here. Some users assume that since you are running no services, a connection can not be made. So you do not need a firewall. If these were the only things you needed to think about, this would be perfectly acceptable. However, this is only part of the picture. There are two additional factors that come into play there. One, if you do not utilize a firewall on the basis that you have no open ports, you are crippling your own security because if an application that you do have is exploited and code execution occurs a new socket can be created and bound to an arbitrary port. The other important factor here is that if you are not utilizing a firewall you also have no outbound traffic control whatsoever. In the wake of an exploited application, instead of a new socket being created and a port being bound, another alternative an attacker can utilize is to create a reverse connection back to a malicious machine. Without any firewall rules in place this connection will go through unhindered.






        edited Mar 18 at 0:38

























        answered Mar 17 at 23:54







        user927685
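
As an added example (not part of the answers above or of the Ubuntu article), the excerpt's definition of an open port, a service bound and listening, can be checked directly: this script lists listening sockets that are bound to a non-loopback address and reads ufw's default incoming policy. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tuln` output (not captured from a real machine).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      [::1]:631          [::]:*
tcp   LISTEN 0      128    [::]:22            [::]:*'

# Constructed sample of `ufw status verbose` output.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# exposed_listeners (hypothetical helper): read `ss -tuln` output on stdin and
# print "proto port" for every socket bound to a non-loopback address,
# sorted and de-duplicated (IPv4 and IPv6 binds of one port collapse).
exposed_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }        # skip header and other lines
        {
            field = $5                              # Local Address:Port column
            n = split(field, parts, ":")
            port = parts[n]                         # text after the last colon
            addr = substr(field, 1, length(field) - length(port) - 1)
            sub(/%.*/, "", addr)                    # drop interface scope (%lo)
            gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback-only bind
            print $1, port
        }
    ' | sort -u -k1,1 -k2,2n
}

# ufw_incoming_policy (hypothetical helper): read `ufw status verbose` output
# on stdin and print "inactive", the default incoming policy, or "unknown".
ufw_incoming_policy() {
    awk '
        /^Status: inactive/ { print "inactive"; found = 1; exit }
        /^Default:/         { print $2; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# On a live system: ss -tuln | exposed_listeners
#                   sudo ufw status verbose | ufw_incoming_policy
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf '%s\n' "$SAMPLE_UFW" | ufw_incoming_policy
```

Any port the first function prints is reachable from the network unless the firewall's incoming policy or a specific rule blocks it.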





















