How to block outgoing ports in Firewalld and allow specific ports?

Because when we create a new ISO, we select which packages to install. Starting with the Atlantis release, we started including pipewire-pulse by default.

However, there are two things to point out about that:

  • That isn’t something Arch did; it is something EndeavourOS did
  • That is for new installs from that ISO. It doesn’t impact prior installs.

One more question. If that’s the case, why didn’t the EndeavourOS team make NFTABLES the default like they did in the case of pipewire?

The reason I am asking this is because Ubuntu from 20.10 is shipping with NFTABLES by default.

We don’t ship a firewall by default so there is no meaning to “make nftables/iptables the default”.

You mean EOS ships with IPTABLES but it’s not enabled by default, correct?
Many years ago I asked on ubuntuforums why the firewall is not enabled by default, and I was told that it is because there are no listening services by default, but that it’s a good idea to set ufw to default deny in for added security.

So the same story with EOS ?

The packages iptables and nftables are just the userspace controls for the iptables and nftables support in the kernel. Installing them doesn’t make one the other the “default”. Nor does it provide your system any protection. It just gives you the ability to use them if you choose to do so.

The reason that the iptables package is installed is because it is getting pulled in as a dependency.

e.g. for systemd

What’s the reason behind this decision? Why not make the system secure by default?
Fedora, which ships with Firewalld by default, enables it out of the box but allows ssh, which I disable every time I install Fedora.

And which one-size-fits-all set of rules as default?

Why not set up and enable bluetooth by default?
Why not install a GUI package manager by default?
In my opinion this would be against KISS.
It’s up to you if you want to set up a firewall on your system.

IMHO Deny all in and allow all out

I never used a Linux firewall in my life. And I am not convinced that I need one.

But it took just 2 minutes of reading and 4 lines in the terminal to set up

Deny all in and allow all out

I just don’t see the benefit for the majority of users to set it up on a desktop system by default.

Then you are not considering the reality and scope of attacks in the current world.

That was the case 5-10 years ago but not any more. A local firewall is just as important if not more important than a network firewall.

It is only non-important if all of the following are true:

  • You are careful with what you do online and run a minimal application set
  • You live alone and have complete control of all the devices in your local network
  • You have no iot/smart devices in your network
  • You never have guests with phones, computer or smart devices
  • You don’t have a wireless network

For everyone else, it is quite important.

The firewall at the edge of the network protects you against attacks from outside your network. The firewall on your PC protects you from attacks on the inside of your network. These days both are big threats. Most of us have devices inside our network that make calls to the outside of our network that can be compromised. Thermostats, health tracking wearables, TVs, streaming devices, smart washers/dryers, exercise equipment, virtually everything amazon/google/facebook makes, etc, etc, etc. Even if you don’t have any of those devices, many people have other people on their network who may not be as careful or knowledgeable as they are.

Security is a more real risk today than it ever has been in the past. People who are still holding on to old security paradigms may already be compromised somewhere.

I too am worried about my desktop’s security. Paranoid may be more applicable here than worried. I have not only blocked all in, but I have set ufw to block all out and then opened only specific outgoing ports like 80, 443, 53, etc., which are needed for daily activities like web browsing. Some people have told me that blocking outgoing ports in a home network serves no purpose and makes life difficult because you then need to open the outgoing ports required by various apps, like an IRC client for example, but I have still done it.
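The two ufw setups described in this thread (the earlier "deny all in, allow all out" in four lines, and the "deny all out, then re-open only specific ports" approach from the post above), plus the firewalld equivalent of the strict one, as an added shell example. This is not code from the thread or from the ufw/firewalld projects. The profile names, the policy name, the port list (DNS, HTTP, HTTPS, NTP) and the `--apply` switch are assumptions made for the example; the commands are generated as text first so they can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the two
# egress policies discussed above for ufw, plus the firewalld equivalent of the
# strict one. "basic" = deny all in, allow all out; "strict" = deny all in and
# out, then re-open only the listed outbound ports.
set -eu

# Outbound ports the strict profile re-opens. The list is an assumption for the
# example (DNS, HTTP, HTTPS, NTP); anything else an app needs, e.g. an IRC
# client, must be added here or its connections will be dropped.
STRICT_OUT_TCP="53 80 443"
STRICT_OUT_UDP="53 123"

# ufw_rules PROFILE: print the ufw commands for PROFILE, one per line, without
# running anything, so the rule set can be reviewed before it is applied.
ufw_rules() {
    profile="$1"
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    case "$profile" in
        basic)
            echo "ufw default allow outgoing"
            ;;
        strict)
            echo "ufw default deny outgoing"
            for p in $STRICT_OUT_TCP; do echo "ufw allow out $p/tcp"; done
            for p in $STRICT_OUT_UDP; do echo "ufw allow out $p/udp"; done
            # Log drops, so an app that stops working shows up as an
            # "[UFW BLOCK]" line in the kernel log instead of a silent hang.
            echo "ufw logging low"
            ;;
        *)
            echo "unknown profile: $profile" >&2
            return 1
            ;;
    esac
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# firewalld_rules POLICY: the same strict policy for firewalld (1.0 or later,
# which has policy objects). A HOST -> ANY policy with target DROP drops
# everything the host itself originates except the listed ports. POLICY is just
# the name given to the policy object (an assumption for the example).
firewalld_rules() {
    pol="$1"
    echo "firewall-cmd --permanent --new-policy $pol"
    echo "firewall-cmd --permanent --policy $pol --add-ingress-zone HOST"
    echo "firewall-cmd --permanent --policy $pol --add-egress-zone ANY"
    echo "firewall-cmd --permanent --policy $pol --set-target DROP"
    for p in $STRICT_OUT_TCP; do
        echo "firewall-cmd --permanent --policy $pol --add-port $p/tcp"
    done
    for p in $STRICT_OUT_UDP; do
        echo "firewall-cmd --permanent --policy $pol --add-port $p/udp"
    done
    echo "firewall-cmd --reload"
}

# apply_rules GENERATOR ARG: run each generated command (needs root), or only
# print it when DRY_RUN=1, e.g.  DRY_RUN=1 apply_rules ufw_rules strict
apply_rules() {
    "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Apply only when invoked as  ./script --apply <ufw_rules|firewalld_rules> <arg>;
# otherwise the file has no side effects and can be sourced for review.
if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-ufw_rules}" "${3:-basic}"
fi
```

Print the strict rule set first (`DRY_RUN=1 apply_rules ufw_rules strict` after sourcing the file) and only then run it with `--apply`. Everything not in the port lists is dropped, so expect to extend the lists as applications break; with logging on, the dropped packet's destination port shows up in the kernel log and tells you which line to add.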

1. Yes
2. First part no, second yes
3. Smart devices can’t access the home network (guest network)
4. See 3
5. Yes I have, but I live under the delusion that I am not easy prey

That is about you. Everyone has a different personal risk profile.

My response wasn’t directed at you specifically; it was about “most users”. I would say that most users couldn’t answer those questions the same way you did. The fact that you have network segregation alone separates you from the average user.

I think what separates me even more is that I changed the admin password for my router :wink:

Maybe this topic might be something for the wiki.

Maybe you can help me? I have never run a local firewall on my Linux desktop. I have yet to have it explained how, on a system with no services actively listening on any ports, my system is at risk. I appreciate that the few distros I use (Debian and Arch) ship with no firewall enabled by default. That is the way it should be. The user should be the only person making that choice.

  1. You are careful with what you do online and run a minimal application set
    YES
  2. You live alone and have complete control of all the devices in your local network
    YES
  3. You have no iot/smart devices in your network
    Correct, NO smart devices
  4. You never have guests with phones, computer or smart devices
    A couple smart phones in the house
  5. You don’t have a wireless network
    YES, secured

I do have cups running for printing and I realize opening a browser opens ports for data both ways.

If you have nothing listening on any ports(and you verify this on a regular basis), there isn’t much risk.

However, most people have no idea which ports are or aren’t open and virtually anything can open an unprivileged port.

I didn’t claim, “Everyone must run a local firewall”. You need to evaluate your own risk profile. I simply believe that most users should run a local firewall unless there is a strong reason not to.

Let me ask you a question in return. What is the downside in running a local firewall even if you don’t have any open ports? It uses very little resources, should take no maintenance since you have no open ports and provides an additional layer of protection should any ports be inadvertently opened.

Again, I would argue that these answers are not typical for most users. :wink:
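The check that the post above assumes ("nothing listening on any ports, and you verify this on a regular basis"), as an added shell example that is not from the thread: it filters `ss -Hltun` output down to the sockets bound to something other than loopback, which are the only ones another device on the LAN can reach. The `ss` invocation and column layout are those of iproute2; the sample output embedded below is constructed for the example, not captured from a real host, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list the sockets on this machine that are
# reachable from the network, i.e. listening on something other than loopback.
# Uses "ss" from iproute2; the sample below is constructed to show the parsing.
set -eu

# exposed_listeners: read the output of "ss -Hltun" (no header, listening TCP
# and bound UDP sockets, numeric addresses) on stdin and print
# "proto address port" for every socket whose local address is not loopback.
# Field 5 is "addr:port"; the port is the text after the last ':' so IPv6
# literals such as [::]:22 split correctly.
exposed_listeners() {
    awk '
        NF >= 5 {
            n = split($5, f, ":")
            port = f[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $1, addr, port
        }'
}

# audit_listeners: run ss on the live system and report. Returns 1 when
# anything is exposed, so it can sit in a cron job or a login script.
audit_listeners() {
    out=$(ss -Hltun 2>/dev/null | exposed_listeners)
    if [ -n "$out" ]; then
        printf 'exposed listeners:\n%s\n' "$out"
        return 1
    fi
    echo "nothing listening outside loopback"
}

# Constructed sample of "ss -Hltun" output (not captured from a real host):
# cups bound to all IPv4 addresses, a second cups socket on loopback, mDNS on
# UDP, sshd on all IPv6 addresses, and a DNS stub listener on loopback.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:631        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096       127.0.0.54:53         0.0.0.0:*'

# sample_exposed: the filter applied to the constructed sample; prints the
# three sockets a LAN neighbour could reach (cups, mDNS, sshd).
sample_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# Run against the live system only when asked:  ./script --live
if [ "${1:-}" = "--live" ]; then
    audit_listeners
fi
```

On the constructed sample this prints `tcp 0.0.0.0 631`, `udp 0.0.0.0 5353` and `tcp [::] 22`, while the two loopback-only sockets are dropped. A cups socket on 0.0.0.0 is exactly the kind of thing the "I only have cupsd open" argument overlooks: it is open to every device on the network, not just to the local machine. Run with `--live` on a real host (root is not required for `ss` to list sockets, only to show the owning process with `-p`).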

Seeing as how I use cupsd and web browsers as my only ports open on a regular basis, setting up a firewall always seemed redundant and unnecessary. If I do anything remotely “risky” I do it inside a virtual machine running a live ISO.

Redundant isn’t always bad. :wink:

@dalto
I am eager to know your opinion about blocking outgoing ports. Do you block outgoing ports on your machine(s)?