sudo ufw limit 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
Did you install ufw and remove firewalld? We use firewalld by default.
As for the rules themselves, you are allowing access to port 80/443 which is generally not a great idea on a desktop OS. Especially if it is a laptop that connects to other networks. Are you running a web server that you want other devices to have access to?
I’ve installed EOS without a firewall, and then I installed UFW. No, I’m not using a web server. If I install EOS with firewalld, I don’t need to do anything; it will work automatically?
Yes. The default configuration blocks all incoming traffic and allows all outgoing traffic. Although, you don’t have to reinstall to make that happen. You can just uninstall ufw, install firewalld and start and enable the firewalld service.
Of course, if you would prefer to use ufw, that is fine too. But you don’t need all those rules. Those allow things you don’t need.
So it is better to install EOS with included firewalld and it is (firewalld) enabled by default and I don’t need to do anything?
You could do that if you wanted to. Although, this would achieve the same outcome:
sudo pacman -Rc ufw
sudo pacman -Syu firewalld
sudo systemctl enable --now firewalld
[marcin@marcin-81de ~]$ sudo systemctl status firewalld
[sudo] hasło użytkownika marcin:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: disabled)
Active: active (running) since Sat 2023-12-02 18:39:52 CET; 27min ago
Docs: man:firewalld(1)
Main PID: 541 (firewalld)
Tasks: 2 (limit: 4551)
Memory: 42.4M
CPU: 1.055s
CGroup: /system.slice/firewalld.service
└─541 /usr/bin/python /usr/bin/firewalld --nofork --nopid
gru 02 18:39:51 marcin-81de systemd[1]: Starting firewalld - dynamic firewall daemon…
gru 02 18:39:52 marcin-81de systemd[1]: Started firewalld - dynamic firewall daemon.
gru 02 19:01:53 marcin-81de systemd[1]: Started firewalld - dynamic firewall daemon.
gru 02 19:02:05 marcin-81de systemd[1]: Started firewalld - dynamic firewall daemon.
[marcin@marcin-81de ~]$
Is this ok?
Looks good to me.
So I don’t have to change to the home zone?
You can if you want to. That will make the firewall less restrictive. (It will allow more things.)
Ok, so I understand that the public zone is safer?
Yes, correct. The public zone allows nothing incoming by default.
[marcin@marcin-81de ~]$ firewall-cmd --get-default-zone
public
Ok, it is public so everything is ok. Thank you Dalto.
firewalld also includes a GUI if you prefer to interact with it that way.
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
This is my ufw. Delete all the rules you have in the default–that’s way too open for my taste. I don’t like firewalld because it leaves stuff open and I have to hunt down all these zones and close them up.
Editorial: I uninstalled firewalld and just used ufw when I discovered Endeavour and was happy as snot…but I fubared something and reinstalled and kept firewalld. Apparently I’m lazy.
That isn’t really how it works.
You shouldn’t lock down all the zones. The point of the zones is that you pick the zone or zones you want to use and set those to your liking. You can ignore the others.
By default it ships with the public zone enabled which blocks all incoming traffic. So, if you do nothing at all, it works exactly as your ufw is configured.
The biggest challenge people have with firewalld is that they try to use it the same way they would use ufw. However, while it can be used that way, that isn’t the way it is intended to be used.
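Dalto's point above (pick one zone, look at what that zone admits, leave the rest alone) as a quick audit of a zone dump. This is an added example, not code from the thread or from the firewalld project; the zone dump it parses is a constructed sample, and the only real command assumed is `firewall-cmd --list-all`.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the firewalld project.
# Lists every inbound opening granted by a firewalld zone dump, i.e. the
# text printed by `firewall-cmd --list-all` (one line per service, port or
# rich rule; nothing printed when the zone admits no inbound traffic).
# On a real host:  firewall-cmd --list-all | zone_openings
zone_openings() {
  awk '
    /^ *services:/   { sub(/^ *services: */, ""); for (i = 1; i <= NF; i++) print "service " $i; next }
    /^ *ports:/      { sub(/^ *ports: */, "");    for (i = 1; i <= NF; i++) print "port " $i;    next }
    /^ *rich rules:/ { inrich = 1; next }      # every line after this header is a rich rule
    inrich           { sub(/^[ \t]+/, ""); if ($0 != "") print "rich " $0 }
  '
}

# Summarise a dump: zone name plus number of openings. Returns non-zero when
# the zone admits anything, so it can gate a script that checks the host is
# as closed as the default public zone the thread describes.
audit_zone() {
  local dump="$1" zone n
  zone=$(printf '%s\n' "$dump" | head -n 1 | cut -d' ' -f1)
  n=$(printf '%s\n' "$dump" | zone_openings | wc -l | tr -d ' ')
  printf 'zone=%s openings=%s\n' "$zone" "$n"
  [ "$n" -eq 0 ]
}

# Constructed sample dump (not captured from any poster's machine): a public
# zone with two services and one hand-opened port, so the audit finds things.
SAMPLE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Expected: three lines (service dhcpv6-client, service ssh, port 8080/tcp)
# and a non-zero status from audit_zone.
printf '%s\n' "$SAMPLE_DUMP" | zone_openings
audit_zone "$SAMPLE_DUMP" || echo "zone admits inbound traffic: review the list above"
```

Run against the live dump of the active zone with `firewall-cmd --list-all | zone_openings`; an empty result matches the "nothing incoming" state discussed above.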
Your last sentence: SPOT ON. I admit I have not spent enough time trying to learn how to control firewalld to my liking because, to me, it’s a large intimidating program…and as you say, when I just had the simple ufw config life was easier.
Without digressing anymore I do need to make time to find a “firewalld for dummies” article instead of complaining–I can admit that. I can’t understand man pages without some context, so reading for another day.