Set up firewalls - kdaisho/Blog GitHub Wiki

If you're planning to join a conference such as DEFCON, it's a good idea to enable the firewall on your machine. It is disabled by default even on distributions such as Athena.

  1. Check the status:

     ```sh
     sudo ufw status
     ```

  2. Enable the firewall:

     ```sh
     sudo ufw default deny incoming
     sudo ufw default allow outgoing
     sudo ufw enable
     ```

  3. Print the detailed status:

     ```sh
     sudo ufw status verbose
     ```

  4. Make sure the status survives a reboot!

I noticed that ufw was disabled even though I had enabled it a few weeks ago. So make sure to run this at the end:

```sh
sudo systemctl enable ufw
```

This ensures your firewall rules are applied at startup without you having to manually enable them again.

So - is ufw enable not enough?

  • In many setups, sudo ufw enable also enables the service for auto-start.
  • But in some distributions (or depending on the version), you still need to run sudo systemctl enable ufw to guarantee persistence across reboots. Especially on Arch-based systems like Athena, it's safer to run both:

    ```sh
    sudo ufw enable
    sudo systemctl enable ufw
    ```

How to check if ufw is enabled at boot:

```sh
systemctl is-enabled ufw
```

  • If it returns enabled, you're all set for auto-start.

What these rules do:

  • deny incoming: Blocks all unsolicited inbound connections (e.g., port scans, remote shell attempts)
  • allow outgoing: Allows your device to make outbound connections (e.g., to websites, VPNs, email servers)

Why enable a firewall even if you're not running services?

  1. Defense in depth: You might think you're not running any services, but some apps, daemons, or system components may be quietly listening on a port (e.g., Bluetooth services, DBus, Avahi, etc.).

A firewall makes sure nothing can talk to those ports unless you explicitly allow it. Think of it as a safety net in case something gets enabled or installed without your knowledge.

How does a firewall tell whether an incoming packet is unsolicited or not?

Good point. Whether a packet is unsolicited is context-dependent. Here's how firewalls like UFW determine this in a concrete, rule-based way:

How the firewall decides

Firewalls don't decide based on intent - they look at connection state.

Specifically, UFW uses connection tracking via iptables (or nftables under the hood), which monitors the state of each network packet.

States it tracks:
  • NEW: A brand-new connection attempt
  • ESTABLISHED: Part of an already-approved connection
  • RELATED: Related to an existing connection (e.g., FTP data after login)
  • INVALID: Doesn't match anything and may be malformed

So, when you use this:

```sh
sudo ufw default deny incoming
```

It doesn't block all incoming traffic. It blocks:

  • Incoming packets marked NEW (i.e., unsolicited connection attempts)

and it still allows:

  • Packets marked ESTABLISHED or RELATED

Example: Your browser talking to a website

  1. You open Firefox and connect to example.com
  2. Your laptop sends a NEW outbound request
  3. The server replies -> it's an incoming packet, but:
  • It's part of an ESTABLISHED connection, so UFW allows it

If some random machine on the network tries to ping or scan you:

  • That's a NEW inbound packet not tied to anything you asked for
  • So the firewall blocks it

Question: So, if I start something, it's evaluated as NEW and then I'll get in trouble?

No. You'll only run into trouble when the NEW connection is incoming, meaning something external is trying to reach you. That's what the firewall blocks.

Again:

When you initiate something (like browsing, email, VPN, software updates), it's evaluated as:

  • NEW outbound connection -> allowed (because we set allow outgoing)
  • Responses from the server are ESTABLISHED inbound -> also allowed
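To make the NEW/ESTABLISHED logic above concrete, here is a toy stateful filter that replays the browser and port-scan scenarios from this page. It is an added example, not code from this wiki or from ufw/iptables; the IP addresses and ports are constructed sample values, RELATED and INVALID are not modelled, and it goes one step beyond the text by also showing an explicit inbound allow rule (the equivalent of `ufw allow 22/tcp`).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving our host, "in" = arriving at our host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Toy model of 'default deny incoming / default allow outgoing'.

    Flows our host initiated are remembered; an inbound packet matching a
    remembered flow is ESTABLISHED and allowed. Any other inbound packet is
    NEW and denied unless an explicit inbound allow rule matches its port.
    """

    def __init__(self, allow_in=()):
        self.allow_in = set(allow_in)  # explicit (proto, local_port) holes
        self.flows = set()             # (proto, local_ip, local_port, remote_ip, remote_port)

    def _key(self, pkt):
        # Normalise both directions to the same (local, remote) tuple
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        key = self._key(pkt)
        state = "ESTABLISHED" if key in self.flows else "NEW"
        if pkt.direction == "out":
            self.flows.add(key)        # allow outgoing and remember the flow
            return "ALLOW", state
        if state == "ESTABLISHED" or (pkt.proto, pkt.dport) in self.allow_in:
            return "ALLOW", state
        return "DENY", state           # unsolicited inbound: dropped

def demo():
    """Replays the wiki's two scenarios; addresses are constructed sample values."""
    me, web, scanner = "192.168.1.10", "203.0.113.5", "192.168.1.99"
    fw = StatefulFilter(allow_in={("tcp", 22)})  # as if 'ufw allow 22/tcp' had been run
    events = [
        Packet("out", "tcp", me, 51000, web, 443),      # browser opens a website
        Packet("in", "tcp", web, 443, me, 51000),       # server reply: ESTABLISHED
        Packet("in", "tcp", scanner, 40000, me, 8080),  # probe of a closed port: NEW
        Packet("in", "tcp", scanner, 40001, me, 22),    # probe of the allowed port: NEW
    ]
    return [fw.filter(p) for p in events]
```

Running demo() yields ALLOW/NEW for the outbound request, ALLOW/ESTABLISHED for the reply, DENY/NEW for the probe of port 8080, and ALLOW/NEW for port 22 only because of the explicit rule.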