Out of the box, Ubuntu ships with no TCP or UDP ports open, hence the belief that there's no reason to run Uncomplicated Firewall (ufw) by default. I agree, though, that having ufw disabled is a strange decision. My reasoning being that inexperienced users are feasibly going to install things like Samba, Apache and such like as they experiment with the system put before them. If they don't understand the implications of this, they will expose themselves to malicious bevaviour on the internet.
Example - I've got my laptop configured with Samba which is fine in my home network protected with WPA2. But if I take my laptop to a Starbucks, I might not think anything of it, but that laptop is now advertising my shares to all and sundry. With a firewall, I can restrict my samba ports to only my home server or peer devices. No need to worry as much now about who might be trying to connect to my laptop. Same goes for VNC, SSH, or a huge number of other useful services my laptop might be running, or trying to connect to.
Ubuntu takes a very on/off approach to certain elements of security, a philosophy I can't agree with. Security might be technically on or off, but by layering elements of security over one another, you end up with a better system. Sure, Ubuntu's security is good enough for a large number of use cases, but not all.
Bottom line, run ufw. Better safe than sorry.
Uncomplicated Firewall has a number of graphical front ends, but the simplest is Gufw.
sudo apt-get install gufw
Here, I'm allowing all traffic from specific server VLANs in my corporate environment and I've added a rule to allow the necessary ports for a reverse SSH session to bounce off this machine.
Best Answer
Yes Ubuntu has a firewall installed by default.
The Firewall in Ubuntu is iptables . It also comes with an easy to use command line frontend called UFW (Uncomplicated Firewall).
If you want to change any settings, you can use the graphical front end to that command line front end, GUFW
As for your other question, getting a warning when an application connects to the internet:
I don't know of any programs that do this*, but I have written one. Now, this isn't great quality software - it's a quick hack in fact -but it works all right. You'll notice I haven't packaged it in any way, because I don't have any use for it and I don't think its tested well enough to be deployed on Anything That Matters™
It doesn't even have a name, here's how it looks:
(ignore the German captions, they will be in your local language)
And here's how to use it:
Install Python 3
download it and save it as a file on your computer
Via the file properties, mark it as executable
The program will issue a warning for every application that tries to access the internet. It will not prevent it from doing so, but it'll let you know. You then have the option of putting it on a "White List" of trusted applications, which causes it to not warn you again about this particular program.
If you start it from a terminal, you'll get a few useful messages about what it's doing.
Again I have to stress, even though it works, I haven't tested it properly (i.e. with many users trying it out).
For the purposes of support, you may send me email about it, I don't mind
* It seems UFW is able to do it!
This section is really better suited for someone managing servers than for desktop users:
UFW comes with an Application Filter. It's configuration is a simple text file at
/etc/ufw/applications.d
.To get a list of all the application filters, type
Which should look like this:
To get more details on any one application, type - for example:
More details are available in the relevant Ubuntu help wiki page
As for the question of default configuration: By default, Ubuntu ships with no open ports on public interfaces
Source