Why use ufw if the ports are closed by default

Aviv Lo asked:

My question is why use a firewall like ufw if most of the ports are closed by default and the open ones are mean to be accessed.

My answer:

Maybe the open ports are not meant to be accessed.

On Debian derived distributions, installing a software package generally also causes any associated service to be started. For instance, if you install Apache then the web server will be started at installation time. (I personally think this is a really bad idea, but the Debian maintainers have been doing this for a long time and probably won’t ever stop.)

The problem with this is that at installation time, it’s unlikely that you have already configured the server to operate in the manner you wish. Without a firewall, the service is then open to the world to access in its default configuration, whatever that might be.

By having a host firewall, such a service would not be accessible until you explicitly allowed the ports in the firewall. You would do this only after configuring the service.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.