BLU Discuss list archive



[Discuss] Port Scanning



On Sat, 17 Aug 2024 11:05:40 -0700
Kent Borg <kentborg at borg.org> wrote:

> I seem to remember someone saying that firewalls don't fail "off", or 
> something like that.
> 
> Well, on a Linode machine I have, running very standard Debian, with
> no real customizations, I noticed today the firewall was off:

That was me; and the context was border firewalls, not host or
"personal" firewalls. Border firewalls do indeed fail off: if a
firewall node faults, or if it is powered off or disconnected, all
traffic routed through it stops.

how-EV-ver...

UFW is not a firewall. The firewall is the kernel Netfilter packet
filter system. UFW is a simplified front end to Netfilter, replacing
the iptables command for basic host firewall management. Netfilter is
always "on" while the kernel is running even when no rules are applied,
and therefore it cannot fail or fault per se.

UFW is disabled by default on Ubuntu; YMMV with other distros which use
it. This is not a failure/fault state of Netfilter: it is on; but it
has not been configured with any rules. It is the operator's
responsibility to enable the UFW or other firewall rules service, if
desired, and to configure and test firewall rules.

If you were to configure a Linux box as a border firewall then it would
behave the same as any other border firewall system: if the machine
fails or faults, or if the firewall rules service is not started, then
no traffic will pass through.

Note: on systemd-based systems, the enable keyword does not start the
service immediately. You need the --now switch or two commands:

  systemctl enable --now ufw.service

or

  systemctl enable ufw.service
  systemctl start  ufw.service

-- 
\m/ (--) \m/
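The reply above draws two distinctions worth checking on a host rather than remembering: a unit that is "enabled" is not necessarily "active" (the --now point), and a kernel with no Netfilter rules loaded is not a failed firewall but an unconfigured one. The script below is an added example, not code from the list post or from the UFW project; it classifies a host from the text that `systemctl is-enabled`, `systemctl is-active` and `iptables -S INPUT` print. The sample outputs embedded in it are constructed so it runs offline; on a live Debian host you would pass the real command output instead.

```shell
#!/bin/sh
# Added example (not from the list post). Classifies a host's UFW and
# Netfilter state from command output strings so the check runs offline.
# The sample strings below are constructed, not captured from a real host.

# classify_ufw ENABLED ACTIVE
#   ENABLED: output of `systemctl is-enabled ufw.service` (enabled/disabled/...)
#   ACTIVE:  output of `systemctl is-active ufw.service`  (active/inactive/...)
# Prints one of: running, enabled-not-started, not-enabled
classify_ufw() {
    enabled="$1"; active="$2"
    if [ "$active" = "active" ]; then
        echo running
    elif [ "$enabled" = "enabled" ]; then
        # `systemctl enable` without --now: the unit only starts on next boot
        echo enabled-not-started
    else
        echo not-enabled
    fi
}

# filter_rules_present RULES
#   RULES: text of `iptables -S INPUT`. Returns 0 when the INPUT chain holds
#   at least one rule beyond its policy line, 1 otherwise. Netfilter itself is
#   always loaded; "no rules" is what an operator perceives as "firewall off".
filter_rules_present() {
    printf '%s\n' "$1" | grep -q '^-A INPUT'
}

# input_policy RULES: prints the INPUT chain default policy (ACCEPT/DROP/...)
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P INPUT \(.*\)$/\1/p'
}

# Constructed sample of `iptables -S INPUT` on a host where UFW was never
# started: only the policy line, default ACCEPT, nothing filtered.
SAMPLE_NO_RULES='-P INPUT ACCEPT'

# Constructed (abbreviated) sample after `ufw enable`: policy DROP plus the
# jump rules UFW installs into the INPUT chain.
SAMPLE_UFW_RULES='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# report ENABLED ACTIVE RULES: one-line verdict suitable for a host check
report() {
    state=$(classify_ufw "$1" "$2")
    if filter_rules_present "$3"; then
        rules=yes
    else
        rules=no
    fi
    echo "ufw=$state rules_in_INPUT=$rules policy=$(input_policy "$3")"
}

# Demo runs over the constructed samples: the middle line is the case the
# post warns about (enabled, but never started, so no rules are applied).
report disabled inactive "$SAMPLE_NO_RULES"
report enabled  inactive "$SAMPLE_NO_RULES"
report enabled  active   "$SAMPLE_UFW_RULES"
```

On a real host the three inputs come from `systemctl is-enabled ufw.service`, `systemctl is-active ufw.service` and `iptables -S INPUT` (run as root); a verdict of `enabled-not-started` with `policy=ACCEPT` and no rules is exactly the state a plain `systemctl enable ufw.service` leaves behind until the next boot.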