What are the default settings/config/setup after a fresh install of Fedora 37 WS? Which ports are open by default?
I never touched the firewall after a fresh install of Fed 37 WS.
firewall-cmd --list-ports --zone=FedoraWorkstation
This means most relevant ports UDP and TCP 1025-65535 are open. Shouldn’t they be closed by default?
I installed ufw (ufw - program for managing a netfilter firewall) to have it less complicated.
sudo ufw status
Is ufw a front-end to iptables similar to firewall-cmd? Or something different?
Is iptables a different technique to netfilter?
This is a known issue:
You can solve it by changing the default zone:
sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --reload
The higher ports are open because users expect to install any software that uses those ports and have it work. Everything including instant messengers, VOIP, games, file sharing, databases. Regardless if it’s in Fedora repos and configured with proper policies, or if it’s a random binary they downloaded—if it doesn’t work, it’s Fedora’s fault.
If you want to close them, you can either edit the FedoraWorkstation zone, or change the default zone (for the correct interfaces) to whatever is appropriate (e.g. public or home).
See here for some prior discussion.
Firewalld is slightly different conceptually but not difficult to use. I suggest reading Using firewalld :: Fedora Docs and installing
ufw and firewalld are both iptables-based. Arch wiki has a decent overview of firewall types.
iptables (older) and nftables (newer) both use the netfilter framework in Linux kernel.
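An added example, not part of any post in this thread: a small shell function that takes the text printed by the firewall-cmd --list-ports command quoted above and reports every entry that opens a large range of ports. The function name, the 1024-port threshold and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag wide port ranges in `firewall-cmd --list-ports` output.
# Entries are space-separated and look like "443/tcp" or "1025-65535/udp".

# wide_ranges PORTLIST [THRESHOLD]
# Prints "entry count" for each entry opening at least THRESHOLD ports.
# THRESHOLD defaults to 1024 (an assumed cut-off, not a firewalld setting).
# The body runs in a subshell so its variables stay local.
wide_ranges() (
    list=$1
    threshold=${2:-1024}
    set -f                          # no filename globbing while splitting
    for entry in $list; do
        spec=${entry%%/*}           # "1025-65535" or "443"
        case $spec in
            *-*) lo=${spec%-*}; hi=${spec#*-} ;;
            *)   lo=$spec;      hi=$spec ;;
        esac
        # Ignore anything that is not a plain numeric port or range.
        case $lo in ''|*[!0-9]*) continue ;; esac
        case $hi in ''|*[!0-9]*) continue ;; esac
        count=$(( $hi - $lo + 1 ))
        if [ "$count" -ge "$threshold" ]; then
            printf '%s %s\n' "$entry" "$count"
        fi
    done
)

# Constructed sample, matching the ranges described in the thread
# (UDP and TCP 1025-65535 open in the FedoraWorkstation zone).
SAMPLE_PORTS='1025-65535/udp 1025-65535/tcp'
wide_ranges "$SAMPLE_PORTS"

# On a live system, feed it the real zone instead:
#   wide_ranges "$(firewall-cmd --list-ports --zone=FedoraWorkstation)"
```

An empty result means no single entry in the zone opens 1024 or more ports; services enabled with --add-service are not included in --list-ports and need a separate look.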
Frankly, the firewall included with Fedora is very … lackluster, to avoid using stronger words. It is confusing, unclear, weird, and just doesn’t do the job well. Ufw is FAR, FAR better. Just
sudo ufw default deny incoming and voila – you got yourself a firewall that blocks incoming requests. Use ufw.