Firewall default settings/config after fresh install Fedora 37 WS

What are the default settings/config/setup after a fresh install of Fedora 37 WS? Which ports are open by default?

I never touched the firewall after a fresh install of Fedora 37 WS.

firewall-cmd --get-active-zones
FedoraWorkstation
interfaces: enpxxxxxxxx

firewall-cmd --list-ports --zone=FedoraWorkstation
1025-65535/tcp 1025-65535/udp

This means most relevant ports UDP and TCP 1025-65535 are open. Shouldn’t they be closed by default?

I installed ufw (ufw - program for managing a netfilter firewall) to have it less complicated.

sudo ufw status
Status: inactive

Is ufw a front-end to iptables similar to firewall-cmd? Or something different?

Is iptables a different technique to netfilter?

1 Like

This is a known issue:
https://pagure.io/fesco/issue/1372

You can solve it by changing the default zone:

sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --reload

2 Likes

The higher ports are open because users expect to install any software that uses those ports and have it work. Everything including instant messengers, VOIP, games, file sharing, databases. Regardless if it’s in Fedora repos and configured with proper policies, or if it’s a random binary they downloaded—if it doesn’t work, it’s Fedora’s fault.

If you want to close them, you can either edit the FedoraWorkstation zone, or change the default zone (for the correct interfaces) to whatever is appropriate (e.g. public or home).

See here for some prior discussion.


Firewalld is slightly different conceptually but not difficult to use. I suggest reading Using firewalld :: Fedora Docs and installing firewall-config GUI.

ufw and firewalld are both iptables-based. Arch wiki has a decent overview of firewall types.

iptables (older) and nftables (newer) both use the netfilter framework in Linux kernel.

1 Like
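An added example, not part of any post in this thread: a POSIX shell check that parses the `firewall-cmd --list-ports` output format quoted in the question and reports entries that open more than a chosen number of ports. The function names `wide_ranges` and `audit_zone`, the threshold of 100, and the extra `8080/tcp` sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Flag wide port ranges in the output of `firewall-cmd --list-ports`.
# Input format (as quoted in the question): space-separated PORT/PROTO or
# START-END/PROTO tokens, e.g. "1025-65535/tcp 1025-65535/udp".

# wide_ranges MAX_WIDTH "PORT_LIST"  (hypothetical helper)
# Prints "<entry> <number of ports>" for each entry opening more than
# MAX_WIDTH ports.
wide_ranges() {
    max=$1
    for entry in $2; do
        spec=${entry%/*}                      # strip "/tcp" or "/udp"
        case $spec in
            *-*) start=${spec%-*}; end=${spec#*-} ;;
            *)   start=$spec; end=$spec ;;
        esac
        # Skip malformed tokens: both bounds must be purely numeric.
        case $start in ''|*[!0-9]*) continue ;; esac
        case $end   in ''|*[!0-9]*) continue ;; esac
        width=$((end - start + 1))
        if [ "$width" -gt "$max" ]; then
            printf '%s %s\n' "$entry" "$width"
        fi
    done
}

# audit_zone ZONE [MAX_WIDTH]  (hypothetical helper)
# Runs the same check against a live zone; requires firewalld, so it is
# defined here but not called on the sample below.
audit_zone() {
    wide_ranges "${2:-100}" "$(firewall-cmd --zone="$1" --list-ports)"
}

# Constructed sample: the FedoraWorkstation output from the question plus
# one constructed single-port entry that should not be flagged.
SAMPLE='1025-65535/tcp 1025-65535/udp 8080/tcp'
wide_ranges 100 "$SAMPLE"
```

On a live system, `audit_zone FedoraWorkstation` applies the same check to the zone discussed above.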

Frankly, the firewall included with Fedora is very … lackluster, to avoid using stronger words. It is confusing, unclear, weird, and just doesn’t do the job well. Ufw is FAR, FAR better. Just sudo ufw deny incoming and voila – you got yourself a firewall that blocks incoming requests. Use ufw.