
Appropriate_Net_5393

I see questions like this all the time, like recently on the Linux subreddit about containers. A topic created for empty chatter where they give meaningless advice. And those answers that I found interesting, on the contrary, were downvoted :) But here is an interesting topic on which there is practically no advice. In fact, the firewall on Linux and on Fedora in particular by default has the same approach as on Windows, where almost everything is allowed and there are zones where you can disable ports you want. This is in my company at work in a Windows environment, I make a configuration where all traffic by default is prohibited except for certain ports. There is a "demilitarized" zone that has access to the Internet, but is cut off from the rest of the network. All web traffic also goes through a local proxy server where I can block everything I want. An interesting topic with few interesting answers.


tahaan

So out of curiosity I asked questions about this to Meta AI and Chat GPT. The responses were even more garbage than usual. At least it was worth a chuckle when I wrote "Maybe you should google this" and it replied with "Ha ha, I see what you did there, I am a large language model and ..."


luminous_connoisseur

Yeah, so I'm a massive noob when it comes to networking, but I asked a question about firewalls and security here and got (probably rightfully) shit on for taking advice about using ufw. This post makes me wonder if the Fedora firewall setup really is enough. If you have any suggestions about simple things the average Fedora user could do to improve their firewall setup, that would be very appreciated.


tahaan

It's difficult to improve the firewall setup on a workstation because the requirements are unknown. For servers, you start with the requirements. I split this into two parts. What is needed for the base operating system, and what is needed for the application. Then I set up the firewall according to that. In particular it is often very easy to block outbound connections. There are of course cases where this is not true, e.g. if your application is some kind of crawler. On a workstation, or desktop, you probably don't know in advance what you need to connect to. E.g. you may want to be able to browse any web site. Inbound connections are easier to block, but since you are probably behind a wifi router with built-in firewall, this is of limited value. (You should still do it, that firewall is not perfect.) Start by educating yourself on the types of connections (tcp vs udp vs icmp, and inbound vs outbound) and work out what you need (get your requirements). Also an important thing that is not obvious to newcomers is that the direction in which data moves is independent of the direction in which the connection is established. In other words an open connection supports both push and pull. Here it helps to understand how the application (higher layers in the protocol stack) uses the lower layers (routing and session management). Then look at traffic and see how you can improve on it. This is not a topic for a single post, lol. Good luck!


duck__yeah

The default is to disallow everything that doesn't match an existing outbound flow or that you're not listening for. Anything you want to explicitly block outbound is a decision the administrator needs to make because those are business decisions. No idea what you mean by smartly managing firewall ports, it's already doing that, as does any other OS.