firewalld as default firewall

Feature requests should be specific, realistic, and actionable.

I have been thinking about this for a while now: firewalld should be installed and enabled by calamares, with the firewalld default interface zone set to drop.

Perhaps if you made a calamares module that allows the user to select no firewall, firewalld, ufw etc. However, when one of the two firewalls is selected, make sure the safest settings are set to start on each boot.

Make sure you say what benefit the feature would have.

This would enhance the usability of Manjaro by setting all the basics upon install, so the user doesn't need to install or configure firewalld or ufw. They can even choose to not have a firewall.

I would agree for the Plasma desktop, as it has support built in.
But does any of the other desktop environments, and/or editions, besides Gnome?

Note: Yes, I know firewalld comes with its own, more advanced and granular, configuration GUI (GTK3), and an sni/appindicator system tray applet (python-pyqt5), but it's nice having these kinds of things baked in.

Thanks for the replies. I am aware that in NetworkManager the zones are configurable; however, firewalld itself is not installed during the default install.

That depends on the edition chosen :slight_smile:

No matter how one chooses to approach such a decision, there will always be someone with another opinion.

It is always the user's responsibility - to act responsibly and not to depend on others - persons or entities - to make decisions on their behalf.

Installing an operating system - and which features are enabled and set up as default - will always be a matter of choice.

Instructions

If ufw is present, disable it:

sudo systemctl disable --now ufw

Install firewalld and enable it:

sudo pacman -Syu firewalld
sudo systemctl enable --now firewalld

The default zone in firewalld is public, which is a sane default:

public

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
-- https://firewalld.org/documentation/zone/predefined-zones.html

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

-- https://firewalld.org/documentation/zone/examples.html

If you want your system to be invisible, then change the default zone to drop:

sudo firewall-cmd --set-default-zone=drop

drop

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>

-- https://firewalld.org/documentation/zone/examples.html

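To make the public-vs-drop difference in the instructions above concrete, here is an added example (not from the thread or the firewalld project) that parses the two zone definitions quoted from firewalld.org and reports what each one exposes; the target-to-behaviour mapping is my summary of firewalld's documented zone targets.

```python
import xml.etree.ElementTree as ET

# The two zone files quoted above from firewalld.org, embedded as sample input.
PUBLIC_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>"""

DROP_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>"""

# What firewalld does with an unsolicited packet that matches no rule in the zone.
# A missing target attribute means "default", which rejects (the sender gets an
# ICMP error, so the host is visible); DROP discards silently; ACCEPT filters nothing.
TARGET_BEHAVIOUR = {
    "default": "rejected with an ICMP error (host is visible)",
    "%%REJECT%%": "rejected with an ICMP error (host is visible)",
    "DROP": "silently dropped (host looks invisible)",
    "ACCEPT": "accepted (no filtering)",
}

def parse_zone(xml_text):
    """Return the zone's short name, target and explicitly opened services/ports."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError(f"not a firewalld zone file: <{root.tag}>")
    return {
        "short": root.findtext("short", default=""),
        "target": root.get("target", "default"),
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")],
    }

def describe(zone):
    """One-line exposure summary for a parsed zone."""
    opened = zone["services"] + zone["ports"] or ["nothing"]
    behaviour = TARGET_BEHAVIOUR.get(zone["target"], f"handled by target {zone['target']}")
    return f"{zone['short']}: accepts {', '.join(opened)}; everything else is {behaviour}"

def lost_on_switch(old_zone, new_zone):
    """Services reachable in old_zone that become unreachable after switching the default zone."""
    if new_zone["target"] == "ACCEPT":
        return []
    return [s for s in old_zone["services"] if s not in new_zone["services"]]

if __name__ == "__main__":
    public, drop = parse_zone(PUBLIC_ZONE_XML), parse_zone(DROP_ZONE_XML)
    print(describe(public))
    print(describe(drop))
    print("switching default zone public -> drop closes:", lost_on_switch(public, drop))
```

The same parser works on any file under /usr/lib/firewalld/zones/ or /etc/firewalld/zones/, which is where the zone shown by firewall-cmd --get-default-zone is defined.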

I agree with the OP, for our official editions, firewalld would be a better solution.
Gnome (nm-connection-editor) and KDE (plasma-nm) support it out of the gate.

However, I'm a bit biased, as I never really cared for UFW in the first place, and at this point in time I consider it old and quite antiquated.


For UFW we at least have Gufw, where a common set of rules can be configured (Samba, for example). With firewalld, it has to be set up with the CLI. Not a big deal for those who know how to do it. But the majority of users would be frustrated with %someservice% "not working" for some reason.
There are so many useful programs that can potentially suffer due to stock unconfigured rules of ufw or firewalld. TeamViewer, Unified Remote, Samba, etc.

firewalld has a GUI included. It's maybe not the most intuitive, but it exists.

I just made a fresh install of Manjaro XFCE Edition, and even though UFW is installed by default, it is not enabled by default; the user needs to enable it (via GUFW or the command line) to get an active firewall.

It actually is not that bad: you choose one of the preexisting zone settings and apply it to the desired connections. Besides, Plasma 5 (KDE) and Gnome both already have support for changing the zone settings built right into their native network management applications/applets.

Not only does firewalld come with its own GUI (firewall-config), it also comes with an sni/appindicator system tray applet (firewall-applet).

I did not say it was bad, just not really intuitive, like the applet's "shields up/down zone".
I see the "shields up" tick option in the applet, but not the "shields down".

I wasn't saying that you said that the app was bad, I was saying that intuitively speaking, it wasn't that bad.

OK. Well, at least to me:
Ticked = it's up
Not ticked = it's down.
I'm not exactly sure how that's not intuitive, but I guess I'll give you that one. :wink:

As it's up and down, for me that means 3 modes (down, default, up). It seems I'm wrong.
And it seems there is a bug then, as I defined the default zone for my connection as "home" and in the up and down there were block and public. At boot it's on "home", and yes, after ticking it it's "blocked" and unticked it goes to "public". But at boot it was "home" and unticked, so...

That's interesting, all my systems defaulted to public after install/reboot.
I had to switch my home connection to home myself. Now McDonald's, the hospital, my Dr's office, etc. on my laptop I'd rather have set to public.

I actually changed the setting of my Ethernet connection to "home" in the firewall settings, but did not change the up/down settings of the applet.

That is because there is a running config, which is the one you change, and there is the one applied from /etc/firewalld/firewalld.conf.

For a configuration to survive a reboot you need to set the default zone using firewall-cmd

E.g.

sudo firewall-cmd --set-default-zone=drop

To control the shields up/down, add a file ~/.config/firewall/applet.conf with the content

[General]
shields-down=trusted
shields-up=drop

Yeah, I'm still not sure what that shields up setting is.
It says it's a zone in the applet's manpage, but I can find no other reference for that setting anywhere else in firewalld's documentation.

Setting this to home in plasma-nm, and/or the nm-connection-editor, per connection, also survives a reboot. Why would you want to change the default setting? This is meant for new connections.
(In other words, when I connect to, say, McDonald's wifi with my laptop.)

Because the default public profile is used when no profile is defined.

The public profile allows ssh and ipv6-client and rejects the rest.

The drop profile is a black hole: nothing answers.

Yes, but when I connect to, say, McDonald's wifi, or my Dr's office, or any other network, especially for the first time, with my laptop, then I would want it to default to public.

We all have different preferences.

When I connect to an unknown network, I would like my system to be a black hole - invisible to others, exposing nothing - while still allowing me to use the network.
