Please explain how enabling a firewall (following the example you gave, sudo ufw enable) without configuring it (and then configuring it how?) does anything at all.
I am not against firewalls on workstations, but if you use one you have to open outgoing http, https, ntp, dhcp, smtp submission, imap, this, that, foo, bar, qux.
So if someone r00ts your box they can upload your data / control your b0x via 443. Smooth.
Why the firewall then?
On Qubes OS the firewall makes sense, as you have one VM for "email" and that email VM can talk to mail.gmail.com 465 and 993 and that's it. If someone r00ts that VM the attacker can still send out data by just sending mails with his own gmail. But if they try another port, you can log that. It's much more likely that they will try 443 first, so you could script something to just stop the network in this case so you can investigate.
Why do we even need firewalls, on servers as well?
Let's say I install a new Debian on a server. Then I
apt install apache2 mariadb-server php-fpm
and setup wordpress.
By default mariadb (for whatever dumb reason) listens on 0.0.0.0. If I don't notice that, THAT'S what a firewall is for.
Other than that you can filter outgoing traffic, and hope that the r00tkit tries to go out via IPs / ports that you blocked. In this case this will show up in the logs IF you configured your firewall to log rejected packets. Then you can feed that to a SIEM.
Anyone doing that on Mint?
Imho firewalls on workstations are total nonsense unless you run Qubes, because iptables/nftables can't firewall based on processes (as in let thunderbird only talk to gmail.com 465 993).
So a firewall on Mint is kinda... meh.
Just portscan your own box every now and then. Helps more in my opinion.
On the other hand if you play around a lot and install mariadb-server on your workstation, and then forget to configure it to listen on 127.0.0.1, ok, then maybe install a firewall. Set it up to block everything incoming. That doesn't hurt, granted. If you hang out in untrusted networks a lot I mean. For regular browsing from your apartment where you live with your gf, not too much gain.
Had to rant a bit when I read "firewall" in a workstation security thread
I think oftentimes people misunderstand what firewalls are actually for. If traffic is incoming, but there are no open ports to the world, you don't need a firewall. If you filter outgoing, it's kinda nonsense as on your workstation you DO allow outgoing 22, 443 and all of the other stuff, so exfiltration and C&C (command and control server communication) is not a problem, with or without firewalls.
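The three concrete things the post above touches on (finding a service like mariadb bound to 0.0.0.0, reading the "rejected packets" log if you did turn logging on, and what a "configured" ufw actually looks like for a workstation versus a server with egress filtering) as one added shell example. This is not code from the original post. The `ss -tlnp` output and the UFW kernel log lines are constructed samples for the example, the host names, addresses and PIDs in them are made up, and the two `ufw_*_policy` functions are defined but not run here because they need root and a real ufw install.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Constructed `ss -tlnp` output: what a box looks like right after
# "apt install apache2 mariadb-server php-fpm" plus sshd and cups.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mariadbd",pid=1234,fd=20))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1300,fd=4))
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*         users:(("php-fpm8.2",pid=1400,fd=7))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=900,fd=8))
LISTEN 0      128    *:22                *:*               users:(("sshd",pid=700,fd=3))'

# Constructed UFW log lines (format as written by the kernel with `ufw logging on`):
# line 1: outbound SYN to 443 blocked, line 2: inbound probe of 3306 blocked,
# line 3: outbound to 4444 blocked. Only 1 and 3 left the host via an interface.
SAMPLE_UFW_LOG='Mar  3 09:12:01 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=40122 DPT=443 SYN URGP=0
Mar  3 09:12:07 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TTL=50 PROTO=TCP SPT=55000 DPT=3306 SYN URGP=0
Mar  3 09:12:09 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=40130 DPT=4444 SYN URGP=0'

# 1. The "portscan your own box" check done from the inside: read `ss -tlnp`
#    output on stdin and print "port process" for every socket bound to all
#    interfaces (0.0.0.0, [::] or *). Loopback-only sockets are skipped.
exposed_listeners() {
    awk '
        NR == 1 { next }                         # skip the ss header line
        {
            la = $4                               # "Local Address:Port" column
            n = split(la, parts, ":")
            port = parts[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = "?"
                if (match($0, /"[^"]+"/))        # first quoted name in users:(...)
                    proc = substr($0, RSTART + 1, RLENGTH - 2)
                print port, proc
            }
        }'
}

# 2. Pull the outbound rejects out of UFW block logs (stdin): prints
#    "DST DPT PROTO" for [UFW BLOCK] lines that have a non-empty OUT=
#    interface, i.e. connections the host itself tried to open.
ufw_blocked_out() {
    awk '
        /\[UFW BLOCK\]/ {
            out = ""; dst = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "OUT=") == 1)   out   = substr($i, 5)
                if (index($i, "DST=") == 1)   dst   = substr($i, 5)
                if (index($i, "DPT=") == 1)   dpt   = substr($i, 5)
                if (index($i, "PROTO=") == 1) proto = substr($i, 7)
            }
            if (out != "") print dst, dpt, proto
        }'
}

# 3. What "configuring it" means. Not run here: needs root and ufw.
ufw_workstation_policy() {
    ufw default deny incoming      # the only thing a workstation firewall buys
    ufw default allow outgoing     # egress stays open, as the post says
    ufw logging on                 # without this nothing lands in the log
    ufw --force enable             # --force skips the "may disrupt ssh" prompt
}
ufw_server_egress_policy() {
    ufw default deny incoming
    ufw default deny outgoing      # then open only what the host needs
    ufw allow out 53               # DNS
    ufw allow out 123/udp          # NTP
    ufw allow out 80/tcp           # apt mirrors
    ufw allow out 443/tcp
    ufw allow in 22/tcp            # admin access
    ufw allow in 80/tcp            # the web server itself; 3306 stays closed
    ufw logging on
    ufw --force enable
}

# Run the two read-only checks on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_blocked_out
```

On a real host, replace the samples with `ss -tlnp | exposed_listeners` and `grep 'UFW BLOCK' /var/log/ufw.log | ufw_blocked_out`; the second one only shows anything if logging was switched on before the event, and with the server policy above a hit on 443 or 4444 from the web host itself is exactly the kind of line worth forwarding to a SIEM.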