You've got it backwards. A firewall blocks everything, then you open up the ports you want to use. A standard config would allow everything going out, and block everything coming in (unless you initiated that connection, then it is allowed).

So the question you should be asking, is what services do you think you're going to be running on your desktop that you plan to allow anyone on the internet to get to?

If you really need one take white list approach. Block everything you don't need and only open what you need. Have fun finding out what you need.

By default it should be configured to allow all outgoing, and block all incoming. That's perfectly fine for a desktop/laptop and you don't need to mess with it.

You can't really do that much outgoing filtering with a firewall that will be useful, because basically everything operates on port 80/443, and often connects to the same CDNs or datacenter IPs for multiple services.

Instead DNS blocking is a much more effective way to handle it, plus uBlock Origin in your browser.

Lots of good answers here but I'll toss in my own "figure out what you need" experience from my first firewall funtime. (Disclaimer: I used nftables -- it should be similar to ufw in terms of defaults though).

• Right off the bat, everything unneeded was blocked. I "needed" no configuration, except for maybe...
• Whatever CUPS runs on (when I use it)
• Sometimes I ran python -m http.server -- I unblocked port 8000 for personal use.
• I chose to unblock port 53 (DNS). I wanted to connect to another computer via hostname IIRC (e.g. connecting to raspberry-pi.local. I might be misremembering this though).
• At one point I played with NGINX -- that's port 80 (HTTP) and port 443 (HTTPS).
• SSH was already permitted (port 22 -- you need root access to enable traffic through ports below 1024 anyway so this wasn't an issue for running typical apps)

I didn't use WireShark back then, really. I think I just ran something like

sudo lsof -nP -iTCP -sTCP:LISTEN

which showed me a bunch of port traffic (mostly just harmless language servers).

You don't have to dive to deep into all the "egress" and "ingress" and whatnot unless you're doing something special. Or your software uses a weird port. (LocalSend lol)

Worth noting that if you're trying to block telemetery or ads or things like that, using an adblocking dns is probably the better option. Either through a pihole on your network or some online adblocking dns.

Other than that, if you're looking for one because you think you "need" one, don't worry too much if it's just a personal computer connected to a router. Most distros ship with sensible defaults for security.

If you actually want to use a firewall, block all incoming and allow all outgoing is a reasonable rule of thumb if you aren't running a server. Note that "block incoming" doesn't block connections that the system itself started.

You should block everything, except the things you want to get through. A firewall (at least in Linux) blocks everything inbound by default.

What can I do to see the intetnet traffic from individual apps

Wireshark

what I might want to block?

One strategy is to block everything, and open ports as needed. Beware that most guides focus on inbound traffic, whereas you seem to be focusing on outbound traffic.

UFW

This is just my personal computer and I'm a newbie to configure firewalls

Leave it alone.

If you want to experiment, set up a VM and experiment there.

Also, if you want to learn about Linux firewalls, go for iptables instead. UFW is easier, yes, but you won't get the standard way of configuring a Linux firewall, though to be honest, unless you are directly connecting the computer to the internet, you probably won't need to bother.

And if you are working in an environment where you are dealing with a segmented network with limited access between segments, they will probably already use a separate firewall that is easier to manage centrally than induvidual firewalls running on individual computers

You don't need a firewall on the LAN. It is just an annoyance to have to open ports later. Extra bureaucracy without benefits. This isn't Windows, you can can easily control your processes, choose if they bind to the network interface and on which port.

A firewall by default blocks everything coming from outside going in (without being requested).
Firewalls can also block traffic going out from your PC to the internet. In a company where you need to protect against data exfiltration by employees, and as a last resort safeguard against malware communicating with outside servers, you want that. In that case, a security expert makes a detailed plan of all installed software, to determine what needs to connect from which internal IP to which external IP over which port. Then all other outbound traffic is blocked. This needs to be adjusted constantly, every time a new software is installed or an update changes a software's requirements. It's a full-time job.

On a home PC running Linux, that's absolute overkill. There are no untrusted users in your home and you're probably not the target for a directed attack by skilled actors. So just leave ufw on default, which blocks all inbound traffic and allows all outbound.

I think you might be looking for something like OpenSnitch.

In a nutshell,

• Use wireshark

• See if theres any weird connections going on (i.e you visit pancakes.com and wireshark shows unrelatedsite.com making a request as well)

• Block unrelatedsite.com

"What about firewalls?"

Block from ports 1000 'till the very end (65565 if I'm not mistaken.) -- that is your "bread and butter" approach.

"W-what if I'm using a port past 1000?"

Nah, you (very likely) aren't and never will.

You don't need a firewall on a typical desktop computer. You only need them on routers and servers.

That is because your personal computer is not actually on the internet. It is on a local network (LAN) and it talks only to your router. The router is the computer connected to the internet, and it has a firewall.

The question highlights a classic misunderstanding about networking that IMO should be better addressed. I was like OP once, and panicking about this pointlessly.

Addendum: You're all replying to OP as if they're a sysadmin managing a public-facing server. But OP says clearly that they're just a beginner on a PC - which will almost certainly be firewalled by their router. We should be encouraging and educating people like this, not terrorizing them about all the risks they're taking.

I would advise that you ignore a lot if the advise here and do your own research. You probably don't need a local Firewall and if you want to block content use DNS and browser extensions

the command ss shows connections