Maybe the open ports are not meant to be accessed.
On Debian derived distributions, installing a software package generally also causes any associated service to be started. For instance, if you install Apache then the web server will be started at installation time. (I personally think this is a really bad idea, but the Debian maintainers have been doing this for a long time and probably won't ever stop.)
The problem with this is that at installation time, it's unlikely that you have already configured the server to operate in the manner you wish. Without a firewall, the service is then open to the world to access in its default configuration, whatever that might be.
By having a host firewall, such a service would not be accessible until you explicitly allowed the ports in the firewall. You would do this only after configuring the service.
A number of reasons -In addition to @MicharlHampton answer mostly security being made up of layers. If something does start running which is not supposed to, a firewall can mitigate the risk.
Maybe the open ports are not meant to be accessed.
On Debian derived distributions, installing a software package generally also causes any associated service to be started. For instance, if you install Apache then the web server will be started at installation time. (I personally think this is a really bad idea, but the Debian maintainers have been doing this for a long time and probably won't ever stop.)
The problem with this is that at installation time, it's unlikely that you have already configured the server to operate in the manner you wish. Without a firewall, the service is then open to the world to access in its default configuration, whatever that might be.
By having a host firewall, such a service would not be accessible until you explicitly allowed the ports in the firewall. You would do this only after configuring the service.
A number of reasons -In addition to @MicharlHampton answer mostly security being made up of layers. If something does start running which is not supposed to, a firewall can mitigate the risk.