ufw package integration
Didier Roche
didrocks at gmail.com
Fri Sep 5 07:51:34 BST 2008
(Sorry for the top post, as Gmail seems to be used to it...)
On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
> > Not listening is sufficient - that is the point
> > Having a firewall that is automatically updated as packages are installed is
> > dangerous. This is similar to UPnP and not the right way to do security
> >
> > By having all packages automatically update the firewall - you may as well
> > not have a firewall
> >
> > Just because a HTTP server is installed it doesn't mean that it should be
> > accessible. The decision to open the firewall should be a separate action
> >
> > Often packages get installed that are only intended to be accessed via a
> > single interface on machines with multiple interfaces or via local host ONLY
> >
> > It really defeats the purpose of having a firewall if the ports are opened
> > automatically
>
Hum, no. From what I understand, ufw allows different application policies
for package integration. The default policy is SKIP[1], so no rules are
automatically added to the firewall. You can set it to ALLOW or DENY to
automatically add rules to your firewall when installing a package.
My tests when working on adding ufw integration to various packages
confirmed that.
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.
>
>
Yes, the subject has diverged. Now that the previous point is - I think -
solved, let's go on to the closing port question when removing/purging a
package.
Didier
[1] https://wiki.ubuntu.com/UbuntuFirewall#Package%20Integration