ufw package integration

[Jamie Strandboge]

On Wed, 03 Sep 2008, Steve Langasek wrote:

> On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> > With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> > application (package) integration. This allows packages to declare their
> > ports and protocols to ufw, so user's can specify an application profile
> > when adding and removing rules. Application profiles can be thought of
> > as simply port/protocol groups that are referenced by name.
> 
> > For example, when apache is installed, it could add a file to
> > /etc/ufw/applications.d which declares it as running on tcp port 80.
> 
> If the files are installed in /etc/, then they have to be config files
> (conffiles or otherwise).  Config files are left installed when packages are
> removed, and deleted only on package purge.  How does this design prevent
> leaving ports open when the package that they legitimately correspond to is
> no longer installed?
> 

This is (of course) correct. If the user decides to create a rule using
the profile, then on removal or purge the rule is not removed.
Application rules are no different than regular rules in this regard.
Eg, these are equivalent:

# ufw allow 80/tcp
# ufw allow Apache

ufw tries to not make firewall policy decisions on behalf of the user on
package installation, and does not open any ports on package install. As
such, just like opening tcp port 80 is opt in, using application profile
'Apache' is also opt in.

ufw handles the purge of an application gracefully and will still
display the rule via 'ufw status' as if the package was still installed.

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20080905/7cabdc14/attachment-0001.pgp