ufw package integration

[Jamie Strandboge]

On Thu, 04 Sep 2008, Luke L wrote:

>    Should package integration be disabled by default?

There is confusion as to what 'package integration' actually does. When
I sent the email, this is what it meant:

a) a package can declare itself to ufw via profiles that have various
   port/protocol combinations
b) a user can use profile names in rules in addition to port/protocol
   combinations
c) an administrator can set the 'default application policy' to be one
   of 'skip', 'allow' or 'deny'. This affects what happens when
   'ufw app update --add-new <profile>' is run. 'skip' is the default
   and will *under no circumstances* add any rules to the firewall. Only
   if the default application policy is changed away from 'skip' will
   any rules be added
d) with the above in place, I had written a section in UbuntuFirewall which
   used 'ufw app update --add-new <profile>' in postinst, so that *if* an
   administrator decided to change the default policy to something other
   than 'skip', rules could be automatically added on installation.

However, after posting the email, I decided that using dpkg triggers was
the way to go (thanks Colin Watson!), and as such, 'update --add-new' is
no longer used in Ubuntu packaging, so it is not possible to open any
ports via package integration at this time (when functionality in dpkg
triggers is added, this may change in the future). All applications in
Ubuntu that supply application profiles take advantage of dpkg triggers.

Bottom line: 'a' and 'b' are the common use cases, and using package
integration is completely opt in.

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20080905/62d8d9c0/attachment.pgp