[ubuntu-hardened] ufw package integration

Jamie Strandboge jamie at canonical.com
Tue Aug 19 22:05:44 BST 2008


With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
application (package) integration. This allows packages to declare their
ports and protocols to ufw, so users can specify an application profile
when adding and removing rules. Application profiles can be thought of
as simply port/protocol groups that are referenced by name.

For example, when apache is installed, it could add a file to
/etc/ufw/applications.d which declares it as running on tcp port 80.
Users could then do:
$ sudo ufw allow Apache

The equivalent non-profile command is:
$ sudo ufw allow 80/tcp

While this is somewhat more convenient for users, things get more
interesting when packages declare multiple profiles, e.g. 'Apache',
'Apache Secure' and 'Apache Full', which could correspond to 80/tcp,
443/tcp and 80,443/tcp respectively. This becomes even more useful when
an application has several port/protocol combinations, such as Samba,
which might declare 137,138/udp and 139,445/tcp.

ufw also allows changing a profile, then updating all rules referencing
the profile. E.g., say an administrator adds a profile called 'Custom Web
App', which listens on 8080/tcp. A user then runs "ufw allow 'Custom Web
App'". Later the administrator adds 8081/tcp. A user can then run "ufw
app update 'Custom Web App'", which will update the firewall to allow
both 8080/tcp and 8081/tcp.

Finally, ufw can be configured to automatically add a rule when a user
runs 'ufw app update --add-new <profile>'. The policy for the new rule is
configured using 'ufw app default <policy>', where <policy> is one of
'skip', 'allow' or 'deny'. The default is 'skip', which does not add a
new rule automatically.
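The profile files and the 'app update' step described above, as an added example that is not ufw's own code: it parses constructed profile files in the INI layout ufw reads from /etc/ufw/applications.d, expands each profile to its port/protocol rules, and works out what an update must add or delete. The sample profiles and function names are mine; the ',' and '|' separators in ports= are the ones ufw's profile format uses.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the layout of /etc/ufw/applications.d files: one section
# per profile; in ports=, ',' separates ports and '|' separates port/proto groups.
SAMPLE_PROFILES = """
[Apache]
title=Web Server
description=Apache v2 web server
ports=80/tcp
[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server
ports=80,443/tcp
[Samba]
title=LanManager-like file/printer server
description=Samba file and printer sharing
ports=137,138/udp|139,445/tcp
"""

def expand_ports(spec: str) -> List[str]:
    """'137,138/udp|139,445/tcp' -> ['137/udp', '138/udp', '139/tcp', '445/tcp']."""
    rules = []
    for group in spec.split("|"):
        ports, proto = group.strip().rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        for port in (p.strip() for p in ports.split(",")):
            # accept a single port or an inclusive low:high range, reject anything else
            bounds = port.split(":")
            if len(bounds) > 2 or not all(b.isdigit() and 1 <= int(b) <= 65535 for b in bounds):
                raise ValueError(f"bad port in profile: {port!r}")
            rules.append(f"{port}/{proto}")
    return rules

def parse_profiles(text: str) -> Dict[str, List[str]]:
    """Map each profile name to its expanded port/proto rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: expand_ports(cp.get(name, "ports")) for name in cp.sections()}

def equivalent_commands(profiles: Dict[str, List[str]], name: str, action: str = "allow") -> List[str]:
    """Non-profile ufw commands equivalent to 'ufw <action> <name>'."""
    return [f"ufw {action} {rule}" for rule in profiles[name]]

def profile_update(old_rules: List[str], new_rules: List[str]) -> Tuple[List[str], List[str]]:
    """Rules 'ufw app update' must add and delete when a profile's ports change."""
    old, new = set(old_rules), set(new_rules)
    return sorted(new - old), sorted(old - new)
```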

Technically, groupings are accomplished by using the iptables '-m
comment' option. All grouped rules have the same comment which
references the profile name, which avoids collisions. Added rules still
remain after profile removal and users can delete rules referencing
these removed profiles. Application integration can be used with ufw's
simple and extended syntax. See 'man ufw' and [1] for details and status.

Help is needed in adding profiles to various packages. The changes
needed and testing procedures are documented in [2], while some targeted
packages are listed in [3]. This is a great way to get involved and
improve one's packaging skills. Please create new bug reports with
debdiffs attached, and I or someone from the Ubuntu Server team can
upload the updated package.

Thanks and enjoy!

Jamie

[1] https://wiki.ubuntu.com/UbuntuFirewall
[2] https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages
[3] https://wiki.ubuntu.com/ServerTeam/Roadmap#UFW%20Package%20Integration

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/