[ubuntu-hardened] ufw package integration
jdinkel at gmail.com
Thu Sep 4 15:58:40 BST 2008
On Thu, Sep 4, 2008 at 5:11 AM, Didier Roche <didrocks at gmail.com> wrote:
> 2008/9/4 Nicolas Valcárcel <nvalcarcel at ubuntu.com>
>> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
>> > How does this design prevent leaving ports open when the package that
>> > they legitimately correspond to is no longer installed?
>> I think we can (if it's not already preventing it) add a command
>> on .postrm that disables it on ufw. In the end these files are just for
>> declaring profiles, not enabling or opening any port; they just describe a
>> service's ports so the user doesn't need to care about them, just enable
>> that service on ufw. So we don't need to care about those files opening
>> any port, but about disabling them on ufw after removing.
> The issue is more complex than that, because you do not know which profile
> is currently loaded (there can be more than one profile per package;
> a typical example is Apache, which has 3 profiles: one for port 80, one for
> 443 and the last one for both of them).
> An idea might be to force (without watching for the error in case the
> profile is not associated to a rule) the removal of the corresponding rules
> by doing "sudo ufw delete allow <profile>" on all profiles of the package
> (and even "sudo ufw delete deny <profile>"/"sudo ufw delete limit
> <profile>"; maybe a "sudo ufw delete any_policy <profile>" would be a good
> new command).
> What is the case if another package uses the same port and had it opened
> (with ufw profile integration)? Is the port still open on the firewall
> (which is what we really want)?
I would say leave the ports open and leave the profile files. Leave it up
to the user to manage the firewall. If the package is removed, it's not
going to be listening on those ports any more anyway.
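The postrm cleanup Didier sketches, as an added example that is not code from the thread or from the ufw project: it assumes the package's profiles live in /etc/ufw/applications.d/<package> in ufw's INI-style format (one [Profile Name] section per profile) and that "ufw delete <policy> <profile>" accepts the allow, deny and limit policies named above.

```shell
#!/bin/sh
# Added example (not from the thread): postrm helpers that drop every ufw rule
# referring to a package's application profiles, ignoring "no such rule" errors
# so that dpkg does not abort the removal.
# Assumption: the profile file uses ufw's applications.d INI format and the
# ufw binary accepts "delete allow|deny|limit <profile>".

# Print one profile name per line from a ufw applications.d file.
list_profiles() {
    # Section headers look like "[Apache Full]"; strip the brackets.
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Emit, without running them, the ufw commands needed to remove every rule
# for every profile in the file (three policies per profile).
ufw_cleanup_commands() {
    list_profiles "$1" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            printf '%s delete %s "%s"\n' "${UFW:-ufw}" "$policy" "$profile"
        done
    done
}

# Run the removal for real. UFW can be overridden (e.g. for testing);
# failures are swallowed because most profiles will not have a matching rule.
cleanup_profiles() {
    list_profiles "$1" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            "${UFW:-ufw}" delete "$policy" "$profile" >/dev/null 2>&1 || true
        done
    done
}

# In a package's postrm you would call, for example:
#   case "$1" in remove|purge) cleanup_profiles /etc/ufw/applications.d/apache2 ;; esac
```

Whether this is the right policy is exactly what the thread disputes; the helper only shows what the "delete every policy for every profile" approach costs in commands.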