[ubuntu-hardened] ufw package integration
Cody A.W. Somerville
cody-somerville at ubuntu.com
Thu Sep 4 16:02:18 BST 2008
On Thu, Sep 4, 2008 at 11:58 AM, James Dinkel <jdinkel at gmail.com> wrote:
> On Thu, Sep 4, 2008 at 5:11 AM, Didier Roche <didrocks at gmail.com> wrote:
>> 2008/9/4 Nicolas Valcárcel <nvalcarcel at ubuntu.com>
>>> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
>>> > How does this design prevent leaving ports open when the package that
>>> > they legitimately correspond to is no longer installed?
>>> I think we can (if it's not already preventing it) add a command
>>> in .postrm that disables it in ufw. In the end these files are just for
>>> declaring profiles, not for enabling or opening any port; they just describe
>>> a service's ports so the user doesn't need to care about them, just enable
>>> that service in ufw. So we don't need to care about those files opening
>>> any port, only about disabling them in ufw after removal.
>> The issue is more complex than that, because you do not know which profile
>> is currently loaded (there can be more than one profile per package.
>> A typical example is Apache, which has 3 profiles: one for port 80, one for
>> 443 and the last one for both of them).
>> An idea might be to force (ignoring the error in case the
>> profile is not associated with a rule) the removal of the corresponding rules
>> by doing "sudo ufw delete allow <profile>" on all profiles of the package
>> (and even "sudo ufw delete deny <profile>"/"sudo ufw delete limit
>> <profile>". Maybe a "sudo ufw delete any_policy <profile>" would be a good
>> new command).
>> What is the case if another package uses the same port and had it opened
>> (with ufw profile integration)? Is the port still open on the firewall
>> (which is what we really want)?
> I would say leave the ports open and leave the profile files. Leave it up
> to the user to manage the firewall. If the package is removed, it's not
> going to be listening on those ports any more anyway.
Why don't we just leave all ports open then? :P
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> More info: https://wiki.ubuntu.com/ServerTeam
Cody A.W. Somerville
Software Systems Release Engineer
Custom Engineering Solutions Group
Canonical OEM Services
Email: cody.somerville at canonical.com
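A postrm-style clean-up along the lines Didier proposes above, as an added example that is not part of this thread or of any Ubuntu package's maintainer scripts. It relies only on the documented command forms "ufw delete allow|deny|limit <profile>" and on the INI layout of profile files under /etc/ufw/applications.d/; the profile file it writes is constructed for the example (modelled on apache2's three profiles, not copied from the package), and the UFW variable is an assumption of this script so it can be dry-run with UFW=echo.

```shell
#!/bin/sh
# Added example (not from the thread or any Ubuntu package): a postrm-style
# clean-up that deletes every ufw rule referencing the profiles a package
# shipped, for each policy ufw accepts, ignoring the error ufw returns when
# no such rule exists. Profile names are read from the package's profile file
# (same INI layout as /etc/ufw/applications.d/*). UFW is an assumed,
# overridable path to the ufw binary, e.g. UFW=echo for a dry run.

UFW="${UFW:-ufw}"

# Print the profile names, i.e. the [Section] headers, declared in a profile file.
ufw_profile_names() {
    sed -n 's/^\[\([^]]*\)\].*/\1/p' "$1"
}

# Remove every rule that references one profile. ufw exits non-zero when the
# rule does not exist, which is the normal case for a profile that was never
# enabled, so that error is deliberately ignored.
ufw_purge_profile() {
    name="$1"
    for policy in allow deny limit; do
        "$UFW" delete "$policy" "$name" || true
    done
}

# Purge all profiles declared in one profile file (what postrm would do
# before the file itself is removed).
ufw_purge_profile_file() {
    ufw_profile_names "$1" | while IFS= read -r name; do
        ufw_purge_profile "$name"
    done
}

# Constructed profile file for the example, modelled on apache2's three
# profiles (80, 443, and both); not the real file from the package.
write_demo_profile() {
    cat > "$1" <<'EOF'
[Apache]
title=Web Server
description=Apache web server (example)
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache web server (example)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache web server (example)
ports=80,443/tcp
EOF
}

# Dry run: "./ufw-purge.sh --demo" prints the nine delete commands instead
# of executing them.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    write_demo_profile "$demo"
    ( UFW=echo; ufw_purge_profile_file "$demo" )
    rm -f "$demo"
fi
```

Deleting by profile name is what makes the shared-port question manageable: ufw matches the rule to delete on the whole rule, application name included, so a rule another package enabled through its own profile, or one the admin added by hand as "ufw allow 80/tcp", is a different rule and stays in place. What this does not do is distinguish a rule the user created for this profile from one the package's own scripts created, which is the trade-off James raises.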