[ubuntu-hardened] ufw package integration

Cody A.W. Somerville cody-somerville at ubuntu.com
Thu Sep 4 16:02:18 BST 2008


On Thu, Sep 4, 2008 at 11:58 AM, James Dinkel <jdinkel at gmail.com> wrote:

> On Thu, Sep 4, 2008 at 5:11 AM, Didier Roche <didrocks at gmail.com> wrote:
>
>>
>> 2008/9/4 Nicolas Valcárcel <nvalcarcel at ubuntu.com>
>>
>>> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
>>> > How does this design prevent
>>> > leaving ports open when the package that they legitimately correspond
>>> > to is
>>> > no longer installed?
>>>
>>> I think we can (if it's not already preventing it) add a command
>>> in .postrm that disables it on ufw. In the end these files are just for
>>> declaring profiles, not for enabling or opening any port; they just describe a
>>> service's ports so the user doesn't need to care about them and can just enable
>>> that service on ufw. So we don't need to care about those files opening
>>> any port, only about disabling them on ufw after removal.
>>>
>>>
>> The issue is more complex than that, because you do not know which profile
>> is currently loaded (there can be more than one profile per package.
>> A typical example is Apache, which has 3 profiles: one for port 80, one for
>> 443 and the last one for both of them).
>>
>> An idea might be to force (without looking at the error in case the
>> profile is not associated with a rule) the removal of the corresponding rules
>> by doing "sudo ufw delete allow <profile>" on all profiles of the package
>> (and even "sudo ufw delete deny <profile>"/"sudo ufw delete limit
>> <profile>". Maybe a "sudo ufw delete any_policy <profile>" would be a good
>> new command).
>>
>> What is the case if another package uses the same port and had it opened
>> (with ufw profile integration)? Is the port still open on the firewall
>> (which is what we really want)?
>>
>
> I would say leave the ports open and leave the profile files.  Leave it up
> to the user to manage the firewall.  If the package is removed, it's not
> going to be listening on those ports any more anyway.
>

Why don't we just leave all ports open then? :P


>
>
> James
>
>



-- 
Cody A.W. Somerville
Software Systems Release Engineer
Custom Engineering Solutions Group
Canonical OEM Services
Cell: 506-449-5899
Email: cody.somerville at canonical.com
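As an added example (not code from the thread, from ufw, or from any Ubuntu package), the following sketches the postrm approach Didier describes above: read every profile name declared in the package's /etc/ufw/applications.d file and run "ufw delete allow/deny/limit <profile>" for each, ignoring failures for policies that were never applied. The Apache profile file is constructed inline as a temporary file so the script runs without apache2 or ufw installed, and the ufw binary is only reached through the UFW variable (defaulting to "ufw"), which is an assumption of this example rather than anything the maintainer scripts actually use.

```shell
#!/bin/sh
# Added example: postrm-style cleanup of ufw rules that reference the
# application profiles a package ships. Not ufw's or Ubuntu's own code.
set -e

# Constructed stand-in for /etc/ufw/applications.d/apache2, written to a
# temp file so the example runs on a machine without the package installed.
PROFILE_FILE=$(mktemp)
trap 'rm -f "$PROFILE_FILE"' EXIT
cat > "$PROFILE_FILE" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
EOF

# Print every profile name declared in a ufw applications.d file: each
# INI-style "[Name]" section header with the brackets stripped. Names may
# contain spaces ("Apache Full"), so every caller must quote them.
ufw_profiles() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Dry run: print the ufw commands that would be executed, one per line,
# covering all three policies since we cannot know which one (if any) the
# admin applied to each profile.
ufw_delete_commands() {
    ufw_profiles "$1" | while IFS= read -r name; do
        for policy in allow deny limit; do
            printf '%s delete %s "%s"\n' "${UFW:-ufw}" "$policy" "$name"
        done
    done
}

# The postrm action proper: attempt each deletion and ignore the result, so
# package removal never aborts because a rule was not present. UFW may be
# pointed at a wrapper or a shell function for testing (assumption of this
# example; a real postrm would call ufw directly).
ufw_cleanup_profiles() {
    ufw_profiles "$1" | while IFS= read -r name; do
        for policy in allow deny limit; do
            "${UFW:-ufw}" delete "$policy" "$name" >/dev/null 2>&1 || true
        done
    done
}

# Stand-alone run: show the plan rather than touching the live firewall.
ufw_delete_commands "$PROFILE_FILE"
```

Because ufw records rules created with "ufw allow <profile>" against the profile name, deleting by name only removes the rules that named this package's profiles; a second package whose own profile opened the same port keeps its rule, which is the behaviour Didier asks for. Profiles the admin never applied simply produce a failed delete that the "|| true" swallows. The remaining gap this does not close is a rule the admin wrote by port number rather than by profile, which no postrm can attribute to the package.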