[ubuntu-hardened] ufw package integration

Luke L lukehasnoname at gmail.com
Thu Sep 4 22:55:41 BST 2008


Should package integration be disabled by default? I know a lot of Linux
people who are a little unsettled by how much Ubuntu attempts to automate
things, without users' control or knowledge. Not all those arguments hold
water, but if a firewall were opening and closing ports on a system without
the admin's express, explicit consent, it could quickly drive away the
users this could benefit.

As the disclaimer goes with EVERY post I make to the MLs here: I am not an
expert, and I am not an active developer here. I am asking that it be
considered, if it hasn't already, that package integration be an optional,
if not disabled-by-default, feature. Let the admin know (with confirmation)
that package integration is on, and that the OS will attempt to
"intelligently" (emphasis on quotes) adjust firewall settings based on
installed programs.

It could be argued that if someone wants full control over their firewall
they could just use iptables, but meh.

On Thu, Sep 4, 2008 at 10:58 AM, James Dinkel <jdinkel at gmail.com> wrote:

> On Thu, Sep 4, 2008 at 10:39 AM, Soren Hansen <soren at ubuntu.com> wrote:
>
>> On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
>> > I would say leave the ports open and leave the profile files.  Leave
>> > it up to the user to manage the firewall.  If the package is removed,
>> > it's not going to be listening on those ports any more anyway.
>>
>> If "not listening" was sufficient, there'd be little point in having a
>> firewall in the first place, wouldn't there?
>>
>> --
>> Soren Hansen
>
>
> Well, 'not listening' _should_ be sufficient, however I prefer (and
> suggest) to use a firewall as an extra layer of protection.  I must have
> been mistaken, I did not realize we were debating the merits of a firewall,
> only whether or not packages should automatically change firewall rules.  Of
> course, if I trusted packages to manage opening and closing their own
> firewall rules, then I might as well trust them to listen or not on those
> ports, so in that case then yes there would be little point in having a
> firewall in the first place.
>
> James
>
> On Thu, Sep 4, 2008 at 10:02 AM, Cody A.W. Somerville <
> cody-somerville at ubuntu.com> wrote:
>
>>
>> Why don't we just leave all ports open then? :P
>>
>> --
>> Cody A.W. Somerville <cody.somerville at canonical.com>
>>
>
>
> Well, for a long time that was the standard setup for Ubuntu.  As I
> mentioned above though, I would suggest using a firewall with all ports
> blocked by default as an additional layer of protection.
>
> --
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>



-- 
Luke L.