[ubuntu-hardened] ufw package integration
silvio at pizzaroot.com.br
Fri Sep 5 02:15:06 BST 2008
On Thursday 04 September 2008 18:55:41 Luke L wrote:
I second that. I'm also a new guy here but consider these two small examples:
- When you install a DNS server (e.g. bind), it listens on UDP 53 for normal
DNS requests and TCP 53 for zone transfer requests. The package could not
possibly know who should be allowed to query or transfer zones to/from this
- When you install a Mail server (e.g. postfix), again, package can't know if
this is just an internal mail server, a relay for a specific server pool or a
If I enable ufw it is because I want to protect a service; it has no use if the
package itself opens up the ports.
With that said, it will be of great help if the package can provide a template
with the ports used by the package so the admin can just adjust the rules and
enable the protection.
Just my 2 cents.
> Should package integration be disabled by default? I know a lot of Linux
> people who are a little unsettled by how much Ubuntu attempts to automate
> things, without users' control or knowledge. Not all those arguments hold
> water, but if a firewall were opening and closing ports on a system without
> the admin's express, explicit consent, it could quickly drive away the
> users this could benefit.
> As the disclaimer goes with EVERY post I make to the MLs here: I am not an
> expert, and I am not an active developer here. I am asking that it be
> considered, if it hasn't already, that package integration be an optional,
> if not disabled-by-default, feature. Let the admin know (with confirmation)
> that package integration is on, and that the OS will attempt to
> "intelligently" (emphasis on quotes) adjust firewall settings based on
> installed programs.
> It could be argued that if someone wants full control over their firewall
> they could just use iptables, but meh.
> On Thu, Sep 4, 2008 at 10:58 AM, James Dinkel <jdinkel at gmail.com> wrote:
> > On Thu, Sep 4, 2008 at 10:39 AM, Soren Hansen <soren at ubuntu.com> wrote:
> >> On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> >> > I would say leave the ports open and leave the profile files. Leave
> >> > it up to the user to manage the firewall. If the package is removed,
> >> > it's not going to be listening on those ports any more anyway.
> >> If "not listening" was sufficient, there'd be little point in having a
> >> firewall in the first place, wouldn't there?
> >> --
> >> Soren Hansen
> > Well, 'not listening' _should_ be sufficient, however I prefer (and
> > suggest) to use a firewall as an extra layer of protection. I must have
> > been mistaken, I did not realize we were debating the merits of a
> > firewall, only whether or not packages should automatically change
> > firewall rules. Of course, if I trusted packages to manage opening and
> > closing their own firewall rules, then I might as well trust them to
> > listen or not on those ports, so in that case then yes there would be
> > little point in having a firewall in the first place.
> > James
> > On Thu, Sep 4, 2008 at 10:02 AM, Cody A.W. Somerville <
> > cody-somerville at ubuntu.com> wrote:
> >> Why don't we just leave all ports open then? :P
> >> --
> >> Cody A.W. Somerville <cody.somerville at canonical.com>
> > Well, for a long time that was the standard setup for Ubuntu. As I
> > mentioned above though, I would suggest using a firewall with all ports
> > blocked by default as an additional layer of protection.
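As an added illustration of the port template Silvio proposes (not from this thread or from the ufw or bind9 packages): a ufw application profile under /etc/ufw/applications.d that ships the DNS ports in two sections, so the admin can open normal queries broadly while allowing zone transfers only from a known secondary. The section names and the secondary's address 192.0.2.10 are assumed.

```ini
; Constructed example profile, e.g. /etc/ufw/applications.d/bind9
; Shipping this file adds no firewall rule by itself; it only tells ufw
; which ports the package uses so the admin can write a precise rule.

[Bind9]
title=BIND9 DNS server (queries)
description=Normal DNS lookups from clients
ports=53/udp

[Bind9 AXFR]
title=BIND9 DNS server (zone transfers)
description=TCP 53 used for zone transfers between master and secondaries
ports=53/tcp
```

The admin then decides the policy, for example `ufw allow Bind9` to accept queries from anywhere and `ufw allow from 192.0.2.10 to any app 'Bind9 AXFR'` to permit transfers only from the secondary, which is exactly the knowledge the package cannot have on its own.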