[ubuntu-hardened] ufw package integration

Chris Martin chris at martin.name
Fri Sep 5 02:31:27 BST 2008


Not listening is sufficient - that is the point.
Having a firewall that is automatically updated as packages are installed is
dangerous.  This is similar to UPnP and not the right way to do security.

By having all packages automatically update the firewall - you may as well
not have a firewall.

Just because an HTTP server is installed, it doesn't mean that it should be
accessible.  The decision to open the firewall should be a separate action.

Often packages get installed that are only intended to be accessed via a
single interface on machines with multiple interfaces or via localhost ONLY.

It really defeats the purpose of having a firewall if the ports are opened
automatically.

---------------------------------
Chris Martin
e:  chris at martin.name
m: +61(0)419812371
---------------------------------
-----Original Message-----
From: ubuntu-devel-bounces at lists.ubuntu.com
[mailto:ubuntu-devel-bounces at lists.ubuntu.com] On Behalf Of Soren Hansen
Sent: Friday, 5 September 2008 1:39 AM
To: ubuntu-server at lists.ubuntu.com; ubuntu-hardened at lists.ubuntu.com;
ubuntu-devel at lists.ubuntu.com
Subject: Re: ufw package integration

On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> I would say leave the ports open and leave the profile files.  Leave
> it up to the user to manage the firewall.  If the package is removed,
> it's not going to be listening on those ports any more anyway.

If "not listening" was sufficient, there'd be little point in having a
firewall in the first place, wouldn't there?

-- 
Soren Hansen               | 
Virtualisation specialist  | Ubuntu Server Team
Canonical Ltd.             | http://www.ubuntu.com/
