[ubuntu-hardened] ufw package integration

Didier Roche didrocks at gmail.com
Fri Sep 5 07:51:34 BST 2008


(Sorry for the top post, as gmail seems to be used to it...)

On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
> > Not listening is sufficient - that is the point
> > Having a firewall that is automatically updated as packages are installed
> > is dangerous.  This is similar to UPnP and not the right way to do security
> >
> > By having all packages automatically update the firewall - you may as
> > well not have a firewall
> >
> > Just because a HTTP server is installed it doesn't mean that it should be
> > accessible.  The decision to open the firewall should be a separate
> > action
> >
> > Often packages get installed that are only intended to be accessed via a
> > single interface on machines with multiple interfaces or via local host
> > ONLY
> >
> > It really defeats the purpose of having a firewall if the ports are
> > opened automatically
>

Hum, no. From what I understand, ufw allows different application policies
for package integration. The default policy is SKIP[1], so no rules are
automatically added to the firewall. You can set it to ALLOW or DENY to
automatically add rules to your firewall when installing a package.

My tests when working on adding ufw integration to various packages
confirmed that.


> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.
>
>
Yes, the subject has diverged. Now that the previous point is - I think -
solved, let's go on to the question of closing ports when removing/purging a
package.

Didier

[1] https://wiki.ubuntu.com/UbuntuFirewall#Package%20Integration
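The policy semantics Didier describes (SKIP adds nothing at install time; ALLOW or DENY generate a rule per application profile) can be illustrated with a small simulation. This is an added example, not ufw's own code: it parses constructed profiles written in the INI layout of /etc/ufw/applications.d files and shows which rules a package-integration hook would emit under each default application policy, plus the follow-up check the thread turns to next, finding rules that still name a profile whose package has been purged. The function names and the rule strings are this example's own choices.

```python
"""Simulate ufw package-integration decisions (added example, not ufw code).

Profiles follow the /etc/ufw/applications.d format: one INI section per
application with title, description and a ports line. Policies are the
three the mail names: SKIP (ufw's default), ALLOW and DENY.
"""
import configparser

# Constructed sample profiles in the applications.d layout.
SAMPLE_PROFILES = """
[Apache]
title=Web Server
description=Apache v2 web server.
ports=80/tcp

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell Protocol.
ports=22/tcp
"""

VALID_POLICIES = ("SKIP", "ALLOW", "DENY")


def parse_profiles(text):
    """Return {profile_name: [port_spec, ...]} from applications.d-style text.

    The ports line may hold several '|'-separated entries, e.g. 80,443/tcp|8080/tcp.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for name in parser.sections():
        ports = parser.get(name, "ports")
        profiles[name] = [p.strip() for p in ports.split("|") if p.strip()]
    return profiles


def rules_on_install(profiles, policy="SKIP"):
    """Rules a package-integration hook would add when the package is installed.

    SKIP (the default) adds nothing: installing a package does not by itself
    open a port, which is the point made in the mail. ALLOW or DENY emit one
    rule per profile; the 'ufw <policy> <profile>' string is illustrative.
    """
    policy = policy.upper()
    if policy not in VALID_POLICIES:
        raise ValueError("unknown application policy: %s" % policy)
    if policy == "SKIP":
        return []
    return ["ufw %s %s" % (policy.lower(), name) for name in profiles]


def stale_profile_rules(existing_rules, installed_profiles):
    """Rules whose profile no longer exists, i.e. candidates for cleanup.

    This is the removal/purge question the thread moves on to: a rule that
    names a profile which has been uninstalled is left behind unless something
    removes it. Rule strings are assumed to end with the profile name.
    """
    return [r for r in existing_rules if r.split()[-1] not in installed_profiles]


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    for policy in VALID_POLICIES:
        print(policy, "->", rules_on_install(profiles, policy) or "(no rules added)")
    # Simulate purging Apache: its rule is now stale.
    remaining = {k: v for k, v in profiles.items() if k != "Apache"}
    print("stale after purging Apache:",
          stale_profile_rules(rules_on_install(profiles, "ALLOW"), remaining))
```

Run it as a script to see the three policies side by side; the SKIP line is the one that corresponds to a default installation, where no rule appears until an administrator opens the port deliberately.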