[ubuntu-hardened] ufw package integration

Nick Barcet nick.barcet at canonical.com
Fri Sep 5 07:57:35 BST 2008

Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous.  This is similar to UPnP and not the right way to do security
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible.  The decision to open the firewall should be a separate action
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>> It really defeats the purpose of having a firewall if the ports are opened
>> automatically
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

We were, indeed, and if I quote Jamie's original email that started this

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> User's could then do:
> $ sudo ufw allow Apache

it seems clear that port WILL NOT be opened automatically.  It will
require the user's intervention.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20080905/08858056/attachment.pgp 

More information about the ubuntu-hardened mailing list