[ubuntu-hardened] ufw package integration
nick.barcet at canonical.com
Fri Sep 5 07:57:35 BST 2008
Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous. This is similar to UPnP and not the right way to do security
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible. The decision to open the firewall should be a separate action
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>> It really defeats the purpose of having a firewall if the ports are opened
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.
We were, indeed, and if I quote Jamie's original email that started this
> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> User's could then do:
> $ sudo ufw allow Apache
it seems clear that port WILL NOT be opened automatically. It will
require the user's intervention.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 189 bytes
Desc: OpenPGP digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20080905/08858056/attachment.pgp
More information about the ubuntu-hardened