[ubuntu-hardened] ufw package integration

Nick Barcet nick.barcet at canonical.com
Fri Sep 5 07:57:35 BST 2008


Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous.  This is similar to UPnP and not the right way to do security
>>
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>>
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible.  The decision to open the firewall should be a separate action
>>
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>>
>> It really defeats the purpose of having a firewall if the ports are opened
>> automatically
> 
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

We were, indeed, and if I quote Jamie's original email that started this
thread:

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> Users could then do:
> $ sudo ufw allow Apache

it seems clear that port WILL NOT be opened automatically.  It will
require the user's intervention.

Nick
