[ubuntu-hardened] ufw package integration
jamie at canonical.com
Fri Sep 5 16:38:57 BST 2008
On Thu, 04 Sep 2008, Luke L wrote:
> Should package integration be disabled by default?
There is confusion as to what 'package integration' actually does. When
I sent the email, this is what it meant:
a) a package can declare itself to ufw via profiles that have various
b) a user can use profile names in rules in addition to port/protocol
c) an administrator can set the 'default application policy' to be one
of 'skip', 'allow' or 'deny'. This affects what happens when
'ufw app update --add-new <profile>' is run. 'skip' is the default
and will *under no circumstances* add any rules to the firewall. Only
if the default application policy is changed away from 'skip' will
any rules be added
d) with the above in place, I had written a section in UbuntuFirewall which
used 'ufw app update --add-new <profile>' in postinst, so that *if* an
administrator decided to change the default policy to something other
than 'skip', rules could be automatically added on installation.
However, after posting the email, I decided that using dpkg triggers was
the way to go (thanks Colin Watson!), and as such, 'update --add-new' is
no longer used in Ubuntu packaging, so it is not possible to open any
ports via package integration at this time (when functionality in dpkg
triggers is added, this may change in the future). All applications in
Ubuntu that supply application profiles take advantage of dpkg triggers.
Bottom line: 'a' and 'b' are the common use cases, and using package
integration is completely opt in.
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
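To make points (a) to (c) concrete, here is an added example that is not code from the post or from ufw itself. It models, in Python, what the mail describes: a package-shipped profile in the INI format ufw reads from /etc/ufw/applications.d/ (a `[Name]` section with `title`, `description` and `ports`), how `ufw allow <profile>` expands a profile name into port/protocol rules (b), and how the default application policy decides whether `ufw app update --add-new <profile>` adds anything (c). The profile contents, the `parse_profiles`/`expand_rule`/`add_new` helpers and the strictness of the port validation are this example's own assumptions, not ufw's implementation.

```python
import configparser
import re

# Constructed sample in the INI format ufw reads from /etc/ufw/applications.d/
# (the kind of profile a package ships under point (a)). Not from the post.
SAMPLE_PROFILES = """\
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=SMB/CIFS file and printer sharing
ports=137,138/udp|139,445/tcp
"""

# One ports clause: comma-separated ports or lo:hi ranges, then /tcp or /udp.
# Clauses are joined with '|', e.g. 137,138/udp|139,445/tcp.
_CLAUSE = re.compile(r"^([\d:,]+)/(tcp|udp)$")


def _check_port(value):
    """Reject anything outside 1-65535; a range is lo:hi with lo <= hi."""
    lo, sep, hi = value.partition(":")
    parts = [lo, hi] if sep else [lo]
    nums = []
    for p in parts:
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            raise ValueError(f"bad port {value!r}")
        nums.append(int(p))
    if sep and nums[0] > nums[1]:
        raise ValueError(f"bad range {value!r}")
    return value


def parse_profiles(text):
    """Return {profile_name: [(port_or_range, proto), ...]} for every section.

    Every section must carry title, description and ports (assumed required).
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        sec = cp[name]
        missing = [k for k in ("title", "description", "ports") if k not in sec]
        if missing:
            raise ValueError(f"profile {name!r} missing {missing}")
        rules = []
        for clause in sec["ports"].split("|"):
            m = _CLAUSE.match(clause.strip())
            if not m:
                raise ValueError(f"profile {name!r}: bad ports clause {clause!r}")
            ports, proto = m.groups()
            for p in ports.split(","):
                rules.append((_check_port(p), proto))
        profiles[name] = rules
    return profiles


def expand_rule(profiles, profile_name, action="allow"):
    """Point (b): 'ufw allow <profile>' is shorthand for the profile's port rules."""
    if profile_name not in profiles:
        raise KeyError(f"unknown profile {profile_name!r}")
    return [f"{action} {port}/{proto}" for port, proto in profiles[profile_name]]


def add_new(policy, profiles, profile_name):
    """Point (c): what 'ufw app update --add-new <profile>' would add under each
    default application policy. 'skip' (the default) never adds a rule."""
    if policy == "skip":
        return []
    if policy in ("allow", "deny"):
        return expand_rule(profiles, profile_name, action=policy)
    raise ValueError(f"unknown default application policy {policy!r}")


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE_PROFILES)
    for name in profs:
        print(name, expand_rule(profs, name))
    print("skip  ->", add_new("skip", profs, "Samba"))
    print("allow ->", add_new("allow", profs, "Samba"))
```

The model makes the opt-in nature visible: parsing a shipped profile and referring to it by name changes nothing on the host, and `add_new` returns an empty rule list under the default `skip` policy, so only an administrator who has changed that policy (and a package that actually calls `--add-new`, which the mail says Ubuntu packaging no longer does) ends up with rules added automatically.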