ufw package integration
didrocks at gmail.com
Thu Sep 4 10:11:07 UTC 2008
2008/9/4 Nicolas Valcárcel <nvalcarcel at ubuntu.com>
> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> > How does this design prevent leaving ports open when the package that
> > they legitimately correspond to is no longer installed?
> I think we can (if it's not already preventing it) add a command
> on .postrm that disables it on ufw. In the end these files are just for
> declaring profiles, not enabling or opening any port; they just describe a
> service's ports so the user doesn't need to care about them, they just enable
> that service on ufw. So we don't need to care about those files opening
> any port, but only about disabling them on ufw after removing.
The issue is more complex than that, because you do not know which profile
is currently loaded (there can be more than one profile per package).
A typical example is Apache, which has 3 profiles: one for port 80, one for
443 and the last one for both of them.
An idea might be to force (without checking for an error in case the profile
is not associated to a rule) the removal of the corresponding rules by doing
"sudo ufw delete allow <profile>" on all profiles of the package (and even
"sudo ufw delete deny <profile>"/"sudo ufw delete limit <profile>". Maybe a
"sudo ufw delete any_policy <profile>" would be a good new command).
What is the case if another package uses the same port and had it opened
(with ufw profile integration)? Is the port still open on the firewall
(which is what we really want)?
PS: Sorry Nicolas. I really have to get rid of gmail with its ML
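The postrm cleanup sketched in this message, as an added example that is not from the thread or from the ufw project: it reads the profile names from a package's application profile file (the `[section]` headers, in the layout ufw uses under /etc/ufw/applications.d/), deletes allow, deny and limit rules for each of them, and ignores ufw's error when no such rule exists. The `UFW` variable and the sample Apache profile file are assumptions of this example so the ufw binary can be stubbed out.

```shell
#!/bin/sh
# Added example, not code from the thread or from ufw: a postrm-style
# cleanup that removes every ufw rule referencing any profile a package
# declares, ignoring "could not delete" errors, as proposed above.
# Assumption: UFW names the ufw command (or a stub used for testing).
UFW="${UFW:-ufw}"

# Print the profile names declared in an application profile file:
# every "[Name]" section header, one per line.
ufw_profiles_in() {
    sed -n 's/^\[\(.*\)]$/\1/p' "$1"
}

# Delete allow/deny/limit rules for every profile in the file. ufw's exit
# status is ignored so that postrm never fails because a rule was absent.
ufw_cleanup_profiles() {
    file="$1"
    [ -f "$file" ] || return 0
    ufw_profiles_in "$file" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            "$UFW" delete "$policy" "$profile" >/dev/null 2>&1 || true
        done
    done
    return 0
}

# Constructed sample profile file mirroring the three Apache profiles
# mentioned above (port 80, port 443, and both); written to the given path.
make_sample_profile() {
    cat > "$1" <<'EOF'
[Apache]
title=Web Server
description=Constructed sample profile for the example.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Constructed sample profile for the example.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Constructed sample profile for the example.
ports=80,443/tcp
EOF
}

# Typical postrm usage (hypothetical package name):
# case "$1" in remove|purge) ufw_cleanup_profiles /etc/ufw/applications.d/apache2 ;; esac
```

Because `ufw delete` here names the rule by profile, a rule that another package added under its own profile for the same port is not touched by this cleanup; only rules written against this package's profiles are removed.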