[ubuntu-hardened] ufw package integration

Jamie Strandboge jamie at canonical.com
Fri Sep 5 15:53:29 UTC 2008


On Fri, 05 Sep 2008, Jamie Strandboge wrote:

> This is (of course) correct. If the user decides to create a rule using
> the profile, then on removal or purge the rule is not removed.
> Application rules are no different than regular rules in this regard.
> Eg, these are equivalent:
> 
> # ufw allow 80/tcp
> # ufw allow Apache
> 
> ufw tries to not make firewall policy decisions on behalf of the user on
> package installation, and does not open any ports on package install. As
> such, just like opening tcp port 80 is opt in, using application profile
> 'Apache' is also opt in.
> 
> ufw handles the purge of an application gracefully and will still

Also, the decision to *not* remove rules on package purge and/or removal
is because that would undo in packaging what an administrator had
explicitly added to his/her firewall outside of packaging. This is making
an administrative decision for the user that IMO ufw and its packaging is
not equipped to make properly.

There is an argument for removing the rules if the default application
policy was changed from 'skip' *and* the packaging adds profiles via
'update --add-new'. However, this is not what is currently happening in
packaging and can be discussed if this happens at some future date (see
other email regarding this).

Jamie

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
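An added example (not from this thread or from the ufw project) that makes the equivalence in the quoted text concrete: it parses a constructed profile in the /etc/ufw/applications.d INI format and expands `ufw allow Apache` to the plain port rules it denotes, so an administrator can see exactly what opting in to a profile opens. The profile contents and the `|`/`,` ports syntax shown are assumed from the format's documented conventions.

```python
import configparser
import re

# Constructed sample in the /etc/ufw/applications.d/ INI format (not a real
# file shipped by any package): one profile per section, with a ports field of
# comma-separated port[/proto] items, protocol groups separated by '|'.
SAMPLE_PROFILE = """\
[Apache]
title=Web Server
description=Apache v2 web server (constructed sample)
ports=80/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server (constructed sample)
ports=80,443/tcp
"""

PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # port or low:high range

def parse_profiles(text):
    """Return {profile_name: ports_string} for every section in the text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: cp[name]["ports"] for name in cp.sections()}

def expand_ports(ports):
    """Split a ufw ports field into (port_or_range, proto) tuples.

    '80,443/tcp' means 80/tcp and 443/tcp; groups for different protocols
    are joined with '|'; an item with no protocol (e.g. '53') has proto None,
    which ufw applies to both tcp and udp. Invalid items raise ValueError.
    """
    rules = []
    for group in ports.split("|"):
        proto = None
        if "/" in group:
            group, proto = group.rsplit("/", 1)
        for item in group.split(","):
            m = PORT_RE.match(item)
            if not m or any(not 0 < int(p) <= 65535 for p in m.groups() if p):
                raise ValueError(f"invalid port spec: {item!r}")
            rules.append((item, proto))
    return rules

def equivalent_rules(profiles, name):
    """The plain 'ufw allow <port>/<proto>' commands that 'ufw allow <name>' denotes."""
    return [f"ufw allow {p}" + (f"/{proto}" if proto else "")
            for p, proto in expand_ports(profiles[name])]
```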