ufw package integration (Linux Archive: Ubuntu > Ubuntu Server Development, archived from the ubuntu-devel and ubuntu-server mailing lists)

09-04-2008, 10:11 AM
Didier Roche

2008/9/4 Nicolas Valcárcel <nvalcarcel@ubuntu.com>:

> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> > How does this design prevent leaving ports open when the package that
> > they legitimately correspond to is no longer installed?
>
> I think we can (if it's not already preventing it) add a command
> in .postrm that disables it in ufw. In the end these files are just for
> declaring profiles, not for enabling or opening any port; they just describe
> a service's ports so the user doesn't need to care about them, just enable
> that service in ufw. So we don't need to care about those files opening
> any port, only about disabling them in ufw after removal.

The issue is more complex than that, because you do not know which profile
is currently loaded (there can be more than one profile per package; a
typical example is Apache, which has 3 profiles: one for port 80, one for
443 and the last one for both of them).

An idea might be to force (ignoring the error in case the profile is not
associated with a rule) the removal of the corresponding rules by running
"sudo ufw delete allow <profile>" on all profiles of the package (and even
"sudo ufw delete deny <profile>" / "sudo ufw delete limit <profile>"; maybe
a "sudo ufw delete any_policy <profile>" would be a good new command).

What happens if another package uses the same port and had it opened (with
ufw profile integration)? Is the port still open on the firewall (which is
what we really want)?

PS: Sorry Nicolas. I really have to get rid of gmail with its ML management...
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
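The cleanup sketched in the message above (loop over every profile a package ships and run "ufw delete" for each policy, ignoring the error when no rule references that profile) written out as an added example. This is not code from the thread or from the ufw package. It assumes the profile file follows the INI layout ufw reads from /etc/ufw/applications.d (one [Name] section per profile, each with a ports= line), uses a constructed three-profile Apache file modelled on the one the message describes, and adds a UFW_CMD variable (an assumption, not a ufw feature) so the functions can be dry-run with UFW_CMD=echo on a machine without ufw or root. The "any_policy" subcommand proposed above does not exist; the loop over allow, deny and limit stands in for it.

```sh
#!/bin/sh
# Added example (not from the thread or the ufw package): remove every ufw
# rule that references the application profiles a package ships, the way a
# postrm hook could.  Assumptions: the profile file uses ufw's INI layout
# ("[Name]" section per profile, a "ports=" line); UFW_CMD is an assumed
# knob so the functions can be dry-run with UFW_CMD=echo on a machine
# without ufw or root.

UFW_CMD="${UFW_CMD:-ufw}"

# Write a constructed profile file modelled on the three Apache profiles the
# thread mentions and print its path (sample data, not the real file from
# /etc/ufw/applications.d).
sample_profile_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 web server
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 web server
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server
ports=80,443/tcp
EOF
    printf '%s\n' "$f"
}

# Print the profile names declared in a profile file, one per line: every
# "[Name]" section header is one profile, whatever its ports= line says.
ufw_profiles_in() {
    sed -n 's/^\[\(.*\)]$/\1/p' "$1"
}

# Print the commands that would strip all three policies for one profile.
# Names with spaces ("Apache Full") must be quoted on the real ufw CLI.
ufw_cleanup_commands() {
    for policy in allow deny limit; do
        printf '%s delete %s "%s"\n' "$UFW_CMD" "$policy" "$1"
    done
}

# Remove every allow/deny/limit rule for every profile in the file.  Each
# ufw call may fail (ufw complains about a non-existent rule when the admin
# never enabled that profile), so failures are swallowed: a maintainer
# script runs under set -e and must never abort package removal for this.
# stdout is left alone so a dry run with UFW_CMD=echo shows what would run.
ufw_cleanup_file() {
    command -v "$UFW_CMD" >/dev/null 2>&1 || return 0   # no ufw: nothing to do
    ufw_profiles_in "$1" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            "$UFW_CMD" delete "$policy" "$profile" 2>/dev/null || true
        done
    done
    return 0
}
```

A postrm would call ufw_cleanup_file on the package's own profile file before that file is deleted, and only in the remove/purge case. Because ufw records an application rule under the profile name, this removes only rules that name one of this package's profiles: a rule another package's profile created for the same port, or a plain port rule such as "ufw allow 80/tcp", is left in place, which is the behaviour the shared-port question above asks for.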
 
09-04-2008, 02:58 PM
James Dinkel

On Thu, Sep 4, 2008 at 5:11 AM, Didier Roche <didrocks@gmail.com> wrote:

> What happens if another package uses the same port and had it opened (with
> ufw profile integration)? Is the port still open on the firewall (which is
> what we really want)?
I would say leave the ports open and leave the profile files. Leave it up to the user to manage the firewall. If the package is removed, it's not going to be listening on those ports any more anyway.


James

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
 
09-04-2008, 03:02 PM
Cody A.W. Somerville

On Thu, Sep 4, 2008 at 11:58 AM, James Dinkel <jdinkel@gmail.com> wrote:

> I would say leave the ports open and leave the profile files. Leave it up
> to the user to manage the firewall. If the package is removed, it's not
> going to be listening on those ports any more anyway.

Why don't we just leave all ports open then? :P

--
Cody A.W. Somerville
Software Systems Release Engineer

Custom Engineering Solutions Group
Canonical OEM Services
Cell: 506-449-5899
Email: cody.somerville@canonical.com


 
 
09-04-2008, 03:39 PM
Soren Hansen

On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> I would say leave the ports open and leave the profile files. Leave
> it up to the user to manage the firewall. If the package is removed,
> it's not going to be listening on those ports any more anyway.

If "not listening" was sufficient, there'd be little point in having a
firewall in the first place, wouldn't there?

--
Soren Hansen |
Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
 
 
09-04-2008, 03:58 PM
James Dinkel

On Thu, Sep 4, 2008 at 10:39 AM, Soren Hansen <soren@ubuntu.com> wrote:

> On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> > I would say leave the ports open and leave the profile files. Leave
> > it up to the user to manage the firewall. If the package is removed,
> > it's not going to be listening on those ports any more anyway.
>
> If "not listening" was sufficient, there'd be little point in having a
> firewall in the first place, wouldn't there?

Well, 'not listening' _should_ be sufficient; however, I prefer (and suggest) using a firewall as an extra layer of protection. I must have been mistaken: I did not realize we were debating the merits of a firewall, only whether or not packages should automatically change firewall rules. Of course, if I trusted packages to manage opening and closing their own firewall rules, then I might as well trust them to listen or not on those ports, so in that case, yes, there would be little point in having a firewall in the first place.


James

On Thu, Sep 4, 2008 at 10:02 AM, Cody A.W. Somerville <cody-somerville@ubuntu.com> wrote:

> Why don't we just leave all ports open then? :P

Well, for a long time that was the standard setup for Ubuntu. As I mentioned above though, I would suggest using a firewall with all ports blocked by default as an additional layer of protection.


 
 
09-04-2008, 09:55 PM
Luke L

Should package integration be disabled by default? I know a lot of Linux people who are a little unsettled by how much Ubuntu attempts to automate things, without users' control or knowledge. Not all those arguments hold water, but if a firewall were opening and closing ports on a system without the admin's express, explicit consent, it could quickly drive away the users this could benefit.


As the disclaimer goes with EVERY post I make to the MLs here: I am not an expert, and I am not an active developer here. I am asking that it be considered, if it hasn't already, that package integration be an optional, if not disabled-by-default, feature. Let the admin know (with confirmation) that package integration is on, and that the OS will attempt to "intelligently" (emphasis on quotes) adjust firewall settings based on installed programs.


It could be argued that if someone wants full control over their firewall they could just use iptables, but meh.

On Thu, Sep 4, 2008 at 10:58 AM, James Dinkel <jdinkel@gmail.com> wrote:

> Well, 'not listening' _should_ be sufficient; however, I prefer (and
> suggest) using a firewall as an extra layer of protection. [...]
>
> Well, for a long time that was the standard setup for Ubuntu. As I
> mentioned above though, I would suggest using a firewall with all ports
> blocked by default as an additional layer of protection.

--
Luke L.

