Old 09-04-2008, 09:55 PM
"Luke L"
 
ufw package integration

Should package integration be disabled by default? I know a lot of Linux people who are a little unsettled by how much Ubuntu attempts to automate things, without users' control or knowledge. Not all those arguments hold water, but if a firewall were opening and closing ports on a system without the admin's express, explicit consent, it could quickly drive away the users this could benefit.


As the disclaimer goes with EVERY post I make to the MLs here: I am not an expert, and I am not an active developer here. I am asking that it be considered, if it hasn't already, that package integration be an optional, if not disabled-by-default, feature. Let the admin know (with confirmation) that package integration is on, and that the OS will attempt to "intelligently" (emphasis on quotes) adjust firewall settings based on installed programs.


It could be argued that if someone wants full control over their firewall they could just use iptables, but meh.

On Thu, Sep 4, 2008 at 10:58 AM, James Dinkel <jdinkel@gmail.com> wrote:
> On Thu, Sep 4, 2008 at 10:39 AM, Soren Hansen <soren@ubuntu.com> wrote:
>> On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
>> > I would say leave the ports open and leave the profile files. Leave
>> > it up to the user to manage the firewall. If the package is removed,
>> > it's not going to be listening on those ports any more anyway.
>>
>> If "not listening" was sufficient, there'd be little point in having a
>> firewall in the first place, wouldn't there?
>>
>> --
>> Soren Hansen
>
> Well, 'not listening' _should_ be sufficient, however I prefer (and suggest) to use a firewall as an extra layer of protection. I must have been mistaken, I did not realize we were debating the merits of a firewall, only whether or not packages should automatically change firewall rules. Of course, if I trusted packages to manage opening and closing their own firewall rules, then I might as well trust them to listen or not on those ports, so in that case then yes there would be little point in having a firewall in the first place.
>
> James
>
> On Thu, Sep 4, 2008 at 10:02 AM, Cody A.W. Somerville <cody-somerville@ubuntu.com> wrote:
>> Why don't we just leave all ports open then? :P
>>
>> --
>> Cody A.W. Somerville
>
> Well, for a long time that was the standard setup for Ubuntu. As I mentioned above though, I would suggest using a firewall with all ports blocked by default as an additional layer of protection.
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam

--
Luke L.


--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
Old 09-05-2008, 01:15 AM
Silvio Fonseca
 
ufw package integration

On Thursday 04 September 2008 18:55:41 Luke L wrote:
I second that. I'm also a new guy here but consider these two small examples:

- When you install a DNS server (e.g. bind), it listens on UDP 53 for normal
DNS requests and TCP 53 for zone transfer requests. The package could not
possibly know who should be allowed to query or transfer zones to/from this
server.

- When you install a Mail server (e.g. postfix), again, the package can't know if
this is just an internal mail server, a relay for a specific server pool or a
public server.

If I enable ufw it is because I want to protect a service; it is of no use if the
package itself opens up the ports.

With that said, it will be of great help if the package can provide a template
with the ports used by the package so the admin can just adjust the rules and
enable the protection.

Just my 2 cents.

Silvio Fonseca

> Should package integration be disabled by default? I know a lot of Linux
> people who are a little unsettled by how much Ubuntu attempts to automate
> things, without users' control or knowledge. Not all those arguments hold
> water, but if a firewall were opening and closing ports on a system without
> the admin's express, explicit consent, it could quickly drive away the
> users this could benefit.
>
> As the disclaimer goes with EVERY post I make to the MLs here: I am not an
> expert, and I am not an active developer here. I am asking that it be
> considered, if it hasn't already, that package integration be an optional,
> if not disabled-by-default, feature. Let the admin know (with confirmation)
> that package integration is on, and that the OS will attempt to
> "inetlligently" (emphasis on quotes) adjust firewall settings based on
> installed programs.
>
> It could be argued that if someone wants full control over their firewall
> they could just use iptables, but meh.
>
> On Thu, Sep 4, 2008 at 10:58 AM, James Dinkel <jdinkel@gmail.com> wrote:
> > On Thu, Sep 4, 2008 at 10:39 AM, Soren Hansen <soren@ubuntu.com> wrote:
> >> On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> >> > I would say leave the ports open and leave the profile files. Leave
> >> > it up to the user to manage the firewall. If the package is removed,
> >> > it's not going to be listening on those ports any more anyway.
> >>
> >> If "not listening" was sufficient, there'd be little point in having a
> >> firewall in the first place, wouldn't there?
> >>
> >> --
> >> Soren Hansen
> >
> > Well, 'not listening' _should_ be sufficient, however I prefer (and
> > suggest) to use a firewall as an extra layer of protection. I must have
> > been mistaken, I did not realize we were debating the merits of a
> > firewall, only whether or not packages should automatically change
> > firewall rules. Of course, if I trusted packages to manage opening and
> > closing their own firewall rules, then I might as well trust them to
> > listen or not on those ports, so in that case then yes there would be
> > little point in having a firewall in the first place.
> >
> > James
> >
> > On Thu, Sep 4, 2008 at 10:02 AM, Cody A.W. Somerville <
> >
> > cody-somerville@ubuntu.com> wrote:
> >> Why don't we just leave all ports open then? :P
> >>
> >> --
> >> Cody A.W. Somerville <cody.somerville@canonical.com>
> >
> > Well, for a long time that was the standard setup for Ubuntu. As I
> > mentioned above though, I would suggest using a firewall with all ports
> > blocked by default as an additional layer of protection.
> >
> >

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-05-2008, 01:31 AM
"Chris Martin"
 
ufw package integration

Not listening is sufficient - that is the point
Having a firewall that is automatically updated as packages are installed is
dangerous. This is similar to UPnP and not the right way to do security

By having all packages automatically update the firewall - you may as well
not have a firewall

Just because a HTTP server is installed it doesn't mean that it should be
accessible. The decision to open the firewall should be a separate action

Often packages get installed that are only intended to be accessed via a
single interface on machines with multiple interfaces or via local host ONLY

It really defeats the purpose of having a firewall if the ports are opened
automatically

---------------------------------
Chris Martin
e: chris@martin.name
m: +61(0)419812371
---------------------------------
-----Original Message-----
From: ubuntu-devel-bounces@lists.ubuntu.com
[mailto:ubuntu-devel-bounces@lists.ubuntu.com] On Behalf Of Soren Hansen
Sent: Friday, 5 September 2008 1:39 AM
To: ubuntu-server@lists.ubuntu.com; ubuntu-hardened@lists.ubuntu.com;
ubuntu-devel@lists.ubuntu.com
Subject: Re: ufw package integration

On Thu, Sep 04, 2008 at 09:58:40AM -0500, James Dinkel wrote:
> I would say leave the ports open and leave the profile files. Leave
> it up to the user to manage the firewall. If the package is removed,
> it's not going to be listening on those ports any more anyway.

If "not listening" was sufficient, there'd be little point in having a
firewall in the first place, wouldn't there?

--
Soren Hansen |
Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/


--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-05-2008, 06:38 AM
Soren Hansen
 
ufw package integration

On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
> Not listening is sufficient - that is the point
> Having a firewall that is automatically updated as packages are installed is
> dangerous. This is similar to UPnP and not the right way to do security
>
> By having all packages automatically update the firewall - you may as well
> not have a firewall
>
> Just because a HTTP server is installed it doesn't mean that it should be
> accessible. The decision to open the firewall should be a separate action
>
> Often packages get installed that are only intended to be accessed via a
> single interface on machines with multiple interfaces or via local host ONLY
>
> It really defeats the purpose of having a firewall if the ports are opened
> automatically

Unless I'm much mistaken here, all that's being discussed is *closing*
ports when you uninstall the package that "owned" the ports in question.

--
Soren Hansen |
Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
Old 09-05-2008, 06:51 AM
"Didier Roche"
 
ufw package integration

(Sorry for the top post, as gmail seems to be used to it...)

On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
> Not listening is sufficient - that is the point
> Having a firewall that is automatically updated as packages are installed is
> dangerous. This is similar to UPnP and not the right way to do security
>
> By having all packages automatically update the firewall - you may as well
> not have a firewall
>
> Just because a HTTP server is installed it doesn't mean that it should be
> accessible. The decision to open the firewall should be a separate action
>
> Often packages get installed that are only intended to be accessed via a
> single interface on machines with multiple interfaces or via local host ONLY
>
> It really defeats the purpose of having a firewall if the ports are opened
> automatically

Hum, no. From what I understand, ufw allows different application policies for package integration. The default policy is SKIP[1], so no rules are automatically added to the firewall. You can set it to ALLOW or DENY to automatically add rules to your firewall when installing a package.

My tests when working on adding ufw integration to various packages confirmed that.

> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

Yes, the subject has diverged. Now that the previous point is - I think - solved, let's go on to the closing port question when removing/purging a package.

Didier

[1] https://wiki.ubuntu.com/UbuntuFirewall#Package%20Integration


--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-05-2008, 06:57 AM
Nick Barcet
 
ufw package integration

Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous. This is similar to UPnP and not the right way to do security
>>
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>>
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible. The decision to open the firewall should be a separate action
>>
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>>
>> It really defeats the purpose of having a firewall if the ports are opened
>> automatically
>
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

We were, indeed, and if I quote Jamie's original email that started this
thread:

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> Users could then do:
> $ sudo ufw allow Apache

it seems clear that port WILL NOT be opened automatically. It will
require the user's intervention.

Nick

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
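Silvio's "template with the ports used by the package", the /etc/ufw/applications.d file in Jamie's mail that Nick quotes, and the SKIP/ALLOW/DENY policy Didier mentions are all the same mechanism: a ufw application profile. The script below is an added example for this thread, not code from any of the posts or from ufw itself. It parses a constructed profile file in ufw's INI format, reads the DEFAULT_APPLICATION_POLICY setting that ufw keeps in /etc/default/ufw (shipped as "skip"), and reports for each profile whether package integration would add a rule on its own or whether the ports stay closed until the admin runs `ufw allow <Profile>`. The sample profile and defaults text are constructed inline; the mapping of the file's accept/drop/reject values onto ufw's allow/deny/reject rule verbs and the audit function are this example's own, not ufw's API.

```python
"""Audit ufw application profiles against the package-integration policy.

Added example, not code from the thread or from ufw. Reads the INI-style
profile format ufw loads from /etc/ufw/applications.d ("[Apache]" with
"ports=80/tcp", as in Jamie's quoted mail) plus DEFAULT_APPLICATION_POLICY
from /etc/default/ufw, and reports what happens to each profile's ports.
"""
import configparser
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/ufw/applications.d/* contents (ufw's own fields).
SAMPLE_PROFILES = """\
[Apache]
title=Web Server
description=Apache v2 web server; declares only the port it listens on.
ports=80/tcp

[Bind9]
title=BIND 9 DNS server
description=Queries on udp/53, zone transfers on tcp/53.
ports=53
"""

# Constructed excerpt of /etc/default/ufw; "skip" is ufw's shipped default.
SAMPLE_DEFAULTS = """\
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP.
DEFAULT_APPLICATION_POLICY="skip"
"""

PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")   # 80 or 6000:6007


@dataclass(frozen=True)
class Profile:
    name: str
    ports: Tuple[Tuple[str, str], ...]   # (port-or-range, proto) pairs


def _check_port(spec: str) -> None:
    """Reject anything that is not a port or low:high range within 1..65535."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"malformed port spec {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range {spec!r}")


def parse_profiles(text: str) -> List[Profile]:
    """Parse one applications.d file. The 'ports' field is '|'-separated;
    each entry is PORT[,PORT...][/PROTO] or LOW:HIGH/PROTO. No protocol
    means both tcp and udp (as in ufw's Bind9 profile)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = []
    for section in cp.sections():
        pairs = []
        for entry in cp[section]["ports"].split("|"):
            entry = entry.strip()
            if "/" in entry:
                spec, proto = entry.split("/", 1)
                protos = [proto.lower()]
            else:
                spec, protos = entry, ["tcp", "udp"]
            if any(p not in ("tcp", "udp") for p in protos):
                raise ValueError(f"unknown protocol in {entry!r}")
            for port in spec.split(","):
                _check_port(port)
                pairs.extend((port, p) for p in protos)
        profiles.append(Profile(section, tuple(pairs)))
    return profiles


def application_policy(defaults_text: str) -> str:
    """DEFAULT_APPLICATION_POLICY from /etc/default/ufw; 'skip' if absent."""
    m = re.search(r'^DEFAULT_APPLICATION_POLICY="?(\w+)"?', defaults_text, re.M)
    return m.group(1).lower() if m else "skip"


def rule_on_install(profile: Profile, policy: str) -> Optional[str]:
    """Rule package integration would add for a new profile under 'policy'.
    None under 'skip': nothing is added and the admin must act. The
    accept/drop/reject -> allow/deny/reject mapping is this example's."""
    verb = {"accept": "allow", "drop": "deny", "reject": "reject"}.get(policy)
    return None if verb is None else f"ufw {verb} {profile.name}"


def audit(profiles: List[Profile], policy: str,
          admin_rules: List[str]) -> Dict[str, str]:
    """Per profile: auto-added rule, existing admin rule, or nothing (ports
    then stay closed under ufw's default deny-incoming policy)."""
    report = {}
    for p in profiles:
        auto = rule_on_install(p, policy)
        if auto:
            report[p.name] = f"auto: {auto}"
        elif any(r.split()[-1] == p.name for r in admin_rules):
            report[p.name] = "admin rule present"
        else:
            report[p.name] = "no rule (ports stay closed)"
    return report


if __name__ == "__main__":
    policy = application_policy(SAMPLE_DEFAULTS)
    # "ufw allow Apache" is a constructed admin rule, per Jamie's example.
    for name, status in audit(parse_profiles(SAMPLE_PROFILES), policy,
                              ["ufw allow Apache"]).items():
        print(f"{name:8} {status}")
```

With the shipped "skip" policy the report shows Apache as covered only by the admin's explicit rule and Bind9 as closed, which is the behaviour Didier describes; switching the constructed defaults to "accept" makes every installed profile's rule appear as auto-added, which is the situation Chris and Silvio object to.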
 
