Old 09-05-2008, 06:57 AM
Nick Barcet
 
Default ufw package integration

Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous. This is similar to UPnP and not the right way to do security
>>
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>>
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible. The decision to open the firewall should be a separate action
>>
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>>
>> It really defeats the purpose of having a firewall if the ports are opened
>> automatically
>
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

We were, indeed, and if I quote Jamie's original email that started this
thread:

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> Users could then do:
> $ sudo ufw allow Apache

it seems clear that the port WILL NOT be opened automatically. It will
require the user's intervention.

Nick

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
Old 09-05-2008, 03:09 PM
Jamie Strandboge
 
Default ufw package integration

On Wed, 03 Sep 2008, Steve Langasek wrote:

> On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> > With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> > application (package) integration. This allows packages to declare their
> > ports and protocols to ufw, so users can specify an application profile
> > when adding and removing rules. Application profiles can be thought of
> > as simply port/protocol groups that are referenced by name.
>
> > For example, when apache is installed, it could add a file to
> > /etc/ufw/applications.d which declares it as running on tcp port 80.
>
> If the files are installed in /etc/, then they have to be config files
> (conffiles or otherwise). Config files are left installed when packages are
> removed, and deleted only on package purge. How does this design prevent
> leaving ports open when the package that they legitimately correspond to is
> no longer installed?
>

This is (of course) correct. If the user decides to create a rule using
the profile, then on removal or purge the rule is not removed.
Application rules are no different than regular rules in this regard.
E.g., these are equivalent:

# ufw allow 80/tcp
# ufw allow Apache

ufw tries to not make firewall policy decisions on behalf of the user on
package installation, and does not open any ports on package install. As
such, just like opening tcp port 80 is opt in, using application profile
'Apache' is also opt in.

ufw handles the purge of an application gracefully and will still
display the rule via 'ufw status' as if the package was still installed.

Jamie

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-05-2008, 03:12 PM
Jamie Strandboge
 
Default ufw package integration

On Thu, 04 Sep 2008, James Dinkel wrote:

> I would say leave the ports open and leave the profile files. Leave it up
> to the user to manage the firewall. If the package is removed, it's not
> going to be listening on those ports any more anyway.
>

This is almost what happens. The profile files are conffiles, so they
are removed on purge. However, users can still a) see the application
rule via 'ufw status' and b) still delete the application rule by using
the profile name.

Jamie

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-05-2008, 03:38 PM
Jamie Strandboge
 
Default ufw package integration

On Thu, 04 Sep 2008, Luke L wrote:

> Should package integration be disabled by default?

There is confusion as to what 'package integration' actually does. When
I sent the email, this is what it meant:

a) a package can declare itself to ufw via profiles that have various
port/protocol combinations
b) a user can use profile names in rules in addition to port/protocol
combinations
c) an administrator can set the 'default application policy' to be one
of 'skip', 'allow' or 'deny'. This affects what happens when
'ufw app update --add-new <profile>' is run. 'skip' is the default
and will *under no circumstances* add any rules to the firewall. Only
if the default application policy is changed away from 'skip' will
any rules be added
d) with the above in place, I had written a section in UbuntuFirewall which
used 'ufw app update --add-new <profile>' in postinst, so that *if* an
administrator decided to change the default policy to something other
than 'skip', rules could be automatically added on installation.

However, after posting the email, I decided that using dpkg triggers was
the way to go (thanks Colin Watson!), and as such, 'update --add-new' is
no longer used in Ubuntu packaging, so it is not possible to open any
ports via package integration at this time (when functionality in dpkg
triggers is added, this may change in the future). All applications in
Ubuntu that supply application profiles take advantage of dpkg triggers.

Bottom line: 'a' and 'b' are the common use cases, and using package
integration is completely opt in.

Jamie

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
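The two posts above describe the model in prose: a profile is a named port/protocol group, `ufw allow Apache` and `ufw allow 80/tcp` are equivalent, a rule stays in place when the profile's conffile is purged, and `ufw app update --add-new` adds nothing while the default application policy is 'skip'. The following Python is an added toy model written for this archive page; it is not ufw's code and does not touch iptables. The profile text, the `Firewall` class and its method names are constructed for the example; the `/etc/ufw/applications.d` INI layout (one section per profile, `ports=` entries separated by `|`) is the real file format, while the treatment of a port with no protocol as both tcp and udp is this model's assumption.

```python
"""Toy model of ufw application profiles and the rule lifecycle.

Added example, not ufw's code: it models the behaviour described in the
thread (profiles are named port/protocol groups, rules are stored as the
admin typed them, purging a profile conffile does not remove rules).
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed profile text in the style of /etc/ufw/applications.d files
# (one INI section per profile; 'ports' separates entries with '|').
SAMPLE_PROFILES = """\
[Apache]
title=Web Server
description=Constructed example profile
ports=80/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Constructed example profile
ports=80,443/tcp

[Bind9]
title=DNS server
description=Constructed example profile
ports=53
"""


def expand_entry(entry: str) -> List[str]:
    """Expand one 'ports' entry into port/proto strings.

    '80,443/tcp' -> ['80/tcp', '443/tcp']; an entry without a protocol
    ('53') covers both tcp and udp in this model (assumption).
    """
    if "/" in entry:
        ports, proto = entry.rsplit("/", 1)
        protos = [proto.strip()]
    else:
        ports, protos = entry, ["tcp", "udp"]
    return [f"{p.strip()}/{pr}" for p in ports.split(",") for pr in protos]


def parse_profiles(text: str) -> Dict[str, List[str]]:
    """Parse applications.d-style text into {profile name: [port/proto, ...]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles: Dict[str, List[str]] = {}
    for name in cp.sections():
        entries = [e.strip() for e in cp[name]["ports"].split("|") if e.strip()]
        profiles[name] = [pp for e in entries for pp in expand_entry(e)]
    return profiles


class Firewall:
    """Rules are kept as the administrator typed them (profile name or port/proto)."""

    def __init__(self, profiles: Dict[str, List[str]]) -> None:
        self.profiles = dict(profiles)                      # installed conffiles
        self.rules: List[Tuple[str, str, List[str]]] = []   # (action, spec, ports)
        self.default_app_policy = "skip"                    # 'skip' | 'allow' | 'deny'

    def _resolve(self, spec: str) -> List[str]:
        # A profile name expands to its group; anything else is a port/proto.
        return list(self.profiles[spec]) if spec in self.profiles else expand_entry(spec)

    def add_rule(self, action: str, spec: str) -> List[str]:
        """'ufw allow Apache' / 'ufw allow 80/tcp': returns the ports the rule covers."""
        ports = self._resolve(spec)
        if (action, spec) not in [(a, s) for a, s, _ in self.rules]:
            self.rules.append((action, spec, ports))
        return ports

    def delete_rule(self, action: str, spec: str) -> bool:
        """'ufw delete allow Apache' still works by name after the profile is gone."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if (r[0], r[1]) != (action, spec)]
        return len(self.rules) != before

    def purge_profile(self, name: str) -> None:
        """Package purge removes the conffile; rules referencing it are untouched."""
        self.profiles.pop(name, None)

    def status(self) -> List[str]:
        """What 'ufw status' would list: each rule under the name it was added as."""
        return [f"{action} {spec}" for action, spec, _ in self.rules]

    def allowed_ports(self) -> List[str]:
        """Ports currently opened by allow rules, whether or not the profile exists."""
        return sorted({p for a, _, ports in self.rules if a == "allow" for p in ports})

    def app_update_add_new(self, name: str) -> Optional[str]:
        """Model of 'ufw app update --add-new <profile>': adds nothing under 'skip'."""
        if name not in self.profiles:
            raise KeyError(f"no profile named {name!r}")
        if self.default_app_policy == "skip":
            return None
        self.add_rule(self.default_app_policy, name)
        return f"{self.default_app_policy} {name}"


if __name__ == "__main__":
    fw = Firewall(parse_profiles(SAMPLE_PROFILES))
    fw.add_rule("allow", "Apache")
    fw.purge_profile("Apache")          # e.g. 'apt-get purge apache2'
    print(fw.status(), fw.allowed_ports())
```

The point the model makes visible: the rule's ports are captured when the administrator adds the rule, so purging the profile changes nothing about what is open, and the only way the rule leaves the firewall is an explicit `delete_rule`, mirroring Jamie's description of `ufw status` and deletion by profile name after purge.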
 
Old 09-05-2008, 03:53 PM
Jamie Strandboge
 
Default ufw package integration

On Fri, 05 Sep 2008, Jamie Strandboge wrote:

> This is (of course) correct. If the user decides to create a rule using
> the profile, then on removal or purge the rule is not removed.
> Application rules are no different than regular rules in this regard.
> Eg, these are equivalent:
>
> # ufw allow 80/tcp
> # ufw allow Apache
>
> ufw tries to not make firewall policy decisions on behalf of the user on
> package installation, and does not open any ports on package install. As
> such, just like opening tcp port 80 is opt in, using application profile
> 'Apache' is also opt in.
>
> ufw handles the purge of an application gracefully and will still

Also, the decision to *not* remove rules on package purge and/or removal
is because that would undo in packaging what an administrator had
explicitly added to his/her firewall outside of packaging. This is making
an administrative decision for the user that IMO ufw and its packaging is
not equipped to make properly.

There is an argument for removing the rules if the default application
policy was changed from 'skip' *and* the packaging adds profiles via
'update --add-new'. However, this is not what is currently happening in
packaging and can be discussed if this happens at some future date (see
other email regarding this).

Jamie

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
