ufw package integration
With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports application (package) integration. This allows packages to declare their ports and protocols to ufw, so users can specify an application profile when adding and removing rules. Application profiles can be thought of as simply port/protocol groups that are referenced by name.

For example, when apache is installed, it could add a file to /etc/ufw/applications.d which declares it as running on tcp port 80. Users could then do:

  $ sudo ufw allow Apache

The equivalent non-profile command is:

  $ sudo ufw allow 80/tcp

While this is somewhat more convenient for users, things get more interesting when packages declare multiple profiles, e.g. 'Apache', 'Apache Secure' and 'Apache Full', which could correspond to 80/tcp, 443/tcp and 80,443/tcp respectively. This becomes even more useful when an application has several port/protocol combinations, such as Samba, which might declare 137,138/udp and 139,445/tcp.

ufw also allows changing a profile, then updating all rules referencing the profile. E.g., say an administrator adds a profile called 'Custom Web App', which listens on 8080/tcp. A user then runs "ufw allow 'Custom Web App'". Later the administrator adds 8081/tcp. A user can then run "ufw app update 'Custom Web App'", which will update the firewall to allow both 8080/tcp and 8081/tcp.

Finally, ufw can be configured to automatically add a rule when a user runs 'ufw app update --add-new <profile>'. The default policy for the new rule is configured using 'ufw app default <policy>'. The default policy is 'skip', which will not add a new rule automatically; 'allow' and 'deny' are the other choices.

Technically, groupings are accomplished by using the iptables '-m comment' option. All grouped rules have the same comment, which references the profile name, which avoids collisions. Added rules still remain after profile removal and users can delete rules referencing these removed profiles. Application integration can be used with ufw's simple and extended syntax.

See 'man ufw' and [1] for details and status. Help is needed in adding profiles to various packages. The changes needed and testing procedures are documented in [2], while some targeted packages are listed in [3]. This is a great way to get involved and improve one's packaging skills. Please create new bug reports with debdiffs attached, and I or someone from the Ubuntu Server team can upload the updated package.

Thanks and enjoy!

Jamie

[1] https://wiki.ubuntu.com/UbuntuFirewall
[2] https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages
[3] https://wiki.ubuntu.com/ServerTeam/Roadmap#UFW%20Package%20Integration

-- 
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
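The profile files and the port/protocol grouping described in the post above, as an added example that is not part of the original message and not ufw's own code. It assumes the applications.d file format is INI-style (one [Profile Name] section per profile with title=, description= and ports= fields, port/proto groups joined by '|' and ports within a group joined by ','); the Apache and Samba profiles it writes are constructed sample data in a temporary directory, and nothing below runs ufw or iptables. Besides looking profiles up, it expands a profile into the individual port/proto rules that 'ufw allow <profile>' stands for and prints the short "Opening ..." summary that James asks for later in this thread.

```shell
#!/bin/sh
# Added example (not from the thread, not ufw's own code): what an
# /etc/ufw/applications.d profile file looks like and how a profile name
# expands to the individual port/proto rules 'ufw allow <profile>' would add.
#
# Assumption: profile files are INI-style, one [Profile Name] section per
# profile with title=, description= and ports= fields; ports= holds
# port/proto groups joined by '|', ports inside a group joined by ','.
# The profile files below are constructed sample data written to a temp
# directory; nothing here runs ufw or iptables.

set -eu

APPDIR="$(mktemp -d)"
trap 'rm -rf "$APPDIR"' EXIT

# Constructed profiles modelled on the Apache and Samba examples in the post.
cat > "$APPDIR/apache2" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 web server (HTTP only)
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 web server (HTTPS only)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server (HTTP and HTTPS)
ports=80,443/tcp
EOF

cat > "$APPDIR/samba" <<'EOF'
[Samba]
title=LanManager-like file/printer server
description=SMB/CIFS file and print sharing
ports=137,138/udp|139,445/tcp
EOF

# profile_ports DIR NAME: print the raw ports= value of profile NAME from
# whichever file in DIR declares it; non-zero status if no file does.
profile_ports() {
    dir="$1" name="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v want="[$name]" '
            $0 == want          { inside = 1; next }
            /^\[/               { inside = 0 }
            inside && /^ports=/ { sub(/^ports=/, ""); print; found = 1; exit }
            END                 { exit !found }
        ' "$f" && return 0
    done
    return 1
}

# expand_ports SPEC: turn '137,138/udp|139,445/tcp' into one rule per line
# (137/udp 138/udp 139/tcp 445/tcp); a range such as 6000:6010/tcp is kept
# as a single rule.
expand_ports() {
    printf '%s\n' "$1" | tr '|' '\n' | while IFS=/ read -r ports proto; do
        printf '%s\n' "$ports" | tr ',' '\n' | while IFS= read -r p; do
            printf '%s/%s\n' "$p" "$proto"
        done
    done
}

# allow_preview DIR NAME: a one-line "Opening 80,443/tcp" style summary of
# what 'ufw allow NAME' covers; port/proto groups are space separated.
allow_preview() {
    spec="$(profile_ports "$1" "$2")" || {
        echo "ERROR: no profile named '$2' in $1" >&2
        return 1
    }
    printf 'Opening %s\n' "$spec" | tr '|' ' '
}

for name in Apache 'Apache Full' Samba; do
    echo "\$ sudo ufw allow '$name'"
    allow_preview "$APPDIR" "$name"
    expand_ports "$(profile_ports "$APPDIR" "$name")" | sed 's/^/  rule: /'
done
```

Because profile_ports searches every file in the directory, a profile name declared by two different packages would be resolved to whichever file sorts first; real deployments should keep profile names unique across packages, which is also what the shared iptables comment relies on.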
ufw package integration
On Tue, Aug 19, 2008 at 4:05 PM, Jamie Strandboge <jamie@canonical.com> wrote:
> With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> application (package) integration. This allows packages to declare their
<snip>

Jamie

This sounds like a good idea. I can tell you it took me a while to figure out what ports Samba needed. I had googled for it, and apparently found inaccurate or old information (this was before I knew about netstat). Anyway, this should make it much simpler.

I do have one suggestion though. I am the type of sysadmin who likes to know exactly what is going on with his system (which is probably why I generally like text editing config files over gui interfaces), so it would be nice if a short message after running the command would tell you what ports were being opened (I know I could just look over the config file, but to make things easier...). Such as:

  $ sudo ufw allow Apache-Full
  Opening 80,443/tcp

This would give me some peace of mind to know it is opening the ports I want, and also be convenient for services with unknown ports in case I would need to open those ports on an external firewall appliance.

James
ufw package integration
On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> application (package) integration. This allows packages to declare their
> ports and protocols to ufw, so users can specify an application profile
> when adding and removing rules. Application profiles can be thought of
> as simply port/protocol groups that are referenced by name.

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.

If the files are installed in /etc/, then they have to be config files (conffiles or otherwise). Config files are left installed when packages are removed, and deleted only on package purge. How does this design prevent leaving ports open when the package that they legitimately correspond to is no longer installed?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
ufw package integration
On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> How does this design prevent leaving ports open when the package that
> they legitimately correspond to is no longer installed?

I think we can (if it's not already preventing it) add a command on .postrm that disables it on ufw. In the end these files are just for declaring profiles, not enabling or opening any port; they just describe a service's ports so the user doesn't need to care about them, just enable that service on ufw. So we don't need to care about those files opening any port, but about disabling them on ufw after removing.

-- 
aka nxvl
Key fingerprint = BCE4 27A0 D03E 55DE DA2D BE06 891D 8DEE 6545 97FE
gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
ufw package integration
On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> > With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> > application (package) integration. This allows packages to declare their
> > ports and protocols to ufw, so users can specify an application profile
> > when adding and removing rules. Application profiles can be thought of
> > as simply port/protocol groups that are referenced by name.
>
> > For example, when apache is installed, it could add a file to
> > /etc/ufw/applications.d which declares it as running on tcp port 80.
>
> If the files are installed in /etc/, then they have to be config files
> (conffiles or otherwise). Config files are left installed when packages are
> removed, and deleted only on package purge. How does this design prevent
> leaving ports open when the package that they legitimately correspond to is
> no longer installed?

Something similar as for initscripts, which also linger around?

  test -e $DAEMON || exit 0

-- 
Dennis K.
The universe tends towards maximum irony. Don't push it.
ufw package integration
2008/9/4 Nicolas Valcárcel <nvalcarcel@ubuntu.com>
> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> > How does this design prevent leaving ports open when the package that
> > they legitimately correspond to is no longer installed?
>
> I think we can (if it's not already preventing it) add a command on
> .postrm that disables it on ufw. In the end these files are just for
> declaring profiles, not enabling or opening any port; they just describe
> a service's ports so the user doesn't need to care about them, just
> enable that service on ufw. So we don't need to care about those files
> opening any port, but about disabling them on ufw after removing.

The issue is more complex than that, because you do not know which profile is currently loaded (there can be more than one profile per package; a typical example is Apache, which has 3 profiles: one for port 80, one for 443 and the last one for both of them).

An idea might be to force (without looking at the error in case the profile is not associated to a rule) the removal of the corresponding rules by doing "sudo ufw delete allow <profile>" on all profiles of the package (and even "sudo ufw delete deny <profile>"/"sudo ufw delete limit <profile>". Maybe a "sudo ufw delete any_policy <profile>" would be a good new command).

What is the case if another package uses the same port and had it opened (with ufw profile integration)? Is the port still open on the firewall (which is what we really want)?

PS: Sorry Nicolas. I really have to get rid of gmail with its ML management...
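A sketch of the postrm clean-up Didier proposes above, as an added example that is not from the thread and not an official ufw or Ubuntu packaging hook. On 'remove' or 'purge' it runs 'ufw delete <allow|deny|limit> <profile>' for every profile the package's own applications.d file declares, ignores the failures for profiles that have no rule, and does nothing when ufw is absent (the same 'test -e $DAEMON || exit 0' idiom Dennis mentions for init scripts). It assumes the package's profiles live in $APPDIR/<package> with one [Profile Name] section per profile, and that the delete forms take a profile name the way 'ufw allow <profile>' does; UFW and APPDIR are overridable so run_demo can exercise the logic against a constructed profile file and a stub ufw that only records its arguments. Whether a rule another package added for the same port under its own profile survives such a delete is Didier's open question, and this example does not answer it.

```shell
#!/bin/sh
# Added example (not from the thread, not an official ufw or Ubuntu
# packaging hook): a postrm-style clean-up in the spirit of Didier's
# proposal. On 'remove' or 'purge' it runs
#   ufw delete <allow|deny|limit> <profile>
# for every profile the package's own applications.d file declares,
# ignoring failures for profiles that have no rule, and does nothing at
# all when ufw is not present.
#
# Assumptions (mine, not the thread's): the package's profiles live in
# $APPDIR/<package> with one [Profile Name] section per profile, and
# 'ufw delete allow|deny|limit <profile>' take a profile name the way
# 'ufw allow <profile>' does. UFW and APPDIR are overridable so the logic
# can be exercised against a stub without touching a real firewall.

set -eu

PKG="${PKG:-apache2}"
UFW="${UFW:-ufw}"
APPDIR="${APPDIR:-/etc/ufw/applications.d}"

# package_profiles FILE: print the profile names ([section] headers) in
# FILE; nothing if FILE is absent (e.g. already purged).
package_profiles() {
    [ -f "$1" ] || return 0
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# remove_package_rules PKG: delete any allow, deny or limit rule that
# references one of PKG's profiles. ufw errors (no such rule, ufw not
# enabled) are ignored so the maintainer script never fails on them.
remove_package_rules() {
    # Same idea as 'test -e $DAEMON || exit 0': no ufw, nothing to clean.
    command -v "$UFW" >/dev/null 2>&1 || return 0
    package_profiles "$APPDIR/$1" | while IFS= read -r profile; do
        for action in allow deny limit; do
            "$UFW" delete "$action" "$profile" >/dev/null 2>&1 || true
        done
    done
}

# run_demo: exercise remove_package_rules against a constructed apache2
# profile file and a stub 'ufw' that records its arguments and succeeds
# only for 'delete allow Apache Full'. Prints the recorded calls.
run_demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/bin" "$tmp/applications.d"
    cat > "$tmp/applications.d/apache2" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 web server (HTTP only)
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 web server (HTTPS only)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server (HTTP and HTTPS)
ports=80,443/tcp
EOF
    cat > "$tmp/bin/ufw" <<EOF
#!/bin/sh
# stub ufw: log the call; succeed only for 'delete allow Apache Full'
printf '%s\n' "\$*" >> "$tmp/ufw.log"
[ "\$2" = allow ] && [ "\$3" = "Apache Full" ]
EOF
    chmod +x "$tmp/bin/ufw"
    ( UFW="$tmp/bin/ufw"; APPDIR="$tmp/applications.d"; remove_package_rules apache2 )
    cat "$tmp/ufw.log"
    rm -rf "$tmp"
}

# Maintainer-script style dispatch; with no argument, run the demo instead.
case "${1:-demo}" in
    remove|purge) remove_package_rules "$PKG" ;;
    demo)         run_demo ;;
esac
```

Running the script with no argument prints the nine stub invocations (three actions for each of the three Apache profiles), which is exactly the "delete everything that might reference this package's profiles and ignore the errors" behaviour Didier describes; an 'any_policy' delete in ufw itself would collapse the inner loop to one call per profile.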