Old 08-19-2008, 09:05 PM
Jamie Strandboge
 
Default ufw package integration

With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
application (package) integration. This allows packages to declare their
ports and protocols to ufw, so users can specify an application profile
when adding and removing rules. Application profiles can be thought of
as simply port/protocol groups that are referenced by name.

For example, when apache is installed, it could add a file to
/etc/ufw/applications.d which declares it as running on tcp port 80.
Users could then do:
$ sudo ufw allow Apache

The equivalent non-profile command is:
$ sudo ufw allow 80/tcp

While this is somewhat more convenient for users, things get more
interesting when packages declare multiple profiles, e.g. 'Apache',
'Apache Secure' and 'Apache Full', which could correspond to 80/tcp,
443/tcp and 80,443/tcp respectively. This becomes even more useful when
an application has several port/protocol combinations, such as Samba,
which might declare 137,138/udp and 139,445/tcp.

ufw also allows changing a profile, then updating all rules referencing
the profile. E.g., say an administrator adds a profile called 'Custom Web
App', which listens on 8080/tcp. A user then runs "ufw allow 'Custom Web
App'". Later the administrator adds 8081/tcp. A user can then run "ufw
app update 'Custom Web App'" which will update the firewall to allow
both 8080/tcp and 8081/tcp.

Finally, ufw can be configured to automatically add a rule when a user
runs 'ufw app update --add-new <profile>'. The default policy for the
new rule is configured using 'ufw app default <policy>'. The default
policy is 'skip' which will not add a new rule automatically, as well as
allow and deny.

Technically, groupings are accomplished by using the iptables '-m
comment' option. All grouped rules have the same comment which
references the profile name, which avoids collisions. Added rules still
remain after profile removal and users can delete rules referencing
these removed profiles. Application integration can be used with ufw's
simple and extended syntax. See 'man ufw' and [1] for details and status.

Help is needed in adding profiles to various packages. The changes
needed and testing procedures are documented in [2], while some targeted
packages are listed in [3]. This is a great way to get involved and
improve one's packaging skills. Please create new bug reports with
debdiffs attached, and I or someone from the Ubuntu Server team can
upload the updated package.

Thanks and enjoy!

Jamie

[1] https://wiki.ubuntu.com/UbuntuFirewall
[2] https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages
[3] https://wiki.ubuntu.com/ServerTeam/Roadmap#UFW%20Package%20Integration

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 08-20-2008, 05:15 PM
"James Dinkel"
 
Default ufw package integration

On Tue, Aug 19, 2008 at 4:05 PM, Jamie Strandboge <jamie@canonical.com> wrote:
> With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> application (package) integration. This allows packages to declare their
> <snip>
> Jamie

This sounds like a good idea. I can tell you it took me a while to figure out what ports Samba needed. I had googled for it, and apparently found inaccurate or old information (this was before I knew about netstat). Anyway, this should make it much simpler.

I do have one suggestion though. I am the type of sysadmin who likes to know exactly what is going on with his system (which is probably why I generally like text editing config files over gui interfaces), so it would be nice if a short message after running the command would tell you what ports were being opened (I know I could just look over the config file, but to make things easier...). Such as:

$ sudo ufw allow Apache-Full
Opening 80,443/tcp

This would give me some peace of mind to know it is opening the ports I want, and also be convenient for services with unknown ports in case I would need to open those ports on an external firewall appliance.

James

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
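The profile-to-ports mapping Jamie describes, together with the short "Opening 80,443/tcp" feedback line James asks for, worked through as an added example. This is not ufw's own code and was not posted in the thread; it assumes the [Section] / ports= layout that ufw reads from /etc/ufw/applications.d (with '|' separating port/protocol groups), builds its own constructed sample profile file in a temp file, and its port-spec check (validate_ports) is this example's sanity check rather than ufw's exact validation.

```shell
#!/bin/sh
# Added example, not ufw's own code: read an applications.d-style profile file
# and show which ports a named profile expands to, printing the short
# "Opening 80,443/tcp" line James suggests. The profile file is constructed
# here; its [Section] / ports= layout is the format ufw reads from
# /etc/ufw/applications.d, with '|' separating port/protocol groups.

PROFILE_FILE=$(mktemp)
trap 'rm -f "$PROFILE_FILE"' EXIT
cat >"$PROFILE_FILE" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 web server (constructed sample)
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 web server, HTTPS only (constructed sample)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server, HTTP and HTTPS (constructed sample)
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=Samba file and print server (constructed sample)
ports=137,138/udp|139,445/tcp
EOF

# profile_ports FILE PROFILE: print the ports= value of [PROFILE]; fail if absent.
profile_ports() {
    awk -v want="[$2]" '
        $0 == want          { insec = 1; next }     # entered the wanted section
        /^\[/               { insec = 0 }           # any other header ends it
        insec && /^ports=/  { sub(/^ports=/, ""); print; found = 1; exit }
        END                 { exit (found ? 0 : 1) }
    ' "$1"
}

# validate_ports SPEC: every '|'-separated group must be a port, a port list
# or a range, optionally with /tcp or /udp. This is the example's own sanity
# check (an assumption), not ufw's exact validation.
validate_ports() {
    old_ifs=$IFS
    IFS='|'
    for group in $1; do
        printf '%s\n' "$group" | grep -Eq '^[0-9]+([,:][0-9]+)*(/(tcp|udp))?$' \
            || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# describe_rule FILE PROFILE: the feedback line a user would see before the
# rule is added, so a profile name is never trusted blind.
describe_rule() {
    spec=$(profile_ports "$1" "$2") || { echo "unknown profile: $2" >&2; return 1; }
    validate_ports "$spec" || { echo "malformed ports= in $2: $spec" >&2; return 1; }
    printf 'Opening %s\n' "$(printf '%s' "$spec" | sed 's/|/ and /g')"
}

describe_rule "$PROFILE_FILE" 'Apache Full'   # Opening 80,443/tcp
describe_rule "$PROFILE_FILE" Samba           # Opening 137,138/udp and 139,445/tcp
```

Refusing to describe (and so to open) a profile whose ports= line does not parse is the point of the validate_ports step: a profile file is just a conffile anyone with write access to /etc/ufw/applications.d can edit, so the name alone says nothing about what will be opened.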
 
Old 09-04-2008, 12:33 AM
Steve Langasek
 
Default ufw package integration

On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> application (package) integration. This allows packages to declare their
> ports and protocols to ufw, so user's can specify an application profile
> when adding and removing rules. Application profiles can be thought of
> as simply port/protocol groups that are referenced by name.

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.

If the files are installed in /etc/, then they have to be config files
(conffiles or otherwise). Config files are left installed when packages are
removed, and deleted only on package purge. How does this design prevent
leaving ports open when the package that they legitimately correspond to is
no longer installed?

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek@ubuntu.com             vorlon@debian.org

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-04-2008, 05:41 AM
Nicolas Valcárcel
 
Default ufw package integration

On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> How does this design prevent
> leaving ports open when the package that they legitimately correspond
> to is
> no longer installed?

I think we can (if it's not already preventing it) add a command
on .postrm that disables it on ufw. In the end these files are just for
declaring profiles, not for enabling or opening any port; they just describe
a service's ports so the user doesn't need to care about them, just enable
that service on ufw. So we don't need to care about those files opening
any port, only about disabling them on ufw after removal.

--
aka nxvl
Key fingerprint = BCE4 27A0 D03E 55DE DA2D BE06 891D 8DEE 6545 97FE
gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 09-04-2008, 10:10 AM
Dennis Kaarsemaker
 
Default ufw package integration

On wo, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> On Tue, Aug 19, 2008 at 05:05:44PM -0400, Jamie Strandboge wrote:
> > With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports
> > application (package) integration. This allows packages to declare their
> > ports and protocols to ufw, so user's can specify an application profile
> > when adding and removing rules. Application profiles can be thought of
> > as simply port/protocol groups that are referenced by name.
>
> > For example, when apache is installed, it could add a file to
> > /etc/ufw/applications.d which declares it as running on tcp port 80.
>
> If the files are installed in /etc/, then they have to be config files
> (conffiles or otherwise). Config files are left installed when packages are
> removed, and deleted only on package purge. How does this design prevent
> leaving ports open when the package that they legitimately correspond to is
> no longer installed?

Something similar as for initscripts, which also linger around?

test -e $DAEMON || exit 0
--
Dennis K.

The universe tends towards maximum irony. Don't push it.
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
Old 09-04-2008, 10:11 AM
"Didier Roche"
 
Default ufw package integration

2008/9/4 Nicolas Valcárcel <nvalcarcel@ubuntu.com>
> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
> > How does this design prevent
> > leaving ports open when the package that they legitimately correspond
> > to is
> > no longer installed?
>
> I think we can (if it's not already preventing it) add a command
> on .postrm that disables it on ufw. At the end this files are just for
> declaring profiles, not enabling or open any port, they just describe a
> service ports so the user doesn't need to care about them just enable
> that service on ufw. So we don't need to care about those files opening
> any port, but for disabling them on ufw after removing.

The issue is more complex than that, because you do not know which profile
is currently loaded (there can be more than one profile per package).
A typical example is Apache, which has 3 profiles: one for port 80, one for 443 and the last one for both of them.

An idea might be to force (without looking at the error in case
the profile is not associated to a rule) the removal of the
corresponding rules by doing "sudo ufw delete allow <profile>" on
all profiles of the package (and even "sudo ufw delete deny
<profile>"/"sudo ufw delete limit <profile>"). Maybe a "sudo
ufw delete any_policy <profile>" would be a good new command.

What happens if another package uses the same port and had it
opened (with ufw profile integration)? Is the port still open on
the firewall (which is what we really want)?

PS: Sorry Nicolas. I really have to get rid of gmail with its ML management...

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
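The cleanup that Steve's question, Dennis's initscript analogy and Didier's "delete allow/deny/limit on every profile of the package, ignoring errors" idea describe, written out as an added example in the shape of a postrm step. This is not ufw's code and not any package's maintainer script; the package profile file is a constructed sample in a temp file, and UFW_DRY_RUN is this example's own switch (an assumption) that prints the ufw commands instead of running them, so it can be exercised on a machine without ufw.

```shell
#!/bin/sh
# Added example, not ufw's or any package's maintainer script: the cleanup
# Steve's question and Didier's reply discuss, as a postrm-style function.
# ufw fails when asked to delete a rule that does not exist, so each
# allow/deny/limit delete is tried per profile and failures are ignored
# ("force, without looking at the error"). The package's profile file is
# constructed here; UFW_DRY_RUN is this example's switch (an assumption)
# that prints the ufw commands instead of running them.

PKG_PROFILE_FILE=$(mktemp)
trap 'rm -f "$PKG_PROFILE_FILE"' EXIT
cat >"$PKG_PROFILE_FILE" <<'EOF'
[Apache]
title=Web Server
description=constructed sample
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=constructed sample
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=constructed sample
ports=80,443/tcp
EOF

UFW_DRY_RUN=${UFW_DRY_RUN:-1}   # 1 = print the ufw commands; 0 = really run ufw

# package_profiles FILE: the profile names are the [Section] headers.
package_profiles() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# run_ufw delete POLICY PROFILE: print in dry-run mode, otherwise call ufw.
run_ufw() {
    if [ "$UFW_DRY_RUN" = 1 ]; then
        printf "ufw %s %s '%s'\n" "$1" "$2" "$3"
    else
        ufw "$1" "$2" "$3"
    fi
}

# ufw_forget_profiles ACTION FILE: the postrm step. Only "remove" matters:
# dpkg removes before it purges, and an upgrade must keep the rules. Like
# Dennis's "test -e $DAEMON || exit 0" initscript guard, it bails out
# quietly when there is nothing to act on (no ufw, or the file already gone).
ufw_forget_profiles() {
    [ "$1" = remove ] || return 0
    if [ "$UFW_DRY_RUN" != 1 ] && ! command -v ufw >/dev/null 2>&1; then
        return 0
    fi
    [ -r "$2" ] || return 0
    package_profiles "$2" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            # A profile with no rule under this policy makes ufw fail; ignore it.
            run_ufw delete "$policy" "$profile" || true
        done
    done
}

# What the hook would do for this package on "postrm remove":
ufw_forget_profiles remove "$PKG_PROFILE_FILE"
```

The hook only ever deletes by profile name, the unit Jamie says ufw groups rules under via the iptables comment; it never deletes by bare port number, so a port that another package opened by number or under its own profile (Didier's last question) is deliberately out of its reach.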
 
