With the upload of ufw 0.20 to Intrepid yesterday, ufw now supports application (package) integration. This allows packages to declare their ports and protocols to ufw, so users can specify an application profile when adding and removing rules. Application profiles can be thought of as simply port/protocol groups that are referenced by name.

For example, when apache is installed, it could add a file to /etc/ufw/applications.d which declares it as running on tcp port 80. Users could then do:

  $ sudo ufw allow Apache

The equivalent non-profile command is:

  $ sudo ufw allow 80/tcp

While this is somewhat more convenient for users, things get more interesting when packages declare multiple profiles, e.g. 'Apache', 'Apache Secure' and 'Apache Full', which could correspond to 80/tcp, 443/tcp and 80,443/tcp respectively. This becomes even more useful when an application has several port/protocol combinations, such as Samba, which might declare 137,138/udp and 139,445/tcp.

ufw also allows changing a profile, then updating all rules referencing the profile. E.g., say an administrator adds a profile called 'Custom Web App', which listens on 8080/tcp. A user then runs "ufw allow 'Custom Web App'". Later the administrator adds 8081/tcp. A user can then run "ufw app update 'Custom Web App'", which will update the firewall to allow both 8080/tcp and 8081/tcp.

Finally, ufw can be configured to automatically add a rule when a user runs 'ufw app update --add-new <profile>'. The default policy for the new rule is configured using 'ufw app default <policy>'. The default policy is 'skip', which will not add a new rule automatically; 'allow' and 'deny' are also available.

Technically, groupings are accomplished by using the iptables '-m comment' option. All grouped rules have the same comment which references the profile name, which avoids collisions. Added rules still remain after profile removal, and users can delete rules referencing these removed profiles.

Application integration can be used with ufw's simple and extended syntax. See 'man ufw' and [1] for details and status.

Help is needed in adding profiles to various packages. The changes needed and testing procedures are documented in [2], while some targeted packages are listed in [3]. This is a great way to get involved and improve one's packaging skills.
Please create new bug reports with debdiffs attached, and I or someone from the Ubuntu Server team can upload the updated package.

Thanks and enjoy!

Jamie

[1] https://wiki.ubuntu.com/UbuntuFirewall
[2] https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages
[3] https://wiki.ubuntu.com/ServerTeam/Roadmap#UFW%20Package%20Integration

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
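
Because 'ufw app update' rewrites every rule that references a profile, it helps to see exactly which ports a changed profile gains before running it. The following is an added example, not part of the original message and not ufw's own code: it assumes the INI-style profile layout described in 'man ufw' (a section per profile with title, description and a '|'-separated ports field), and the function names and sample profiles are constructed for illustration.

```python
import configparser

def parse_ports(spec):
    """Expand a 'ports=' value into a set of (port-or-range, protocol) pairs."""
    rules = set()
    for entry in spec.split("|"):
        ports, slash, proto = entry.strip().partition("/")
        if slash and proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {entry!r}")
        if not slash and ("," in ports or ":" in ports):
            raise ValueError(f"protocol required for multiple ports: {entry!r}")
        protos = (proto,) if slash else ("tcp", "udp")  # bare port means both
        for item in ports.split(","):
            numbers = item.split(":")  # 'start:end' is a range
            if len(numbers) > 2 or not all(
                n.isdigit() and 1 <= int(n) <= 65535 for n in numbers
            ):
                raise ValueError(f"bad port in {entry!r}")
            rules.update((item, p) for p in protos)
    return rules

def load_profiles(text):
    """Map each profile name to the set of ports it would open."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: parse_ports(cp[name]["ports"]) for name in cp.sections()}

def widened(old, new):
    """Ports each profile gains between two revisions of a profile file."""
    gained = {n: sorted(new[n] - old.get(n, set())) for n in new}
    return {n: added for n, added in gained.items() if added}

# Constructed sample: the 'Custom Web App' change described in the message.
OLD = """
[Custom Web App]
title=Custom web application
description=Constructed sample profile
ports=8080/tcp

[Samba]
title=Samba
description=Constructed sample profile
ports=137,138/udp|139,445/tcp
"""
NEW = OLD.replace("ports=8080/tcp", "ports=8080,8081/tcp")

if __name__ == "__main__":
    print(widened(load_profiles(OLD), load_profiles(NEW)))
```

Running it on the old and new copies of a file from /etc/ufw/applications.d lists only the exposure that an update would add.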
