On Thu, Sep 4, 2008 at 11:58 AM, James Dinkel <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 4, 2008 at 5:11 AM, Didier Roche <[EMAIL PROTECTED]> wrote:
>
>> 2008/9/4 Nicolas Valcárcel <[EMAIL PROTECTED]>
>>
>>> On Wed, 2008-09-03 at 17:33 -0700, Steve Langasek wrote:
>>> > How does this design prevent leaving ports open when the package
>>> > that they legitimately correspond to is no longer installed?
>>>
>>> I think we can (if it's not already preventing it) add a command
>>> on .postrm that disables it on ufw. At the end these files are just
>>> for declaring profiles, not enabling or opening any port, they just
>>> describe a service's ports so the user doesn't need to care about
>>> them, just enable that service on ufw. So we don't need to care about
>>> those files opening any port, but for disabling them on ufw after
>>> removing.
>>>
>> The issue is more complex than that. Because you do not know which
>> profile is currently loaded (there can be more than one profile per
>> package). A typical example is Apache, which has 3 profiles: one for
>> port 80, one for 443 and the last one for both of them.
>>
>> An idea might be to force (without looking at the error in case the
>> profile is not associated with a rule) the removal of the corresponding
>> rules by doing "sudo ufw delete allow <profile>" on all profiles of the
>> package (and even "sudo ufw delete deny <profile>"/"sudo ufw delete
>> limit <profile>"). Maybe a "sudo ufw delete any_policy <profile>" will
>> be a good new command.
>>
>> What is the case if another package uses the same port and had it
>> opened (with ufw profile integration)? Is the port still open on the
>> firewall (which is what we really want)?
>>
>
> I would say leave the ports open and leave the profile files. Leave it
> up to the user to manage the firewall. If the package is removed, it's
> not going to be listening on those ports any more anyway.
>

Why don't we just leave all ports open then? :P

>
> James
>
> --
> ubuntu-server mailing list
> [email protected]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>

--
Cody A.W. Somerville
Software Systems Release Engineer
Custom Engineering Solutions Group
Canonical OEM Services
Cell: 506-449-5899
Email: [EMAIL PROTECTED]
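
The cleanup Didier Roche proposes in the quoted text above, as an added sketch that is not part of the original thread or of ufw's packaging: enumerate every profile a package declares and delete any allow/deny/limit rule that names it, ignoring errors for profiles that have no rule. Assumptions: the profile file is INI-style with one `[Name]` section per profile; the function names, the `UFW_CMD` switch and the sample file contents are hypothetical or constructed.

```shell
#!/bin/sh
# Added example: postrm-style cleanup of a package's ufw profile rules.
# Helper names and UFW_CMD are hypothetical; sample data is constructed.

# Print each profile name ("[Name]" section header) found in the file.
list_profiles() {
    sed -n 's/^\[\(.*\)][[:space:]]*$/\1/p' "$1"
}

# For every profile in the file, remove any allow/deny/limit rule that
# references it. A profile may have no rule at all, so failures are ignored.
# With UFW_CMD unset this is a dry run that only prints the commands.
purge_profile_rules() {
    list_profiles "$1" | while IFS= read -r profile; do
        for policy in allow deny limit; do
            if [ -n "${UFW_CMD:-}" ]; then
                "$UFW_CMD" delete "$policy" "$profile" >/dev/null 2>&1 || true
            else
                printf 'ufw delete %s "%s"\n' "$policy" "$profile"
            fi
        done
    done
}

# Constructed sample: three profiles in one file, mirroring the Apache
# case from the thread (port 80, port 443, and both).
write_sample_profiles() {
    cat > "$1" <<'EOF'
[Apache]
title=Web Server
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
ports=80,443/tcp
EOF
}

tmp=$(mktemp)
write_sample_profiles "$tmp"
purge_profile_rules "$tmp"   # dry run: prints nine delete commands
rm -f "$tmp"
```

The profile names have to be read before the package's profile file is removed, so a maintainer script using this approach would run it while the file is still on disk.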
