(Sorry for the top post, as gmail seems to be used to it...)

On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:

> > Not listening is sufficient - that is the point
> > Having a firewall that is automatically updated as packages are installed is
> > dangerous. This is similar to UPnP and not the right way to do security
> >
> > By having all packages automatically update the firewall - you may as well
> > not have a firewall
> >
> > Just because a HTTP server is installed it doesn't mean that it should be
> > accessible. The decision to open the firewall should be a separate action
> >
> > Often packages get installed that are only intended to be accessed via a
> > single interface on machines with multiple interfaces or via local host ONLY
> >
> > It really defeats the purpose of having a firewall if the ports are opened
> > automatically
>
Hum, no. From what I understand, ufw allows different application policies for package integration. The default policy is SKIP[1], so no rules are automatically added to the firewall. You can set it to ALLOW or DENY to automatically add rules to your firewall when installing a package. My tests when working on adding ufw integration to various packages confirmed that.

> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.
>

Yes, the subject has diverged. Now that the previous point is - I think - solved, let's go on to the question of closing ports when removing/purging a package.

Didier

[1] https://wiki.ubuntu.com/UbuntuFirewall#Package%20Integration
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
