Soren Hansen wrote:
> On Fri, Sep 05, 2008 at 11:31:27AM +1000, Chris Martin wrote:
>> Not listening is sufficient - that is the point
>> Having a firewall that is automatically updated as packages are installed is
>> dangerous. This is similar to UPnP and not the right way to do security
>>
>> By having all packages automatically update the firewall - you may as well
>> not have a firewall
>>
>> Just because a HTTP server is installed it doesn't mean that it should be
>> accessible. The decision to open the firewall should be a separate action
>>
>> Often packages get installed that are only intended to be accessed via a
>> single interface on machines with multiple interfaces or via local host ONLY
>>
>> It really defeats the purpose of having a firewall if the ports are opened
>> automatically
>
> Unless I'm much mistaken here, all that's being discussed is *closing*
> ports when you uninstall the package that "owned" the ports in question.

We were, indeed, and if I quote Jamie's original email that started this thread:

> For example, when apache is installed, it could add a file to
> /etc/ufw/applications.d which declares it as running on tcp port 80.
> Users could then do:
> $ sudo ufw allow Apache

it seems clear that port WILL NOT be opened automatically. It will require the user's intervention.

Nick

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
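
Added example, not part of the original thread and not ufw's own code: a Python model of the workflow quoted above, where an installed package only declares its ports in a profile and nothing is opened until the administrator allows the application by name. The profile text is constructed sample data in the INI layout ufw uses for application profiles; `parse_ports`, `load_profiles` and `opened_ports` are hypothetical helper names.

```python
import configparser

# Constructed sample profiles in the INI layout read from
# /etc/ufw/applications.d (section name = application name).
SAMPLE_PROFILES = """
[Apache]
title=Web Server
description=Apache HTTP server
ports=80/tcp

[Samba]
title=File sharing
description=SMB/CIFS server
ports=137,138/udp|139,445/tcp
"""

def parse_ports(field):
    """Expand a ports= value into a sorted list of (port_or_range, proto)."""
    out = set()
    for group in field.split("|"):          # '|' separates protocol groups
        ports, _, proto = group.strip().partition("/")
        # A group with no protocol applies to both tcp and udp.
        protos = [proto] if proto else ["tcp", "udp"]
        for port in ports.split(","):       # ',' separates ports or ranges
            for pr in protos:
                out.add((port.strip(), pr))
    return sorted(out)

def load_profiles(text):
    """Map each declared application name to the ports it declares."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                    # keep key case as written
    cp.read_string(text)
    return {name: parse_ports(cp[name]["ports"]) for name in cp.sections()}

def opened_ports(profiles, allowed_apps):
    """Ports opened are only those of profiles the admin explicitly allowed."""
    unknown = set(allowed_apps) - set(profiles)
    if unknown:
        raise KeyError(f"no profile for: {sorted(unknown)}")
    return sorted({pp for app in allowed_apps for pp in profiles[app]})

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES)
    print("declared by packages:", profiles)
    print("open after install only:", opened_ports(profiles, []))
    print("open after 'ufw allow Apache':", opened_ports(profiles, ["Apache"]))
```
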
