On Thu, 04 Sep 2008, Luke L wrote:
> Should package integration be disabled by default?
There is confusion as to what 'package integration' actually does. When I sent the email, this is what it meant:

a) a package can declare itself to ufw via profiles that have various port/protocol combinations

b) a user can use profile names in rules in addition to port/protocol combinations

c) an administrator can set the 'default application policy' to be one of 'skip', 'allow' or 'deny'. This affects what happens when 'ufw app update --add-new <profile>' is run. 'skip' is the default and will *under no circumstances* add any rules to the firewall. Only if the default application policy is changed away from 'skip' will any rules be added

d) with the above in place, I had written a section in UbuntuFirewall which used 'ufw app update --add-new <profile>' in postinst, so that *if* an administrator decided to change the default policy to something other than 'skip', rules could be automatically added on installation.

However, after posting the email, I decided that using dpkg triggers was the way to go (thanks Colin Watson!), and as such, 'update --add-new' is no longer used in Ubuntu packaging, so it is not possible to open any ports via package integration at this time (when functionality in dpkg triggers is added, this may change in the future). All applications in Ubuntu that supply application profiles take advantage of dpkg triggers.

Bottom line: 'a' and 'b' are the common use cases, and using package integration is completely opt-in.

Jamie
--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd.           | http://www.canonical.com/
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
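To make points a) through c) of the mail concrete, here is an added example (not code from the mail, from ufw, or from any Ubuntu package) that parses an application profile in the INI format ufw reads from /etc/ufw/applications.d, expands its ports= field into port/protocol pairs, validates them, and simulates what 'ufw app update --add-new <profile>' would add under each default application policy as the mail describes it ('skip' adds nothing). The profile content, the profile name "Example Web" and the function names are constructed for this example; the simulation of the policy behaviour is a model of the mail's description, not ufw's own implementation.

```python
import configparser

# Constructed sample profile in the /etc/ufw/applications.d INI format
# (sample content for this example; not a profile shipped by any package).
SAMPLE_PROFILE = """\
[Example Web]
title=Example web server (constructed sample)
description=Constructed profile used only to exercise the parser below.
ports=80,443/tcp|53/udp|6000:6007
"""


def expand_ports(spec):
    """Expand a ufw 'ports=' value into (port, proto) tuples.

    Groups are separated by '|'; within a group, comma-separated ports
    share the protocol given after '/'. A group with no '/' applies to
    both TCP and UDP, recorded here as proto 'any'.
    """
    entries = []
    for group in spec.split("|"):
        group = group.strip()
        if not group:
            continue
        if "/" in group:
            ports, proto = group.rsplit("/", 1)
            proto = proto.strip().lower()
        else:
            ports, proto = group, "any"
        for port in ports.split(","):
            entries.append((port.strip(), proto))
    return entries


def validate_entry(port, proto):
    """Reject malformed ports or protocols before a profile is trusted."""
    if proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unsupported protocol {proto!r}")
    lo, _, hi = port.partition(":")        # 'lo' alone or a 'lo:hi' range
    for value in (lo, hi or lo):
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"port {port!r} is out of range")
    if hi and int(lo) > int(hi):
        raise ValueError(f"port range {port!r} is reversed")


def parse_profiles(text):
    """Return {profile_name: [(port, proto), ...]} for every section in text."""
    # Only '=' separates keys from values, so ':' inside a port range is kept.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        entries = expand_ports(cp[name]["ports"])
        for port, proto in entries:
            validate_entry(port, proto)
        profiles[name] = entries
    return profiles


def rules_for_add_new(profile_name, default_app_policy="skip"):
    """Model of 'ufw app update --add-new <profile>' as the mail describes it.

    'skip' (the default) never adds a rule; 'allow' or 'deny' add a single
    rule that refers to the profile by name (point b of the mail).
    """
    if default_app_policy == "skip":
        return []
    if default_app_policy not in ("allow", "deny"):
        raise ValueError(f"unknown default application policy {default_app_policy!r}")
    return [f"{default_app_policy} {profile_name}"]


if __name__ == "__main__":
    for name, entries in parse_profiles(SAMPLE_PROFILE).items():
        print(name, entries)
        for policy in ("skip", "allow", "deny"):
            print(f"  default policy {policy}: {rules_for_add_new(name, policy)}")
```

Running the script prints the expanded port list once and then the (empty) rule list for 'skip' beside the single profile-name rule for 'allow' and 'deny', which is the whole of what the mail's point c) turns on: with the shipped default nothing is ever added, and the validation step is the check a packager would want before a profile is dropped into applications.d.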
