On Fri, 05 Sep 2008, Jamie Strandboge wrote:
> This is (of course) correct. If the user decides to create a rule using
> the profile, then on removal or purge the rule is not removed.
> Application rules are no different than regular rules in this regard.
> E.g., these are equivalent:
>
> # ufw allow 80/tcp
> # ufw allow Apache
>
> ufw tries to not make firewall policy decisions on behalf of the user on
> package installation, and does not open any ports on package install. As
> such, just like opening tcp port 80 is opt in, using application profile
> 'Apache' is also opt in.
>
> ufw handles the purge of an application gracefully and will still
Also, the decision to *not* remove rules on package purge and/or removal is
because that would undo in packaging what an administrator had explicitly
added to his/her firewall outside of packaging. This is making an
administrative decision for the user that IMO ufw and its packaging is not
equipped to make properly.

There is an argument for removing the rules if the default application
policy was changed from 'skip' *and* the packaging adds profiles via
'update --add-new'. However, this is not what is currently happening in
packaging and can be discussed if this happens at some future date (see
other email regarding this).

Jamie
-- 
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
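To make the equivalence in the quoted message concrete (`ufw allow Apache` is just `ufw allow 80/tcp` with the port spec read from the application profile), here is an added example that is not part of the thread or of ufw itself: it parses a constructed profile file in ufw's INI-style profile format and prints the plain port rules each profile name stands for. The profile contents and the function names are my own.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample in the ufw application-profile format (one INI section
# per profile, with title/description/ports keys); not a package's real profile.
SAMPLE_PROFILES = """
[Apache]
title=Web Server
description=Constructed sample: HTTP on port 80
ports=80/tcp

[Samba]
title=File and printer server
description=Constructed sample: several ports and two protocols
ports=137,138/udp|139,445/tcp
"""


def parse_profiles(text: str) -> Dict[str, str]:
    """Return {profile name: ports spec} for every section of a profile file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: cp[name]["ports"] for name in cp.sections()}


def expand_ports(spec: str) -> List[str]:
    """Expand 'a,b/proto|c/proto' into one 'port/proto' item per port or range.

    An entry without '/proto' is kept as a bare port, which ufw treats as
    applying to both tcp and udp.
    """
    rules: List[str] = []
    for entry in spec.split("|"):
        proto: Optional[str] = None
        ports = entry
        if "/" in entry:
            ports, proto = entry.rsplit("/", 1)
        for p in ports.split(","):
            rules.append(f"{p}/{proto}" if proto else p)
    return rules


def equivalent_rules(text: str, app: str) -> List[str]:
    """The plain 'ufw allow PORT/proto' commands that 'ufw allow APP' stands for."""
    spec = parse_profiles(text)[app]
    return [f"ufw allow {r}" for r in expand_ports(spec)]


if __name__ == "__main__":
    for name in ("Apache", "Samba"):
        print(f"ufw allow {name}  ==  " + " ; ".join(equivalent_rules(SAMPLE_PROFILES, name)))
```

Because the profile only supplies the port list, purging the package (and its profile) does not change which ports the administrator's explicit rule opened, which is the point of the reply above.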
-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
