[Novalug] ufw applications.d syntax

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Wed Sep 15 00:26:17 EDT 2010


  I understand the motivation. I just question the tradeoffs.

How many applications DO have more than one port? The answer, up until 
recently, was Very Few.

Indeed, one could argue that having more than one is a poor design. In 
fact, with the advent of commands like StartTLS, protocols like LDAP are 
moving back to one.

Iptables already has the ability to read commands from files, so having 
the application repeated twice for the various ought not to confuse the 
newbies.

What else does it have to justify its existence?

JIM

On 9/14/2010 8:08 PM, Jason Kohles wrote:
> Like many things in ubuntu, it's intended to make things easier for beginners (and does have some very nice features), but behind the scenes it's just building iptables rules, so you can just keep using iptables if you want to.
>
> As for the ports, you can use service names for things that are listed in /etc/services and iptables will look them up.  The ufw method doesn't seem much easier for applications that only need one port, but when you get things that need multiple ports it does make it kind of nice to be able to say 'allow this application' rather than adding a whole set of rules for each host.
>
>
>
> Jason Kohles
> Palantir Technologies | Forward Deployed Engineer
> jkohles@palantirtech.com | 703.957.5784
>
> ----- Original Message -----
> From: James Ewing Cottrell 3rd<JECottrell3@Comcast.NET>
> To: Jason Kohles
> Cc: mark@winksmith.com<mark@winksmith.com>; Novalug<novalug@calypso.tux.org>
> Sent: Tue Sep 14 16:28:48 2010
> Subject: Re: [Novalug] ufw applications.d syntax
>
>    UNCOMPLICATED FireWall?
>
> How about GDSFW, as in Gratuitously Different Syntax.
>
> Now I have something else to remember besides iptables.
>
> All this just so I don't have to look up ports?
>
> Perhaps the solution is to make iptables read /etc/services if it
> doesn't already.
>
> JIM
>
> On 9/14/2010 4:39 PM, Jason Kohles wrote:
>> The files in applications.d don't specify allow/deny rules, and they don't include any information about networks or hosts, they only specify information about what ports and protocols an application uses, so that you can specify firewall rules without having to figure out what ports you need.
>>
>> So, for example, if you have this in applications.d (and you presumably do have something like this, based on the ufw output):
>>
>> [Dovecot Secure IMAP]
>> title=Dovecot Secure IMAP
>> description=A secure IMAP server
>> ports=993/tcp
>>
>> Then you can use that to make it easier to punch holes in the firewall, like so:
>>
>> ufw allow from 192.168.1.0/24 to any app dovecot
>> ufw allow from 192.168.2.0/24 to any app dovecot
>> ufw allow from 192.168.3.0/24 to any app dovecot
>>
>>
>> More Info:
>>
>> https://wiki.ubuntu.com/UncomplicatedFirewall
>> http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw.8.html
>> http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw-framework.8.html
>> https://help.ubuntu.com/10.04/serverguide/C/firewall.html
>>
>> On Sep 14, 2010, at 4:01 PM, Mark Smith wrote:
>>
>>> first i've seen it too, but it comes with ubuntu so i thought
>>> i'd give it a go.
>>>
>>> the "allow" command doesn't seem to permit the syntax you suggested.
>>>
>>>
>>> On Tue, Sep 14, 2010 at 10:32:09AM -0400, James Ewing Cottrell 3rd wrote:
>>>> How about just Annexing another /24 and saying
>>>>
>>>> Dovecot Secure IMAP ALLOW 192.168.1.0/22
>>>>
>>>> Or just use iptables to firewall things and run UFW wide open, or
>>>> maybe with all of 192.168.
>>>>
>>>> BTW, are you sure that this file supports netmasks? Some apps only
>>>> support globbing as in
>>>>
>>>> Dovecot Secure IMAP ALLOW 192.168.1.*
>>>> Dovecot Secure IMAP ALLOW 192.168.2.*
>>>> Dovecot Secure IMAP ALLOW 192.168.3.*
>>>>
>>>> I dunno what UFW is, so I couldn't say.
>>>>
>>>> JIM
>>>>
>>>> On 9/13/2010 4:38 AM, Mark Smith wrote:
>>>>> i can represent three CIDR/24 blocks for networks which i can accept
>>>>> all kinds of requests.  i think the ufw concept of applications is kinda
>>>>> neat too.  i was hoping someone here had a handle on how to update the
>>>>> /etc/ufw/applications.d/* files to accept ports from several different
>>>>> networks.  it doesn't seem to support it.
>>>>>
>>>>> for instance, it would be nice to make this:
>>>>>
>>>>> 	To                         Action      From
>>>>> 	--                         ------      ----
>>>>> 	Dovecot Secure IMAP        ALLOW       Anywhere
>>>>>
>>>>> into this:
>>>>>
>>>>> 	To                         Action      From
>>>>> 	--                         ------      ----
>>>>> 	Dovecot Secure IMAP        ALLOW       192.168.1.0/24
>>>>> 	Dovecot Secure IMAP        ALLOW       192.168.2.0/24
>>>>> 	Dovecot Secure IMAP        ALLOW       192.168.3.0/24
>>>>>
>>>>> the documentation isn't really straightforward in this regard.
>>>>> seems like you can't do it.  i'm set up already in the fw department.
>>> -- 
>>> Mark Smith
>>> mark@winksmith.com
>>> mark@tux.org
>>> _______________________________________________
>>> Novalug mailing list
>>> Novalug@calypso.tux.org
>>> http://calypso.tux.org/mailman/listinfo/novalug
>> _________________________________________________________
>> Jason Kohles, RHCA
>> Palantir Technologies | Forward Deployed Engineer
>> jkohles@palantir.com | 703.957.5784
>> _________________________________________________________
>>
>
>
>
>
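The thread quotes an applications.d profile (the Dovecot one) and the per-network `ufw allow ... app` commands built on it, and Jason points out that behind the scenes ufw only builds iptables rules. The following is an added example, not code from the thread or from the ufw project: it parses a constructed profile in that format, checks the `ports=` field before anything is emitted, and expands it into both the ufw commands and the plain iptables rules they correspond to. Assumptions: the protocol suffix (`/tcp` or `/udp`) is required on every ports entry, and the iptables rules target a bare `INPUT` chain rather than ufw's own chains, so they show the equivalent policy rather than what ufw itself installs.

```python
"""Added example (not from the ufw project or the thread): expand a ufw
applications.d profile into per-network ufw commands and the equivalent
plain iptables rules."""
import configparser
import ipaddress
import re
import shlex

# Constructed sample profile, in the applications.d format quoted in the thread.
SAMPLE_PROFILE = """\
[Dovecot Secure IMAP]
title=Dovecot Secure IMAP
description=A secure IMAP server
ports=993/tcp
"""

# One '|'-separated entry of the ports field: a port or lo:hi range, optionally
# a comma list of them, followed by /tcp or /udp (protocol required here; that
# is a simplifying assumption of this example).
_PORT_RE = re.compile(
    r"^(?P<ports>\d+(?::\d+)?(?:,\d+(?::\d+)?)*)/(?P<proto>tcp|udp)$"
)


def parse_profiles(text):
    """Return {profile_name: [(port_spec, proto), ...]} from profile text.

    Raises ValueError on a malformed or out-of-range ports entry so that a
    typo in a profile is caught before any rule is generated.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        entries = []
        for item in cp[name]["ports"].split("|"):
            m = _PORT_RE.match(item.strip())
            if not m:
                raise ValueError(f"{name}: bad ports entry {item!r}")
            for p in m.group("ports").split(","):
                lo, _, hi = p.partition(":")
                lo_i, hi_i = int(lo), int(hi or lo)
                if not 1 <= lo_i <= hi_i <= 65535:
                    raise ValueError(f"{name}: port out of range {p!r}")
            # keep the comma group together so it maps to one multiport match
            entries.append((m.group("ports"), m.group("proto")))
        profiles[name] = entries
    return profiles


def ufw_commands(profiles, networks):
    """One 'ufw allow from <net> to any app <profile>' line per network and profile."""
    cmds = []
    for net in networks:
        ipaddress.ip_network(net)  # reject a mistyped CIDR before emitting anything
        for name in profiles:
            # profile names may contain spaces, so quote them for the shell
            cmds.append(f"ufw allow from {net} to any app {shlex.quote(name)}")
    return cmds


def iptables_rules(profiles, networks):
    """The plain iptables equivalent of ufw_commands (bare INPUT chain, by assumption)."""
    rules = []
    for net in networks:
        ipaddress.ip_network(net)
        for entries in profiles.values():
            for spec, proto in entries:
                match = (f"-m multiport --dports {spec}" if "," in spec
                         else f"--dport {spec}")
                rules.append(f"iptables -A INPUT -s {net} -p {proto} {match} -j ACCEPT")
    return rules


if __name__ == "__main__":
    nets = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    profiles = parse_profiles(SAMPLE_PROFILE)
    print("\n".join(ufw_commands(profiles, nets)))
    print("\n".join(iptables_rules(profiles, nets)))
```

Validating the profile up front matters because the profile is the one place a port number is typed by hand; a malformed `ports=` line is rejected here with a ValueError rather than silently producing a rule for the wrong port, and a bad CIDR in the network list is rejected before any command is printed.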
