[Novalug] ufw applications.d syntax
James Ewing Cottrell 3rd
JECottrell3 at Comcast.NET
Wed Sep 15 00:26:17 EDT 2010
I understand the motivation. I just question the tradeoffs.
How many applications DO have more than one port? The answer, up until
recently, was Very Few.
Indeed, one could argue that having more than one is a poor design. In
fact, with the advent of commands like StartTLS, protocols like LDAP are
moving back to one.
Iptables already has the ability to read commands from files, so having
the application repeated twice for the various ought not to confuse the
What else does it have to justify its existence?
On 9/14/2010 8:08 PM, Jason Kohles wrote:
> Like many things in ubuntu, it's intended to make things easier for beginners (and does have some very nice features), but behind the scenes it's just building iptables rules, so you can just keep using iptables if you want to.
> As for the ports, you can use service names for things that are listed in /etc/services and iptables will look them up. The ufw method doesn't seem much easier for applications that only need one port, but when you get things that need multiple ports it does make it kind of nice to be able to say 'allow this application' rather than adding a whole set of rules for each host.
> Jason Kohles
> Palantir Technologies | Forward Deployed Engineer
> jkohles at palantirtech.com | 703.957.5784
> ----- Original Message -----
> From: James Ewing Cottrell 3rd<JECottrell3 at Comcast.NET>
> To: Jason Kohles
> Cc: mark at winksmith.com<mark at winksmith.com>; Novalug<novalug at calypso.tux.org>
> Sent: Tue Sep 14 16:28:48 2010
> Subject: Re: [Novalug] ufw applications.d syntax
> UNCOMPLICATED FireWall?
> How about GDSFW, as in Gratuitously Different Syntax.
> Now I have something else to remember besides iptables.
> All this just so I don't have to lookup ports?
> Perhaps the solution is to make iptables read /etc/services if it
> doesn't already.
> On 9/14/2010 4:39 PM, Jason Kohles wrote:
>> The files in applications.d don't specify allow/deny rules, and they don't include any information about networks or hosts, they only specify information about what ports and protocols an application uses, so that you can specify firewall rules without having to figure out what ports you need.
>> So, for example, if you have this in applications.d (and you presumably do have something like this, based on the ufw output):
>> [Dovecot Secure IMAP]
>> title=Dovecot Secure IMAP
>> description=A secure IMAP server
>> ports=993/tcp
>> Then you can use that to make it easier to punch holes in the firewall, like so:
>> ufw allow from 192.168.1.0/24 to any app "Dovecot Secure IMAP"
>> ufw allow from 192.168.2.0/24 to any app "Dovecot Secure IMAP"
>> ufw allow from 192.168.3.0/24 to any app "Dovecot Secure IMAP"
>> More Info:
>> On Sep 14, 2010, at 4:01 PM, Mark Smith wrote:
>>> first i've seen it too, but it comes with ubuntu so i thought
>>> i'd give it a go.
>>> the "allow" command doesn't seem to permit the syntax you suggested.
>>> On Tue, Sep 14, 2010 at 10:32:09AM -0400, James Ewing Cottrell 3rd wrote:
>>>> How about just Annexing another /24 and saying
>>>> Dovecot Secure IMAP ALLOW 192.168.1.0/22
>>>> Or just use iptables to firewall things and run UFW wide open, or
>>>> maybe with all of 192.168.
>>>> BTW, are you sure that this file supports netmasks? Some apps only
>>>> support globbing as in
>>>> Dovecot Secure IMAP ALLOW 192.168.1.*
>>>> Dovecot Secure IMAP ALLOW 192.168.2.*
>>>> Dovecot Secure IMAP ALLOW 192.168.3.*
>>>> I dunno what UFW is, so I couldn't say.
>>>> On 9/13/2010 4:38 AM, Mark Smith wrote:
>>>>> i can represent three CIDR/24 blocks for networks which i can accept
>>>>> all kinds of requests. i think the ufw concept of applications is kinda
>>>>> neat too. i was hoping someone here had a handle on how to update the
>>>>> /etc/ufw/applications.d/* files to accept ports from several different
>>>>> networks. it doesn't seem to support it.
>>>>> for instance, it would be nice to make this:
>>>>> To                         Action      From
>>>>> --                         ------      ----
>>>>> Dovecot Secure IMAP        ALLOW       Anywhere
>>>>> into this:
>>>>> To                         Action      From
>>>>> --                         ------      ----
>>>>> Dovecot Secure IMAP        ALLOW       192.168.1.0/24
>>>>> Dovecot Secure IMAP        ALLOW       192.168.2.0/24
>>>>> Dovecot Secure IMAP        ALLOW       192.168.3.0/24
>>>>> the documentation isn't really straightforward in this regard.
>>>>> seems like you can't do it. i'm set up already in the fw department.
>>> Mark Smith
>>> mark at winksmith.com
>>> mark at tux.org
>> Jason Kohles, RHCA
>> Palantir Technologies | Forward Deployed Engineer
>> jkohles at palantir.com | 703.957.5784
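To make concrete what the thread is arguing about (a ufw application profile is just a named bundle of ports, and an `allow from <net> to any app <profile>` rule is just iptables underneath), here is an added example, not ufw's own code and not from anyone in the thread. It parses the INI-style `applications.d` format (`ports=` entries in the `80,443/tcp|53/udp` form that ufw profiles use), validates each source as a proper CIDR block, and prints the iptables commands the three per-network rules correspond to. The profile text is constructed for the example; `merge_networks` is a helper added here to show what the three /24 blocks actually collapse to.

```python
"""Parse ufw applications.d profiles and emit equivalent iptables rules.

Added example, not ufw's own implementation. Assumes the profile layout
shown in the thread: one INI section per application with a ``ports=``
field such as ``80,443/tcp|5000:5010/udp``.
"""
import configparser
import ipaddress

# Constructed sample in the same layout as /etc/ufw/applications.d files.
SAMPLE_PROFILE = """\
[Dovecot Secure IMAP]
title=Dovecot Secure IMAP
description=A secure IMAP server
ports=993/tcp

[Web]
title=Web server
description=HTTP, HTTPS and a UDP range (constructed for the example)
ports=80,443/tcp|8000:8010/udp
"""

SAMPLE_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def parse_profiles(text):
    """Return {profile_name: [(proto, [port, ...]), ...]} from profile text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        entries = []
        # '|' separates port/protocol groups; ',' separates ports in a group.
        for spec in cp[name]["ports"].split("|"):
            spec = spec.strip()
            if "/" not in spec:
                raise ValueError(f"{name}: port spec {spec!r} lacks a protocol")
            ports, proto = spec.rsplit("/", 1)
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{name}: unsupported protocol {proto!r}")
            entries.append((proto, [p.strip() for p in ports.split(",")]))
        profiles[name] = entries
    return profiles


def is_valid_cidr(source):
    """True only for a properly aligned network (no host bits set)."""
    try:
        ipaddress.ip_network(source, strict=True)
        return True
    except ValueError:
        return False


def iptables_rules(profiles, app, sources):
    """iptables equivalents of `ufw allow from <src> to any app <app>`."""
    rules = []
    for src in sources:
        if not is_valid_cidr(src):
            raise ValueError(f"{src!r} is not an aligned CIDR block")
        for proto, ports in profiles[app]:
            if len(ports) == 1:
                match = f"--dport {ports[0]}"          # a single port or a:b range
            else:
                match = f"-m multiport --dports {','.join(ports)}"
            rules.append(f"iptables -A INPUT -s {src} -p {proto} {match} -j ACCEPT")
    return rules


def merge_networks(sources):
    """Smallest set of CIDR blocks that covers exactly the given networks."""
    nets = [ipaddress.ip_network(s, strict=True) for s in sources]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILE)
    for rule in iptables_rules(profiles, "Dovecot Secure IMAP", SAMPLE_NETWORKS):
        print(rule)
    print("covering blocks:", merge_networks(SAMPLE_NETWORKS))
```

Two points the output makes visible: the per-network rules differ only in `-s`, so a profile saves nothing more than the port lookup for a single-port service, exactly as the thread observes; and `merge_networks` returns `192.168.1.0/24` plus `192.168.2.0/23`, because 192.168.1.0 is not on a /22 boundary, so `is_valid_cidr("192.168.1.0/22")` is false and a single rule cannot cover those three blocks.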