[TriLUG] host-based dynamic app/port firewall?

Kevin Otte nivex at nivex.net
Wed Oct 24 11:32:13 EDT 2012


The reason ufw requires you to manually open/close ports rather than
automatically managing that by application is that the maintainers of
the package have no way of knowing your intent for that system.
Furthermore, the intentions of the package maintainer may be different
from yours.

In your example of http: What if you were trying to set up an intranet
rather than a globally accessible website? A default rule of accept all
would be counter to that goal, and if you as the admin assume that the
package just did the right thing, you could expose data you had not
intended to.

In general, a good rule is to start closed and open up what you need.

-- Kevin

On 10/24/2012 12:57 AM, Kevin Hunter wrote:
> Hullo List,
> 
> I've found myself pondering the fact that I have intermittent network
> services on my machine.  That is to say, sometimes I start Apache,
> disable SSH, or temporarily fire-up a DHCP server.
> 
> IPTables is fan-friggin-tastic, but if I at all want to nerd out and
> enable/disable the ports when the service is (not) running I must do it
> manually.  For example, after I start Apache:
> 
> # iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> 
> Of course, if I have ufw handy, I can use the simpler syntax of:
> 
> # ufw deny http; ufw reload
> 
> Or something to that effect.  However, I'm wondering if someone hasn't
> already packaged up an automation script for this sort of behavior that
> I'm not seeing in my various googlings.  Succinctly: is there a tool in
> a distro repo that automatically and _dynamically_ enables and disables
> a port in the firewall depending on the specific binding of applications
> to ports, and according to user-defined rules?
> 
> Or, since no application would be listening on a port, is it a complete
> non-issue?  (For example, if Apache is disabled, and since nothing else
> should be listening on port 80, does it amount to the same thing as if
> there were a firewall rule denying access?)
> 
> So far, I've only been able to find the standard firewall appliance
> packet filtering and stateful inspection, which clearly doesn't apply to
> my question as it's a separate host.
> 
> Thanks for any insight.
> 
> Kevin
> 
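As an added example (not code from either poster), here is Kevin Otte's "start closed and open up what you need" advice as a small POSIX shell script that also addresses the original question: rather than opening whatever port an application happens to bind, it opens only ports for which the admin has recorded an intent, including the source range (the intranet-only http case above). The service table, the 192.168.1.0/24 intranet range, the eth0 interface taken from the original post, and the `ss -ltn` output are all constructed for illustration. By default the script only prints the iptables commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread. Default-deny host firewall with
# per-service intent, printed rather than applied unless DRY_RUN=0.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"      # show the rule instead of applying it
    else
        "$@"
    fi
}

# Baseline: drop inbound by default, keep loopback and reply traffic working.
fw_base() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Hypothetical intent table: service -> "proto port allowed-source".
# The source column is exactly what a package maintainer cannot know;
# here http is intranet-only while ssh is reachable from anywhere.
SERVICES="http ssh dhcp"
intent_for() {
    case "$1" in
        http) echo "tcp 80 192.168.1.0/24" ;;
        ssh)  echo "tcp 22 0.0.0.0/0" ;;
        dhcp) echo "udp 67 0.0.0.0/0" ;;
        *)    return 1 ;;
    esac
}

# fw_rule allow|deny SERVICE: add or remove the ACCEPT rule for one service.
# A service with no recorded intent fails and stays closed (the safe default).
fw_rule() {
    action=$1; svc=$2
    spec=$(intent_for "$svc") || {
        echo "no intent recorded for $svc, leaving it closed" >&2
        return 1
    }
    set -- $spec
    proto=$1; port=$2; src=$3
    case "$action" in
        allow) run iptables -A INPUT -i eth0 -p "$proto" -s "$src" --dport "$port" -j ACCEPT ;;
        deny)  run iptables -D INPUT -i eth0 -p "$proto" -s "$src" --dport "$port" -j ACCEPT ;;
        *)     echo "usage: fw_rule allow|deny SERVICE" >&2; return 2 ;;
    esac
}

# Parse listening TCP ports from `ss -ltn` output read on stdin.
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Map a port back to the service whose intent names it, if any.
service_for_port() {
    want=$1
    for s in $SERVICES; do
        set -- $(intent_for "$s")
        [ "$2" = "$want" ] && { echo "$s"; return 0; }
    done
    return 1
}

# Listening ports that no intent covers: with the default-drop policy these
# stay unreachable, which is the point of starting closed.
unintended_listeners() {
    listening_ports | while read -r p; do
        service_for_port "$p" >/dev/null || echo "$p"
    done
}

# Constructed sample of `ss -ltn` output: sshd, apache, and a stray mysqld.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*'

if [ "${1:-}" = "demo" ]; then
    fw_base
    fw_rule allow http
    fw_rule allow ssh
    echo "listening but intentionally closed:"
    printf '%s\n' "$SAMPLE_SS" | unintended_listeners
fi
```

Hooking `fw_rule allow http` / `fw_rule deny http` into the service's start and stop steps gives the dynamic behaviour the original question asks for, but the decision of what to open and from where still lives in the intent table the admin wrote, not in whatever is currently bound.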
