Closed fredrikt closed 10 years ago
The problem with this is that it's a major change to the behaviour we've had so far, so we'd have to bump the version to 1.5.x.
Thanks for considering the patch.
What is a major change?
The deny/reject thing becomes a little less permissive, but the change could be argued to be the equivalent of fixing a security hole (which is usually done even though it breaks backwards compatibility).
The allow-part should be backwards compatible (for everyone with an eth0 interface, i.e. almost everyone), no?
Maybe you can cherry-pick the allow-change until you are ready to increase the major version if you don't want to do that now?
1) For Deny and Reject, I think it is dangerous to default to denying/rejecting packets only to the eth0 IP address. If I have two interfaces, and do ufw::deny { 'foo': port => x, proto => 'tcp' }, wouldn't I expect the deny rule to apply to both my interfaces?
2) For allow, maybe $::ipaddress alone would be a sensible default? I tried to maintain backwards compatibility while still fixing the bug that prevented my specified $ip from being used, since my $ipaddress_eth0 == undef.