christgau / wsdd

A Web Service Discovery host daemon.
MIT License

Feature Request: UFW App Definition for WSDD #159

Closed brianhenk closed 1 year ago

brianhenk commented 1 year ago

I think it would be a good addition to WSDD to add a UFW app definition so that I could run something like 'ufw add wsd' rather than adding individual rules for each port.

I'm not sure if this is a change that should be made here or if it should be part of how WSDD is packaged for distros.

christgau commented 1 year ago

I'm not sure if this is a change that should be made here or if it should be part of how WSDD is packaged for distros.

I'm not sure either. IMO, this can be handled like it is done with service/init configuration files, i.e. put an application profile file under etc/ufw/wsdd.profile (or the like). Distros can then choose if they package it directly or use their own.

So, in principle, your idea sounds quite good.

Personally, I'm not a user of UFW and thus have no experience with it. I looked up the profile/app definition syntax, which looks quite simple. So it would probably be easy to create such a file. What I was wondering about is IGMP traffic, which is required by wsdd. But wsdd is of course not the only application that makes use of it. Should corresponding IGMP "rules" be included in the application file as well? If yes, doesn't that interfere with other applications as well?

Do you have ideas, or could you start contributing a UFW app definition from which we can start?!

lamarch commented 1 year ago

I tried to make a UFW app definition for WSDD, here it is:

[wsdd]
title=WSDD
description=Web Service Discovery host daemon, that enables Samba hosts to be found by Windows clients.
ports=3702/udp|5357/tcp

This goes in a file under /etc/ufw/applications.d/ (I don't know if we need to name it wsdd).

Then you need to update the application definitions with ufw app update wsdd.

And then ufw allow wsdd.

Unfortunately, I don't have any idea of how we could include this configuration file in the installation process...

JedMeister commented 1 year ago

IMO the place to put it would be in etc/ufw (in this repo).

Then to have it included in the debian package, the packager would need to tweak the current install to copy the new ufw definition file to /etc/ufw/applications.d/ on install. Also ufw should be added as a dependency (probably either a "suggests" or perhaps a "recommends"). Then finally a post install snippet that checks for ufw and if installed, runs the required ufw commands.

I suggest that you wait for feedback from @christgau as he may have other ideas on where he wants the file to be stored. Once you know where to put it, you could just open a new PR adding the specific file.

Then we'd just need to wait for the package maintainer to update the package to apply these changes.
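Added example (not code from wsdd, ufw, or anyone in this thread): a small script that parses the proposed profile the way a packager's post-install step would, validates the ports field against UFW's port/range/protocol syntax, and prints the ufw commands to run. It embeds lamarch's profile text inline so it runs without touching /etc/ufw, and it offers a source-restricted variant using ufw's "allow from <net> to any app <name>" form for christgau's "can the rules be more restrictive?" question. The LAN prefix 192.168.1.0/24 is an assumed placeholder. It does not address the IGMP/multicast question raised above.

```python
"""Validate a UFW application profile and emit post-install ufw commands.

Added example for the wsdd issue thread; not part of wsdd or ufw.
Assumptions: the profile has already been copied to
/etc/ufw/applications.d/wsdd by the package, and 192.168.1.0/24 is a
placeholder for the local network.
"""

import configparser
import re
import shlex
import shutil

# lamarch's proposed profile, embedded here so the script is self-contained.
WSDD_PROFILE = """\
[wsdd]
title=WSDD
description=Web Service Discovery host daemon, that enables Samba hosts to be found by Windows clients.
ports=3702/udp|5357/tcp
"""

# One entry of the '|'-separated ports list: a port or low:high range with an
# optional /tcp or /udp suffix. UFW requires a protocol on ranges.
_PORT_RE = re.compile(
    r"^(?P<low>\d{1,5})(?::(?P<high>\d{1,5}))?(?:/(?P<proto>tcp|udp))?$"
)


def parse_profile(text):
    """Return {app_name: [(port_or_range, proto_or_None), ...]}.

    Raises ValueError for anything UFW would reject: a missing title,
    description or ports key, a malformed entry, an out-of-range port,
    or a range without a protocol.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    apps = {}
    for name in cp.sections():
        sect = cp[name]
        for key in ("title", "description", "ports"):
            if not sect.get(key, "").strip():
                raise ValueError(f"[{name}] is missing required key '{key}'")
        specs = []
        for item in sect["ports"].split("|"):
            m = _PORT_RE.match(item.strip())
            if not m:
                raise ValueError(f"[{name}] bad port spec {item!r}")
            low = int(m["low"])
            high = int(m["high"]) if m["high"] else low
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"[{name}] port out of range in {item!r}")
            if m["high"] and not m["proto"]:
                raise ValueError(f"[{name}] range {item!r} needs /tcp or /udp")
            spec = f"{low}:{high}" if m["high"] else str(low)
            specs.append((spec, m["proto"]))
        apps[name] = specs
    return apps


def postinst_commands(app, lan_cidr=None):
    """Commands a guarded post-install step would run after installing the
    profile. With lan_cidr, the rule only admits that source network instead
    of the whole world (the 'more restrictive' variant)."""
    cmds = [["ufw", "app", "update", app]]
    if lan_cidr:
        cmds.append(["ufw", "allow", "from", lan_cidr, "to", "any", "app", app])
    else:
        cmds.append(["ufw", "allow", app])
    return cmds


if __name__ == "__main__":
    for app in parse_profile(WSDD_PROFILE):
        # Like a postinst that checks for ufw first: skip silently if absent.
        if shutil.which("ufw") is None:
            print(f"# ufw not installed; commands for {app} would be:")
        for cmd in postinst_commands(app, lan_cidr="192.168.1.0/24"):
            print(shlex.join(cmd))
```

Running it prints the two commands (ufw app update wsdd, then the source-limited allow) without executing anything; a real postinst would execute them only when ufw is present and active.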

christgau commented 1 year ago

Yes, etc/ufw is fine for me. The individual package maintainers are responsible for placing that file wherever it is appropriate during the package installation. @lamarch, feel free to open up a PR as @JedMeister suggested.

That being said: Has anyone tested the proposed UFW definition file? What about multicast traffic? Can the rules be more restrictive? I am asking because I have no idea how UFW works in detail and I am used to ip/nftables with restrictive default policies with "everything off" by default....

JedMeister commented 1 year ago

TBH I'm way out of my depth and probably chiming in where I'm not needed :grin: but happy to share my 2c...

Has anyone tested the proposed UFW definition file?

I haven't and I'm not super familiar with UFW either.

Having said that according to the docs UFW still uses ip/nftables under the hood - it's just a user friendly cli front end. My understanding is that when "enabled" it drops everything that there is not an explicit rule for (but I didn't read it all - it probably explicitly says on that page).

lamarch commented 1 year ago

I have tested the definition file, and it works.

However, I'm not familiar with UFW, and maybe there is a way to make it more restrictive. I'm actually doing research to perfectly match your firewall config from the readme file.

I'll open a PR as soon as I get there.

christgau commented 1 year ago

resolved with #169