christgau / wsdd

A Web Service Discovery host daemon.
MIT License

Add UFW application definition file #169

Closed lamarch closed 1 year ago

lamarch commented 1 year ago

See #159

lamarch commented 1 year ago

There isn't much documentation about UFW application profiles, but it looks like we cannot restrict the application rules further (restrict to in or out only).

christgau commented 1 year ago

Thanks for your contribution. I just noticed that over at https://github.com/ageis/ufw-application-profiles/pull/1 an application profile for wsdd was defined as well. The PR also cites wsdd's readme 😉 and the application profile is essentially (and unsurprisingly) identical to your proposal.

I just checked whether UFW is capable of accepting more than just ports and protocols in application profiles, but from my understanding of the source code this isn't the case. So in the end, a host might be announced to a non-local network, at least for IPv4, but this appears to be accepted even for other services like VNC. Thus, we may consider this intentional, although it's not very secure from my point of view. However, any firewall is better than no firewall.

Nevertheless, there are minor things to improve w.r.t. the UFW recommendations for profiles:

  1. For consistency, profile names should start with a capital letter and the title should be a short, simple phrase.
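A UFW application profile written to the recommendations above, as an added example (not the file from this PR, whose contents are not shown here); the ports are assumed from the wsdd readme: UDP 3702 for WS-Discovery and TCP 5357 for the WSD HTTP service.

```ini
; /etc/ufw/applications.d/wsdd  (added example, not the PR's file)
; Profile name capitalised and title kept to a short phrase, per the UFW conventions.
; A profile can only express ports and protocols; direction and source cannot be set here.
[Wsdd]
title=Web Service Discovery host daemon
description=WS-Discovery (UDP 3702) and WSD HTTP metadata (TCP 5357); ports assumed from the wsdd readme
ports=3702/udp|5357/tcp
```

Because the profile itself cannot limit scope, restrict it when the rule is created, e.g. `ufw allow from 192.168.1.0/24 to any app Wsdd` (with your own LAN prefix), so the discovery ports are only opened towards the local network.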

lamarch commented 1 year ago

Whoops, it looks like I just reinvented the wheel (not as much maybe).

It's also what I was thinking about, a lot of well-known apps use this system for convenience, and this "minor" security flaw doesn't seem to worry a lot.

What's going to happen now? Do the package maintainers need to update their repos too? Are they notified of this change?

christgau commented 1 year ago

> Whoops, it looks like I just reinvented the wheel (not as much maybe).

No "whoops" here, you just independently did the same thing as another person and came to the same result. That would be a nice thing in science. 😉

> It's also what I was thinking about, a lot of well-known apps use this system for convenience, and this "minor" security flaw doesn't seem to worry a lot.

Apparently. This still causes my eyebrow to be raised, but it appears to be the way to go here.

> What's going to happen now?

I'll merge your changes soon, add an entry to the changelog and maybe release a new version.

> Do the package maintainers need to update their repos too?

They don't "need" in the sense that they "have to". The package maintainers will probably know what they have to do 😉

> Are they notified of this change?

Not by me, simply because I don't have contact information and have the impression that it is actually not required, since GitHub has some nice notification features. I assume (know) that some of the maintainers are observing this repo here, so it's not an issue from my perspective.