#1 2008-02-09 21:11:31

hardframed
Member
Registered: 2007-08-03
Posts: 25

[Request] Uncomplicated Firewall

Hello,

Ubuntu hardy introduces a new firewall ufw (Uncomplicated Firewall).
It's a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports.

It strikes me that this can make a good high level solution for configuring iptables on arch. It's very similar to the way network is set up with ethtool. What are your thoughts on this? I'm actually asking if this would be a solution that could be implemented to arch core, not to forget that it will be highly maintained, thus reduce the work for the arch team.

https://wiki.ubuntu.com/UbuntuFirewall

Last edited by hardframed (2008-02-10 20:10:33)


With a linux system, you can smell the victory.
With a arch system, you can taste it.

#2 2008-03-14 15:49:32

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [Request] Uncomplicated Firewall

Here's a pkgbuild:

# Unfinished - need to replace /etc/init.d/ufw

pkgname=ufw
pkgver=0.16
pkgrel=1
pkgdesc="Ubuntu's Uncomplicated Firewall"
arch=(i686 x86_64)
# http://packages.ubuntu.com/hardy/ucf
url="https://launchpad.net/ufw"
license=('GPL')
depends=('iptables>=1.3.3' 'python>=2.5')
source=(http://archive.ubuntu.com/ubuntu/pool/main/u/ufw/ufw_${pkgver}.tar.gz)
md5sums=('cb077dca1cecd41e49b151c4ca5cc947')

build() {
  cd ${startdir}/src/ufw-${pkgver} || return 1

  python ./setup.py install --root=$startdir/pkg/ || return 1

  # Docs
  mkdir -p $startdir/pkg/usr/share/doc/$pkgname
  install -m644 -t $startdir/pkg/usr/share/doc/$pkgname/ README* TODO || return 1
}

#3 2008-03-17 16:38:48

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: [Request] Uncomplicated Firewall

Hi,

I have tried running ufw on Arch but there seems to be a dependency missing. When compiling from source or using this PKGBUILD ufw installs fine but fails starting due to the following missing file referred to in the init script:

. /lib/lsb/init-functions

From what I can tell it is a default script providing a logging mechanism for ubuntu or something. Removing the sourcing of this file does not help because it seems to refer to the functions used in the init script like "log_failure_msg".

ufw seems like a nice CLI addition for quickly setting up a firewall without the need for a large GUI solution but a bit more user-friendly than iptables.

stefan.


"root# su - bofh"
OS: F10_x64, Arch, Centos5.3, RHEL4.7, RHEL5.3
Desktop Hardware: Dell Precision M65 laptop, core2duo, 2gb, 80gb 7200rpm
Registered linux user #459910 since 1998

#4 2008-03-17 19:04:03

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: [Request] Uncomplicated Firewall

I suppose you already know about fireHOL? Just a thought. ufw sounds nice though. iptables is not only complicated (to the average joe), it's also dangerous if you don't know what you're doing....


"Your beliefs can be like fences that surround you.
You must first see them or you will not even realize that you are not free, simply because you will not see beyond the fences.
They will represent the boundaries of your experience."

SETH / Jane Roberts

#5 2008-05-10 16:53:13

thetictacaddict
Member
Registered: 2007-03-01
Posts: 20

Re: [Request] Uncomplicated Firewall

In Ubuntu, /lib/lsb/init-functions is part of the package lsb-base.

#6 2008-05-12 07:53:21

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: [Request] Uncomplicated Firewall

well i got it working by just adding init-functions from the lsb-base source to /lib/lsb

http://archive.ubuntu.com/ubuntu/pool/m … tu1.tar.gz

i will try to whip it up in an updated pkg-build when i have the time. so far installing it from source with the init-functions in place does the trick. i must say that ufw works pretty nice, I know my way around iptables but this does simplify things and without a cumbersome GUI, I'd say it is rather KISS of ubuntu to have implemented this. I am sure ubuntu users will start to complain about the CLI and that for 8.10 they will have a GUI but for me a "ufw allow ssh" seems really elegant.

stefan


#7 2008-05-12 13:43:44

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

Does it play nice with moblock?

#8 2008-05-12 13:52:42

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: [Request] Uncomplicated Firewall

SpookyET wrote:

Does it play nice with moblock?

haven't tested myself but from what I know of moblock (peerguardianish host blocking) there shouldn't be any reason why it would not, it is merely a simple CLI interface for good-old-iptables, so in the end you will just get your old-school iptables rules back just in a more easy way to enter them.

stefan

Last edited by stefan1975 (2008-05-12 13:54:06)


#9 2008-05-17 20:13:26

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

stefan1975 wrote:

well i got it working by just adding init-functions from the lsb-base source to /lib/lsb

http://archive.ubuntu.com/ubuntu/pool/m … tu1.tar.gz

i will try to whip it up in an updated pkg-build when i have the time. so far installing it from source with the init-functions in place does the trick. i must say that ufw works pretty nice, I know my way around iptables but this does simplify things and without a cumbersome GUI, I'd say it is rather KISS of ubuntu to have implemented this. I am sure ubuntu users will start to complain about the CLI and that for 8.10 they will have a GUI but for me a "ufw allow ssh" seems really elegant.

stefan

You mind to tell me how to fix what is missing?
Better, do I have to install LSB?


Proud Ex-Arch user.
Still an ArchLinux lover though.

Currently on Kubuntu 9.10

#10 2008-05-17 20:49:54

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

We have LSB 1.4-4 in AUR.

#11 2008-05-17 20:57:30

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: [Request] Uncomplicated Firewall

LTSmash wrote:

You mind to tell me how to fix what is missing?
Better, do I have to install LSB?

no you do not have to install LSB. there may be a more elegant way of fixing this, but at least it works as follows:

1) download lsb ubuntu package
2) tar zxvf lsb.tar.gz
3) look up file init-functions in sub folder of extracted source package for lsb
4) sudo mkdir /lib/lsb
5) cp init-functions /lib/lsb
6) download and install ufw from source
7) with the init-functions in place you are all set and can run it just fine

this does not mean it "integrates" with Arch like in /etc/rc.d and can just be started like a daemon in /etc/rc.conf (yet).

stefan


#12 2008-05-17 21:00:39

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: [Request] Uncomplicated Firewall

SpookyET wrote:

We have LSB 1.4-4 in AUR.

i tried that, but i do believe it did not provide /lib/lsb/init-functions

stefan


#13 2008-05-17 22:21:55

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

stefan1975 wrote:
SpookyET wrote:

We have LSB 1.4-4 in AUR.

i tried that, but i do believe it did not provide /lib/lsb/init-functions

stefan

Well, what if I make a package only for LSB's init-functions, and then submit it to AUR?

That would make a practical solution...

there:

# Contributor: LTSmash <lord.ltsmash@gmail.com>
# Packages only init-functions from Ubuntu's lsb source tarball
pkgname=init-functions
pkgver=3.2
pkgrel=1
pkgdesc="Functions used at init time by the Linux Standard Base"
arch=(i686 x86_64)
url="http://www.linuxbase.org"
license=('GPL')
source=(http://archive.ubuntu.com/ubuntu/pool/main/l/lsb/lsb_3.2-4ubuntu1.tar.gz)
md5sums=('c77e0f6649fd01645b919cf41f25d366')

build() {
  cd "$srcdir/lsb-$pkgver" || return 1
  # Copy the helper that the ufw init script sources into /lib/lsb
  mkdir -p "$startdir/pkg/lib/lsb" || return 1
  cp "$pkgname" "$startdir/pkg/lib/lsb/$pkgname" || return 1
}

Easier impossible

EDIT: Corrected the PKGBUILD.

Last edited by LTSmash (2008-05-17 22:42:01)


#14 2008-05-17 22:28:08

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

Neah. It's rubbish. We either package LSB 3.2, or we do not.

#15 2008-05-17 22:42:59

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

SpookyET wrote:

Neah. It's rubbish. We either package LSB 3.2, or we do not.

This is just a workaround for installing the ufw, we aren't trying to use the LSB... so your comment is out of site.


#16 2008-05-17 23:02:09

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

I did update a little bit the UFW PKGBUILD since the other posted here doesn't work anymore:

# Contributor: LTSmash <lord.ltsmash@gmail.com>
pkgname=ufw
pkgver=0.16.2
pkgrel=1
pkgdesc="Ubuntu's Uncomplicated Firewall"
arch=(i686 x86_64)
url="https://launchpad.net/ufw"
license=('GPL')
depends=('iptables>=1.3.3' 'python>=2.5')
source=(http://archive.ubuntu.com/ubuntu/pool/main/u/ufw/ufw_${pkgver}.tar.gz)
md5sums=('833cc7452e1118f1fa37c3d065ddf66a')

build() {
  cd ${startdir}/src/ufw-${pkgver} || return 1
  python ./setup.py install --root=$startdir/pkg/ || return 1

  #Docs
  mkdir -p $startdir/pkg/usr/share/doc/$pkgname
  install -m644 -t $startdir/pkg/usr/share/doc/$pkgname/ README* TODO || return 1
}

#17 2008-05-17 23:22:01

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

LTSmash wrote:

I did update a little bit the UFW PKGBUILD since the other posted here doesn't work anymore:

# Contributor: LTSmash <lord.ltsmash@gmail.com>
pkgname=ufw
pkgver=0.16.2
pkgrel=1
pkgdesc="Ubuntu's Uncomplicated Firewall"
arch=(i686 x86_64)
url="https://launchpad.net/ufw"
license=('GPL')
depends=('iptables>=1.3.3' 'python>=2.5')
source=(http://archive.ubuntu.com/ubuntu/pool/main/u/ufw/ufw_${pkgver}.tar.gz)
md5sums=('833cc7452e1118f1fa37c3d065ddf66a')

build() {
  cd ${startdir}/src/ufw-${pkgver} || return 1
  python ./setup.py install --root=$startdir/pkg/ || return 1

  #Docs
  mkdir -p $startdir/pkg/usr/share/doc/$pkgname
  install -m644 -t $startdir/pkg/usr/share/doc/$pkgname/ README* TODO || return 1
}

Hum, I already noticed that this won't work.

The setup.py somehow makes the executable to look for itself in the selected installation root, so the code MUST be patched to work correctly with pacman.

I'm looking forward to know how they package ufw for Ubuntu without experiencing this problem...

NOTE:
The error is this:

[root@LTS-Arch ufw]# ufw status
ERROR: uid is 0 but '/home/ltsmash/PKGBUILDS/ufw/pkg/etc/default/ufw' is owned by 501

NOTE: I didn't execute ufw from /home/ltsmash/PKGBUILDS/ufw/pkg/etc/default/ufw

Last edited by LTSmash (2008-05-18 21:32:28)


Offline
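
The error reported in the post above (root refusing a file under the build directory that is owned by uid 501) can be caught before a package is installed. The following is an added example, not part of the thread and not ufw's own code: it audits a makepkg staging tree for files that embed the staging path and for entries not owned by the expected uid. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: not code from the thread and not ufw's own code.
# Function names and the sample tree are constructed for illustration.

# Print files under staging dir $1 whose contents embed its absolute path.
find_staging_leaks() {
    root=$(cd "$1" >/dev/null 2>&1 && pwd) || return 2
    grep -rlF -- "$root" "$root" 2>/dev/null | sort
}

# Print entries under $1 that are not owned by uid $2 (default 0).
find_wrong_owner() {
    root=$(cd "$1" >/dev/null 2>&1 && pwd) || return 2
    find "$root" ! -user "${2:-0}" | sort
}

# Report both kinds of finding. Returns 0 if clean, 1 if not, 2 on bad dir.
audit_pkgdir() {
    leaks=$(find_staging_leaks "$1") || return 2
    owners=$(find_wrong_owner "$1" "${2:-0}") || return 2
    [ -z "$leaks" ] || printf '%s\n' "$leaks" | sed 's/^/LEAK  /'
    [ -z "$owners" ] || printf '%s\n' "$owners" | sed 's/^/OWNER /'
    [ -z "$leaks$owners" ]
}

# Constructed sample: a staging tree where one installed script carries the
# build-time root in a path, as the quoted error message suggests happened.
make_sample_tree() {
    mkdir -p "$1/etc/default" "$1/usr/sbin" || return 2
    root=$(cd "$1" >/dev/null 2>&1 && pwd) || return 2
    echo 'ENABLED=no' > "$root/etc/default/ufw"
    printf 'CONFIG="%s/etc/default/ufw"\n' "$root" > "$root/usr/sbin/ufw"
}

# Run against a real staging directory: sh audit.sh /path/to/pkg [uid]
if [ -n "${1:-}" ]; then
    audit_pkgdir "$1" "${2:-0}"
fi
```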

#18 2008-05-18 21:34:21

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

I filed a bug in launchpad so that they make ufw portable (hope so):

https://bugs.launchpad.net/ufw/+bug/231770

It would be great however if someone made a patch and submitted it.


#19 2008-05-18 23:18:36

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

LTSmash wrote:

I filed a bug in launchpad so that they make ufw portable (hope so):

https://bugs.launchpad.net/ufw/+bug/231770

It would be great however if someone made a patch and submitted it.

It is portable. That's the point of LSB. We're at fault.

#20 2008-05-18 23:28:48

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

SpookyET wrote:
LTSmash wrote:

I filed a bug in launchpad so that they make ufw portable (hope so):

https://bugs.launchpad.net/ufw/+bug/231770

It would be great however if someone made a patch and submitted it.

It is portable. That's the point of LSB. We're at fault.

Well, using LSB means to use RPM, so I guess that's stupid.

However, the problem this time isn't if we support LSB or not, but how to package ufw for Arch having found a workaround for the LSB's deps.


#21 2008-05-18 23:36:59

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

LTSmash wrote:
SpookyET wrote:
LTSmash wrote:

I filed a bug in launchpad so that they make ufw portable (hope so):

https://bugs.launchpad.net/ufw/+bug/231770

It would be great however if someone made a patch and submitted it.

It is portable. That's the point of LSB. We're at fault.

Well, using LSB means to use RPM, so I guess that's stupid.

However, the problem this time isn't if we support LSB or not, but how to package ufw for Arch having found a workaround for the LSB's deps.

Full LSB compliance, yes. But, there are degrees of LSB support. RPM is just a package format. Whether it's tar.gz, tar.bz2, rar, zip, rpm, deb, .exe, it does not matter, it's what you do with them, that's where pacman excels, not because of the tar.gz.

#22 2008-05-18 23:48:14

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

Let me put it to you this way, debs suck from the dev point of view. They are praised because Synaptic/aptitude/apt-get are awesome. They are good from the user point of view. But, if you had to make one, you would throw yourself off the nearest bridge. RPM creation is similar to pacman packages. I'd take RPM over deb any day. Just use apt with rpm or smart. They are fine. Because of the complicated matter of debs, converting stuff from debian is a bitch.

#23 2008-05-18 23:57:39

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

SpookyET wrote:

Let me put it to you this way, debs suck from the dev point of view. They are praised because Synaptic/aptitude/apt-get are awesome. They are good from the user point of view. But, if you had to make one, you would throw yourself off the nearest bridge. RPM creation is similar to pacman packages. I'd take RPM over deb any day. Just use apt with rpm or smart. They are fine. Because of the complicated matter of debs, converting stuff from debian is a bitch.

But what does this have to do with making ufw work with Arch?

I have already told you, I don't care about having LSB in Arch or not, but I care about having ufw...

And the discussion about RPM's vs. DEB vs. pkg.tar.gz is completely out of site (at least that's what I think)


#24 2008-05-19 00:24:08

SpookyET
Member
Registered: 2008-01-27
Posts: 410

Re: [Request] Uncomplicated Firewall

I can patch setup.py. The way they get around that problem is by using fakeroot a little more advanced than the way we use fakeroot.  The install script never sees the full path on ubuntu.

Last edited by SpookyET (2008-05-19 00:25:53)

#25 2008-05-19 00:25:29

LTSmash
Member
From: Aguascalientes - Mexico
Registered: 2008-01-02
Posts: 348
Website

Re: [Request] Uncomplicated Firewall

SpookyET wrote:

I can patch setup.py

Will you? :D

