Minor updates alter firewall settings

My UCS server is accessible from the internet. In the default configuration, the UCS firewall is wide open, which makes sense in a closed distributed environment, which isn’t accessible from the internet.

In order to secure it and safely put it on the internet, I had to close lots of unnecessary ports and modify several further rules, to only allow inbound traffic on these local ports.

However, after almost each minor update, these security-related configurations get altered again, which is quite annoying, and highly insecure. For example, right now I updated several packages and again:

Create security/packetfilter/package/univention-bind/udp/53/all
Create security/packetfilter/package/univention-bind/tcp/53/all
Create security/packetfilter/package/univention-bind/udp/7777/all
Create security/packetfilter/package/univention-bind/tcp/7777/all
Create security/packetfilter/package/univention-bind/udp/53/all/en
Create security/packetfilter/package/univention-bind/tcp/53/all/en
Create security/packetfilter/package/univention-bind/udp/7777/all/en
Create security/packetfilter/package/univention-bind/tcp/7777/all/en
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh

I don’t want these ports open, and I don’t need them open, because I only have one single master UCS and nothing else. 53 is routed from the local IP, which is all I need, and not open from outside.

So as a suggestion: Don’t modify the firewall with just minor updates, and if you do so, put a big warning with a list of modified ports, so that the firewall rules can be checked again if the update modified them.
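One way to catch this kind of drift after an update is to audit the packetfilter variables rather than re-reading the firewall by hand. The script below is an added example, not code from the post or from Univention: it parses `ucr dump`-style `key: value` lines (the sample is constructed, modelled on the variables shown above), skips the `/en` description keys, and reports every effective ACCEPT rule whose port is not on an allow list, printing the `ucr set security/packetfilter/<proto>/<port>/<addr>=REJECT` override for each. It assumes that a user-defined `security/packetfilter/<proto>/<port>/<addr>` variable takes precedence over the package-defined `security/packetfilter/package/<pkg>/...` variable for the same port, so an override survives the package re-creating its rule; verify that precedence against your UCS version before relying on it.

```python
"""Audit UCS packetfilter rules from `ucr dump`-style output (added example).

Package rules:  security/packetfilter/package/<pkg>/<proto>/<port>/<addr>: ACCEPT|REJECT|DROP
User rules:     security/packetfilter/<proto>/<port>/<addr>: ACCEPT|REJECT|DROP
Keys ending in /en (or another language code) only carry a description.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the `key: value` shape that `ucr dump` prints.
SAMPLE_DUMP = """\
security/packetfilter/package/univention-bind/tcp/53/all: ACCEPT
security/packetfilter/package/univention-bind/udp/53/all: ACCEPT
security/packetfilter/package/univention-bind/tcp/53/all/en: DNS
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/tcp/7777/all: REJECT
security/packetfilter/defaultpolicy: REJECT
"""

RULE_RE = re.compile(
    r"^security/packetfilter/"
    r"(?:package/(?P<pkg>[^/]+)/)?"          # present only for package-defined rules
    r"(?P<proto>tcp|udp)/(?P<port>\d+)/(?P<addr>[^/:]+)"
    r"(?P<desc>/[a-z]{2})?"                  # /en etc.: a description, not a rule
    r": (?P<value>.*)$"
)


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    addr: str            # "all", "ipv4" or "ipv6" in UCS
    policy: str          # ACCEPT, REJECT or DROP
    package: Optional[str]   # None for a user-defined rule


def parse_rules(dump_text: str) -> List[Rule]:
    """Extract firewall rules; description keys and unrelated variables are ignored."""
    rules = []
    for line in dump_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("desc"):
            continue
        rules.append(Rule(m["proto"], int(m["port"]), m["addr"],
                          m["value"].strip().upper(), m["pkg"]))
    return rules


def effective_rules(rules: List[Rule]) -> Dict[Tuple[str, int, str], Rule]:
    """Resolve one rule per (proto, port, addr); a user rule beats a package rule (assumption)."""
    effective: Dict[Tuple[str, int, str], Rule] = {}
    for r in rules:
        key = (r.proto, r.port, r.addr)
        current = effective.get(key)
        # First rule wins unless a user-defined rule displaces a package rule.
        if current is None or (current.package is not None and r.package is None):
            effective[key] = r
    return effective


def unexpected_accepts(rules: List[Rule], allowed: Set[Tuple[str, int]]) -> List[Rule]:
    """Effective ACCEPT rules whose (proto, port) is not on the allow list."""
    return sorted(
        (r for r in effective_rules(rules).values()
         if r.policy == "ACCEPT" and (r.proto, r.port) not in allowed),
        key=lambda r: (r.proto, r.port, r.addr),
    )


def override_commands(rules: List[Rule], allowed: Set[Tuple[str, int]],
                      policy: str = "REJECT") -> List[str]:
    """`ucr set` lines that add a user-defined override for each unexpected open port."""
    return [f"ucr set security/packetfilter/{r.proto}/{r.port}/{r.addr}={policy}"
            for r in unexpected_accepts(rules, allowed)]


if __name__ == "__main__":
    # Only HTTPS is meant to be reachable from outside on this constructed host.
    allow = {("tcp", 443)}
    for r in unexpected_accepts(parse_rules(SAMPLE_DUMP), allow):
        print(f"{r.proto}/{r.port}/{r.addr} ACCEPT from package {r.package}")
    for cmd in override_commands(parse_rules(SAMPLE_DUMP), allow):
        print(cmd)
```

On a real host, feed it the output of `ucr dump` (for example via a wrapper that runs after `univention-upgrade`) and keep the allow list in version control next to the rest of the hardening, so a package re-creating its `security/packetfilter/package/...` variables shows up as a diff instead of a silently reopened port. Remember that port 53 on a single master is still needed locally, so the override should be checked against the local resolver before it is applied.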
