My main interest in application firewall capabilities is something that wtdt mentioned. All my internet is pay per MB and expensive. I don't have another choice. I would love to not get surprises in a huge bill because something decided to update or I forgot to turn something off.
I'm also looking for an application based firewall. I recently went abroad with my netbook and £40 (around $70, premium rate bandwidth on foreign network) worth of 3G was blown before I even started using it properly because:
- I left Prey anti-theft running (which can only be disabled via the website).
- Ubuntu auto updates was enabled.
- I also suspect I had a couple of rogue apps connecting on port 80.
I'm pissed Ubuntu let me do this, and if legit apps can connect to the Internet without my (at the time) knowing, so can rogue apps, and something for tracking these sorts of outgoing connections is (still) needed. I'm now actually considering having a Windows dual boot system just so I can use a real personal firewall.
UPDATE: I've emailed the author of "linux-firewall.org" about getting the source code for his application ( http://linux-firewall.org/ ) as that seems to be exactly what most people need but I don't trust random binary installers on the 'net offering exactly the kind of thing Ubuntu needs...
Last edited by brownb2; August 21st, 2011 at 03:26 PM.
Basically the "rogue apps" are exactly those you configured yourself.
Considering you would have allowed such traffic in the first place, I do not see how you can come to that conclusion.
If you are interested, there are ways of monitoring your bandwidth and determining what is using your bandwidth.
See also tools such as htop.
Ubuntu should magically spot that you have travelled abroad and are using expensive bandwidth, then automagically reconfigure itself not to update, automagically log into your Prey account and disable that and automagically disable those rogue apps?
What???? Seriously you are joking right?
How about taking some responsibility for yourself?
In case I don't see ya; good afternoon, good evening, and goodnight
Users cannot possibly be expected to keep track of each app individually, and if you read the title of this thread you'd understand that a central point, the firewall, one that used to work, is an ideal place to block these types of connections on a per-app basis. Previously my "taking some responsibility" was assuming (g)ufw was up to the job and I would be prompted for outgoing connections à la Sunbelt Firewall et al.
With respect to the other posters, I really don't want to do network analysis on a netbook on holiday especially when I see in Windows I can just disable outgoing connections for everything but Thunderbird and Firefox. How easy is this with ufw/ipchains (and if it is easy, if it's command line based, again it's not suitable unless you're a developer/techie - which I am, BUT it's not something I can recommend to others)?
Related, the linux-firewall.org owner never responded to requests for source code, so I'm making the assumption that it's unstable and/or insecure (in all senses).
But in this case the user specifically configured Ubuntu to use higher than the default bandwidth, but then blamed Ubuntu for the increased bandwidth.
So yes, this is an example where the user is indeed at fault.
I just finished carefully reading every single post in this thread, and have a couple of things to say:
*) Using the term "Windows mindset" or repeating "this isn't Windows" is a cop out - a way of avoiding discussing the details, by lumping dissenting voices into a generic stereotyping.
*) Phone home software in drivers IS an issue, and it's unavoidable. It has absolutely no connection with questions re. repositories vs. other sources. It's the consequence of equipment manufacturers working hard to dig deeper into the pockets of their customers, and working hard to leverage their sales/transactions into further profit regardless of the ethics of their methods. Use of those drivers is a necessity; the equipment is designed from scratch to insist on it. This problem won't go away just because this is Linux, and the time-honored traditional methods & tools in Linux are insufficient to obstruct this new threat to privacy. Therefore, new tools & methods are required.
Based on what I've read in this thread, process #'s are insufficient for this task, as are port #'s. The problem in limiting outgoing connections on a per-application basis, is that the Linux environment doesn't maintain a comprehensive table of program I.D. #'s. (Please correct me, if I'm wrong about that.) In the absence of a comprehensive table of program I.D. #'s, it's not possible to maintain a table of which programs own which current connections - or, to block programs from making connections. Such a table of program I.D. #'s would have to be updated & maintained during every instance of program installation, including assigning separate I.D. #'s for each & every driver. Given such a table to reference, it would be easy to implement per-program internet access privileges. The registration table would have 3 columns: Text of program name, numeric program I.D. # assigned at installation time, and numeric value indicating privileges.
If such a table existed, then establishing a connection could be allowed or refused based on the value of the privileges info in the table. A request for an outgoing connection would require the requesting program to provide a valid I.D. #. Administrators would be able to review &/or edit the privileges in the table on an as-needed basis. A session log would be maintained of programs owning current outgoing connections, with start & end times. The drawback to this framework is the possibility of programs accessing the table's values for the purpose of spoofing I.D. #'s & associated privileges. I'm not proposing that this would be a replacement for iptables - it would be an associated accessory, plugging a gap in the security measures.
I don't know the details of operation, re. TuxGuardian, so I don't know if it does what I've proposed here. All I'm really sure of, is that software to do what I've written in the previous 2 paragraphs is needed.
But, please don't tell me that if I want such a feature in the OS then I should write it myself. My programming activities were limited to BASIC - however, my experience in flowcharting, principles of program design, and complex systems analysis are still valid & useful. Of course, if you think it would be right & proper for the entire Linux community to wait until I somehow manage to master writing software in a new language like C++ or Python...?
To sum up: A new problem exists, and traditional methods are insufficient for dealing with it. A method for controlling this problem exists - all that's required is for the community of Linux developers to recognize & acknowledge the problem, then create software that applies the remedy.
"That's my motto - a place for everything, and everything all over the place!"
-- From an old comic I once saw.--
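One way to build the table of connection owners described in the post above, from the /proc interface Linux already exposes: an added Python example, not code from any poster in the thread or from TuxGuardian. The /proc/net/tcp lines are constructed, and the address decoder assumes a little-endian host.

```python
import os, socket, struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp: a local listener plus one outbound session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0 100 0 0 10 0
   1: 0F02000A:C1B2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0 20 4 30 10 -1
"""

def decode_addr(hexaddr):
    # "0100007F:0277" -> ("127.0.0.1", 631). /proc prints the IPv4 address in
    # host byte order, so "=I" (native order) reverses it; little-endian host assumed.
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One record per socket line; the inode is the key that links it to a process."""
    conns = []
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": f[9]})
    return conns

def socket_owners():
    """Scan /proc/<pid>/fd for socket:[inode] links -> {inode: (pid, comm)}."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[link[8:-1]] = (int(pid), comm)
        except OSError:
            continue            # process exited, or another user's fds (needs root)
    return owners

def attribute(conns, owners):
    """Join connections to their owning process; unknown owners stay visible."""
    return [dict(c, owner=owners.get(c["inode"], (None, "unknown"))) for c in conns]
```

On a live host, feed the contents of /proc/net/tcp to parse_proc_net_tcp and join the result with socket_owners() (run as root to see other users' sockets); every row whose state is not LISTEN is an outbound session and can be logged with a timestamp to give the session log the post asks for.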
If you find a driver that "phones home" in the Ubuntu repositories then please show it to us and file a bug report.
Otherwise, do not install 3rd party software. If you are concerned about such third party hardware, do not buy it.
There are several vendors that sell computers with Linux pre-installed:
There is no security model that can protect you when you are going to install third party, closed source applications or driver(s). You run the installer as root and it has full access to your system, including the ability to deactivate any "application based firewall" you might write or install.
You complain about the "Windows mentality", although you have little or no experience with Linux or Linux security. This is the problem. The first step is for you to understand how Linux works, then how Linux security is designed.
Rather than bothering to take the time to understand how Linux works, you come in here demanding some feature of the developers. Such an attitude does not go far here on the forums, and even less with developers.
Because you do not understand Linux, you come across as making unreasonable demands, and people (developers) lose interest in listening to such demands very, very, very fast.
If you want an insight to how developers think read:
Sure, it is Red Hat, but you get the idea.
If you file a bug report about a third party driver, such as nvidia, "phoning home" with any major Linux project, Ubuntu, Debian, Fedora, etc, it will be marked as invalid, and rightly so.
Last edited by bodhi.zazen; August 25th, 2011 at 03:16 PM.