Page 2 of 12 FirstFirst 1234 ... LastLast
Results 11 to 20 of 112

Thread: TuxGuardian - application based firewall

  1. #11
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by Dorotheos View Post
    Ok guys, I don't know exactly what your backgrounds are, but an application based firewall is needed for Linux to gain popularity and maintain its high security. I use apparmor, selinux, snort, and a host of other hids services to maintain my host. However, to run online games that access multiple ip addresses or even use services such as Skype which uses p2p to communicate, an application based firewall is needed. I definitely don't want to open all the ports needed for those services on my host for anytime use, and I don't want to keep turning everything off to use them. An application based firewall is needed to continue to maintain our call to the world that Ubuntu is ready to be used as your home OS.
    Don't know about gaming, but Skype works just fine with UFW in a default-deny configuration. That is to say, if the connection is initiated by the user on the client side, then the established and related connections will work just fine. It just doesn't allow unsolicited connections to be initiated from external devices. For Skype, all I have to do is start the client and sign in; no need to open any ports or anything like that. I don't deny anything on the egress side since the only things that connect that way are things that I've started in the first place. Denying outbound traffic doesn't really improve security (on the Linux desktop), but can restrict functionality greatly, or worse, can lead users to make granular changes which undermine whatever protection they thought they were setting up in the first place.

  2. #12
    Join Date
    Sep 2007
    Beans
    8
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by Abir Valg View Post
    The only other similar project I came across was linux-firewall.org, although it didn't work as promised on my machine, so I can't vouch for it.
    Another old one is Program Guard, which was last updated in 2005.

    There's also snet (2009). There's a good discussion of it here.
    Last edited by chocolateboy; October 26th, 2010 at 04:26 AM.

  3. #13
    Join Date
    Jun 2010
    Location
    Austria - Graz
    Beans
    124
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by arapaho View Post
    You can't guarantee that it will not be created. When this happens Linux users will not be prepared.
    I think you have to get comfortable with the underlying structure and way Linux works to judge.

    Quote Originally Posted by arapaho View Post
    Anyway, maybe it is great tool for IT professionals but for desktop, an application working like tuxguardian would be simpler and better solution at least for newbies.
    Believe me, real IT professionals won't use that, neither will they use Linux based firewalls at all. IT professionals use BSD based firewalls for good reasons. You might want to investigate a bit on that to see why.

    Quote Originally Posted by arapaho View Post
    I don't work on servers and I really don't care about servers.
    This is quite bad. Servers require the most security possible as they host sensitive data. You can definitely look at how servers get secured and learn from that. This is like the Formula 1 of the IT world. Good ideas and concepts can be adapted for normal cars to get them more efficient and so on. Same applies for security.

    Quote Originally Posted by Dorotheos View Post
    Ok guys, I don't know exactly what your backgrounds are, but an application based firewall is needed for Linux to gain popularity and maintain its high security.
    An application based firewall will only give you a false feeling of security like it does on Windows. Sure you might feel secure to have one but you definitely are no more secure than without.

  4. #14
    Join Date
    Jun 2010
    Beans
    115
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: TuxGuardian - application based firewall

    As a simple end user who isn't getting much if anything out of the usually promoted solutions such as apparmor, I must say I find the attitude expressed by the experts here in response to the OP highly regrettable.


    I for one, would greatly appreciate a solution that let me simply create a rule "This application can't access the internet". I've tried achieving this with apparmor, by doing a test on so constraining Opera, to no effect (and have posted about it in a thread a few weeks ago). Perhaps this can be done with ufw/iptables, but I haven't managed to work it out.


    Again, to all the experts, please accept that some of us are too busy accomplishing "real world" tasks with Linux and don't have the time or the inclination to learn complex solutions. We do need simple and powerful options as suggested by the OP. Maybe Tuxguardian isn't the right tool, but the idea is sound.

  5. #15
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by KonfuseKitty View Post
    As a simple end user who isn't getting much if anything out of the usually promoted solutions such as apparmor, I must say I find the attitude expressed by the experts here in response to the OP highly regrettable.


    I for one, would greatly appreciate a solution that let me simply create a rule "This application can't access the internet". I've tried achieving this with apparmor, by doing a test on so constraining Opera, to no effect (and have posted about it in a thread a few weeks ago). Perhaps this can be done with ufw/iptables, but I haven't managed to work it out.


    Again, to all the experts, please accept that some of us are too busy accomplishing "real world" tasks with Linux and don't have the time or the inclination to learn complex solutions. We do need simple and powerful options as suggested by the OP. Maybe Tuxguardian isn't the right tool, but the idea is sound.
    I do understand this; however, when looking for solutions it's important to first define a problem. Does it take an additional application to prevent something that isn't happening in the first place?

    The development framework for the desktop environment is modular. Software that needs to access the internet is created specifically to access the internet and says so in its descriptions. For example, if something is running in a web browser, it will be accessing the internet. A weather applet installed in the panel or on a dock is going to be accessing the internet. Same for an applet that alerts on new mail. An IM client is going to as well. Those applications are made to do that.

    Things like word processors and other productivity applications probably don't need to most of the time, and so they won't. When there's an active link in a PDF or doc file, it will open a browser if there's not one already open, rather than simply connecting itself (well, except for Adobe Reader, which for whatever reason allows the running of scripts and can access the web directly, but that's just bad design and there are alternatives).

    Shell scripts can be read as text files before running them to see what they do. If they can't be, or if they're obfuscated or encoded in some weird way, then we all have the option to not run them.

    I'm sorry to come across as so exasperated, but I'm having a difficult time understanding exactly what purpose an application based firewall would really serve. I think it would be easier to constrain things on an individual basis, if it's necessary to do so at all. It's probably easier to get support for specific tasks/constraints on specific applications as well.

  6. #16
    Join Date
    Feb 2009
    Beans
    26
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by OpSecShellshock View Post
    Shell scripts can be read as text files before running them to see what they do. If they can't be, or if they're obfuscated or encoded in some weird way, then we all have the option to not run them.
    But the average user Linux and Ubuntu is starting to attract won't read a shell script.

    I'm absolutely no expert on this topic, on the contrary I'm a complete n00b. But the general idea of Linux being safe out of the box and that there is a discussion whether it's possible to hack this or that instead of WHEN it's going to happen seems rather distant to me. (Again I'm no expert so feel free to unload your expertise on me. I need the education.)

    I mean a 14 year old hacked the FBI. Seems to me most things are possible in this digital world!

  7. #17
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by fmfrisch View Post
    But the average user Linux and Ubuntu is starting to attract won't read a shell script.

    I'm absolutely no expert on this topic, on the contrary I'm a complete n00b. But the general idea of Linux being safe out of the box and that there is a discussion whether it's possible to hack this or that instead of WHEN it's going to happen seems rather distant to me. (Again I'm no expert so feel free to unload your expertise on me. I need the education.)

    I mean a 14 year old hacked the FBI. Seems to me most things are possible in this digital world!
    Well don't get me wrong; Linux computers get successfully intruded upon all the time. It's just that when it happens, it's due to something the user did (enabling remote administrative access, installing malicious packages or running bad scripts), rather than something they failed to do (such as installing some "security" tool).

  8. #18
    Join Date
    Oct 2010
    Beans
    5

    Re: TuxGuardian - application based firewall

    Without a firewall I think you are virtually exposed to the hackers with or without a Linux environment. I've used TuxGuardian in the past and I think it is a pretty good application for computer security.

  9. #19
    Join Date
    Jun 2010
    Location
    Austria - Graz
    Beans
    124
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: TuxGuardian - application based firewall

    Yes, indeed a firewall should be required anyway, but not as software which probably is even running in user space on the machine itself. A nice OpenBSD box for example behind the router (or if versed enough even as the router) would be optimal.

  10. #20
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TuxGuardian - application based firewall

    A firewall really doesn't do anything on a default installation, as there are no ports open to the outside world, and if you are behind a router, it's a belt + suspenders type of activity.

    It's just like the poster earlier that tried to block Opera from accessing the Internet. Web browsers and many other programs use random high ports for outgoing connections, so it's pretty hard to block a port if you don't know which one it is using, and it changes every time you use a program. Have a look at this example:

    Code:
    netstat -tn
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 192.168.1.215:43915     209.85.225.125:5222     ESTABLISHED
    tcp        0      0 192.168.1.215:56053     192.168.1.235:22        ESTABLISHED
    tcp        0      0 127.0.0.1:7634          127.0.0.1:53732         TIME_WAIT  
    tcp        1      0 192.168.1.215:44341     96.8.82.129:80          CLOSE_WAIT 
    tcp        1      0 192.168.1.215:51431     96.8.82.129:80          CLOSE_WAIT
    I've bolded the outgoing ports, these change every time a program is opened.
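
The netstat output in post #20 shows why a rule keyed on the local port cannot single out one program. As an added example that is not part of the original thread and is not TuxGuardian code, iptables can instead match on the group that owns the socket, which covers the "this application can't access the internet" request from post #14. The group name `noinet` and chain name `NOINET` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: block outbound traffic for programs started under one group.
# GROUP and CHAIN are hypothetical names chosen for this illustration.
GROUP="${GROUP:-noinet}"
CHAIN="${CHAIN:-NOINET}"

# Emit the commands in order. The owner match keys on the group that owns
# the socket, so the changing source ports seen in netstat do not matter.
noinet_rules() {
    echo "groupadd -f --system $GROUP"
    for ipt in iptables ip6tables; do
        echo "$ipt -N $CHAIN"
        # Loopback stays reachable so local IPC keeps working.
        echo "$ipt -A $CHAIN -o lo -j RETURN"
        echo "$ipt -A $CHAIN -j REJECT"
        # Position 1: evaluated before any rule already in OUTPUT.
        echo "$ipt -I OUTPUT 1 -m owner --gid-owner $GROUP -j $CHAIN"
    done
}

# Print the commands by default; execute them only with APPLY=1 as root.
noinet_install() {
    if [ "${APPLY:-0}" != "1" ]; then
        noinet_rules
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply" >&2; return 1; }
    noinet_rules | while read -r cmd; do
        $cmd || return 1
    done
}

# Command line that starts a program with GROUP as its effective group.
noinet_launch_cmd() {
    printf 'sg %s -c "%s"\n' "$GROUP" "$*"
}

noinet_install
noinet_launch_cmd opera
```

Rules added this way are lost on reboot unless saved, and the apply path is not idempotent because `iptables -N` fails when the chain already exists.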
