
Thread: TuxGuardian - application based firewall

  1. #31
    Join Date
    Oct 2010
    Beans
    5

    Re: TuxGuardian - application based firewall

    Unfortunately the average user is notoriously good at getting infected from anything from rootkits to "free" screensavers. If it looks good they'll click on it, install it and click yes to every warning. Unfortunately for us this is the group of users we are pandering to.

    While Ubuntu has done an excellent job providing a secure OS, and the community has helped refine and improve it, there still remains a need to run potentially malicious programs locally. It therefore becomes important to provide as many tools as possible to "sandbox" applications. While experts can block communication on certain ports, certain protocols and IP addresses, there is still a need to block communication on a program level. We need an interactive method of stopping communication before it initiates and deciding whether to Allow or Deny.
    Last edited by LucasAdams; October 31st, 2010 at 05:55 AM.

  2. #32
    Join Date
    Jun 2010
    Beans
    115
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: TuxGuardian - application based firewall

    The argument that this is somehow an issue of Windows versus Linux, ignorance versus knowledge, is disingenuous and quite dangerous. There is no good reason to not strive for simple and powerful solutions if such is possible. Blacklisting, or better yet, whitelisting applications that can or can't connect to the internet - why should that be seen as the user avoiding having to learn how a Linux computer works? I could learn all there is to learn about Linux security, but would still appreciate a simple instruction "Nothing but Opera and Evolution can connect to the internet". Not 100% secure, but a good deal better than having to listen to packets, grep the results, interpret, etc. etc. I regret to say that the attitude of the experts here, the fact that they resort to the "You're coming from Windows so you don't know" non-argument is anything but helpful.


    I've just noticed in my logs that on every startup and wakeup my computer is connecting to Canonical servers, even though automatic checks are disabled in the Update Manager. If I had the tool as discussed in this thread, this wouldn't be an issue. But as things are, I have to fiddle with some networking startup script to deal with it.

  3. #33
    Join Date
    Jun 2010
    Location
    Austria - Graz
    Beans
    124
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: TuxGuardian - application based firewall

    Originally posted by KonfuseKitty:
    I've just noticed in my logs that on every startup and wakeup my computer is connecting to Canonical servers, even though automatic checks are disabled in the Update Manager. If I had the tool as discussed in this thread, this wouldn't be an issue. But as things are, I have to fiddle with some networking startup script to deal with it.

    Ah, I see the old "oh-gosh-windows-is-communicating-with-microsoft" problem. At the risk of sounding very rude, you simply don't seem to understand that much about the OS you are operating on and apparently would like to just block all what's unknown to not further care about. Instead people should try to investigate what's going on.

    I'm quite certain that the communication going on might be related to the statistics gathering which you agreed to when installing Ubuntu. You know, the checkbox asking you for permission to collect anonymous statistics about preferred packages. Even if that's not the case, I'm more than 100% certain that it's neither the NSA nor Canonical trying to get your bank account information.

    I don't quite understand why people tend to be that paranoid about such stuff but then click on an IM message saying that they can win an iPhone 4 or that there is an awesome video on YouTube they just have to watch. People's common sense and their sense for security seem to be extremely off, which is exactly the point I'm talking about.

    Try to teach the new generation, and the old generation too to a certain extent, what security means and what to keep an eye on. Just creating a mechanism to make them click and forget is so wrong. It will only help them to not bother anymore about it, and their sense of security remains off.

    I know this sounds like a rant, and in fact it also is a rant, that most people new to Linux in general seem to not want to understand and learn their OS, and they seem to not want to understand and learn about security either, but instead they want to have what they were used to. Install an anti-virus, a firewall program and then forget about all that networking and security crap.

    We are definitely moving towards a future where knowledge about computers and how they work will be required even more day to day so I fail to understand why people still don't want to open their minds and learn about new things as they simply have to. Maybe not today but soon enough.

    /rant

  4. #34
    Join Date
    Aug 2008
    Beans
    Hidden!

    Re: TuxGuardian - application based firewall

    Originally posted by mainerror:
    Ah, I see the old "oh-gosh-windows-is-communicating-with-microsoft" problem. At the risk of sounding very rude, you simply don't seem to understand that much about the OS you are operating on and apparently would like to just block all what's unknown to not further care about. Instead people should try to investigate what's going on.

    That "block all what's unknown to not further care about" is called "default deny." It's a best practice and comes from the principle of least privilege. I think he wants to follow that principle and wants more visibility and control over what happens on his computer. Where I come from, regardless of the OS, those are good things.

  5. #35
    Join Date
    Sep 2010
    Beans
    898

    Re: TuxGuardian - application based firewall

    Originally posted by mainerror:
    ...
    We are definitely moving towards a future where knowledge about computers and how they work will be required even more day to day so I fail to understand why people still don't want to open their minds and learn about new things as they simply have to. Maybe not today but soon enough. /rant

    No offense, but that's merely wishful thinking.

    The average user doesn't want to learn more about computers. To him, a computer is just another appliance like a washing machine or a microwave oven. He wants to be able to push a few buttons and not have to think about it.

    And since most computers are bought by average users, their needs will be prioritized, because that's where the profit is for hardware manufacturers and software vendors.

  6. #36
    Join Date
    Oct 2010
    Beans
    5

    Re: TuxGuardian - application based firewall

    When I was installing Ubuntu 10.10 a slide show played. It said I should experiment with the OS because it was "safe".

    Users don't care about how it works. They want and need their hand to be held. Even experts need their hand held. Ever run an application that wasn't in the repositories? You just exposed yourself to attack. What about backdoors in the repository? How would you even know it was there?

    These kinds of tools are necessary to ensure Ubuntu stays safe. Sure, it will make some people complacent, but it's better than not having it at all.

  7. #37
    Join Date
    Jun 2010
    Location
    Austria - Graz
    Beans
    124
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: TuxGuardian - application based firewall

    Originally posted by Kinstonian:
    That "block all what's unknown to not further care about" is called "default deny." It's a best practice and comes from the principle of least privilege. I think he wants to follow that principle and wants more visibility and control over what happens on his computer. Where I come from, regardless of the OS, those are good things.

    Well, that's perfectly fine for firewalls, I would never argue about that, but it should not be applied to everything. I don't refer to network traffic but more to the general thinking pattern.

    And Ubuntu doesn't listen on unused ports by default.

  8. #38
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: TuxGuardian - application based firewall

    Originally posted by Kinstonian:
    That "block all what's unknown to not further care about" is called "default deny." It's a best practice and comes from the principle of least privilege. I think he wants to follow that principle and wants more visibility and control over what happens on his computer. Where I come from, regardless of the OS, those are good things.

    Right, but what people have been trying to say is that's the way Ubuntu already is, without having to use any additional tools. Things like web browsers, mail and chat clients and package/update managers access the internet as part of their intended functions. Unless the user starts them up they won't even run, much less establish network connections (though obviously the update manager can be configured--by the user--to check automatically). Sure, it's true that the connections from those applications won't be "blocked" in the strictest sense, but they also won't even be made or attempted until the application is specifically launched, which works out to the same thing without having to do anything.

    Having said that, when I first started using Ubuntu I also denied all outbound traffic and then put in exceptions. The only things that ended up happening were that my messages log was filled with a bunch of DHCP failures and my clock was always wrong because my NTP requests weren't getting out. Eventually I made exceptions for those, after learning what they were (and there was no way around having to do that, see).

    A couple years later I started really reading the forums here, including the security stickies and some other threads about network activity management. That was how I found out that by default, nothing connects from the outside in without it being a response to a request initiated locally. So what I did was I compared what my network activity looked like with only incoming connections denied but outgoing connections allowed to what it looked like under my old rules of denying everything in and out with a list of exceptions. It was the same. It turned out that what I'd been doing before was making things more difficult for myself but had been gaining absolutely nothing.

    My hope is that a testimonial from my own experience as a new user will be more helpful than a simple repetition of the same things long-time users always say.

  9. #39
    Join Date
    Aug 2008
    Beans
    Hidden!

    Re: TuxGuardian - application based firewall

    Originally posted by mainerror:
    Well, that's perfectly fine for firewalls, I would never argue about that, but it should not be applied to everything. I don't refer to network traffic but more to the general thinking pattern.

    Good, because this thread is about firewalls.

    And Ubuntu doesn't listen on unused ports by default.
    Secure by default is great and I love it. However, it only means you have to do less to harden the OS before you start using it.

    It's a term that only covers the very beginning of security, and doesn't mean you're secure tomorrow when you install additional software/services, have to install patches, determine what action to take after getting a security warning in Firefox/NoScript, back up your important data, choose strong passwords for websites, etc. Secure by default is a small part of security, and it has an increasingly smaller impact on security as time goes by.

    Even if you don't have any services you can still get hacked through a client side vulnerability. That's why you need to keep things like your browser updated and use NoScript, etc.

  10. #40
    Join Date
    Aug 2008
    Beans
    Hidden!

    Re: TuxGuardian - application based firewall

    Originally posted by OpSecShellshock:
    Right, but what people have been trying to say is that's the way Ubuntu already is, without having to use any additional tools. Things like web browsers, mail and chat clients and package/update managers access the internet as part of their intended functions. Unless the user starts them up they won't even run, much less establish network connections (though obviously the update manager can be configured--by the user--to check automatically). Sure, it's true that the connections from those applications won't be "blocked" in the strictest sense, but they also won't even be made or attempted until the application is specifically launched, which works out to the same thing without having to do anything.

    Having said that, when I first started using Ubuntu I also denied all outbound traffic and then put in exceptions. The only things that ended up happening were that my messages log was filled with a bunch of DHCP failures and my clock was always wrong because my NTP requests weren't getting out. Eventually I made exceptions for those, after learning what they were (and there was no way around having to do that, see).

    A couple years later I started really reading the forums here, including the security stickies and some other threads about network activity management. That was how I found out that by default, nothing connects from the outside in without it being a response to a request initiated locally. So what I did was I compared what my network activity looked like with only incoming connections denied but outgoing connections allowed to what it looked like under my old rules of denying everything in and out with a list of exceptions. It was the same. It turned out that what I'd been doing before was making things more difficult for myself but had been gaining absolutely nothing.

    My hope is that a testimonial from my own experience as a new user will be more helpful than a simple repetition of the same things long-time users always say.

    True, but the point of this kind of firewall isn't about being notified or preventing web browsers and email. I think it would be nice to be notified as soon as wget or ftp were used, and be able to permit/block it if necessary. Preventing an attacker's toolkit from getting on your computer is critical and can mean the difference between a minor or major incident. Wouldn't you want to know if a process like Nmap or a new process you don't know about wants to make an outbound connection to the Internet out of the blue?
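
The visibility asked for in post #40 (knowing when wget, ftp or an unknown process opens an outbound connection), sketched as an added example that is not part of the thread and not TuxGuardian's code. It checks a snapshot of `ss -H -tnp` output against a per-program allowlist instead of intercepting the connection; the allowlist (taken from the "Opera and Evolution" wording in post #32) and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed policy: only these program names may hold non-loopback connections.
ALLOWED = {"opera", "evolution"}

# Constructed sample of `ss -H -tnp` output: state, queues, local, peer, owner.
SAMPLE = """\
ESTAB    0 0 192.168.1.10:51514 93.184.216.34:443 users:(("opera",pid=2101,fd=45))
ESTAB    0 0 192.168.1.10:40022 198.51.100.7:21 users:(("ftp",pid=3350,fd=3))
SYN-SENT 0 1 192.168.1.10:40100 203.0.113.9:80 users:(("wget",pid=3391,fd=3))
ESTAB    0 0 127.0.0.1:51000 127.0.0.1:631 users:(("cupsd",pid=900,fd=7))
ESTAB    0 0 [2001:db8::10]:41000 [2001:db8::1]:993 users:(("evolution",pid=2200,fd=12))
ESTAB    0 0 192.168.1.10:40555 203.0.113.50:4444
"""

# Matches each ("name",pid=N entry inside the users:((...)) column.
OWNER = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_connections(ss_output, allowed=ALLOWED):
    """Return (program, pid, peer_ip, peer_port) for sockets outside the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # blank or malformed line
        peer_ip, peer_port = split_endpoint(fields[4])
        if peer_ip.is_loopback:
            continue  # local IPC, not traffic leaving the machine
        owners = OWNER.findall(fields[5]) if len(fields) > 5 else []
        if not owners:
            # ss hides the owner when run without sufficient privileges:
            # report the socket rather than silently trusting it.
            findings.append(("unknown", None, str(peer_ip), peer_port))
        for name, pid in owners:
            if name not in allowed:
                findings.append((name, int(pid), str(peer_ip), peer_port))
    return findings


if __name__ == "__main__":
    for name, pid, ip, port in unexpected_connections(SAMPLE):
        print(f"ALERT {name} (pid {pid}) -> {ip}:{port}")
```

A snapshot like this misses connections that open and close between polls, and it only reports, so it does not give the Allow or Deny prompt before the connection that post #31 describes.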
