
Thread: TuxGuardian - application based firewall

  1. #61
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by arapaho View Post
    No, I want to block it just in case if it could help to be more secure. Some time ago there was a dangerous code in gnome screensaver.
    That is not something that would've been caught by a firewall. I don't even know if AppArmor would've; I doubt it, but don't know enough to say one way or the other.

  2. #62
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,783

    Re: TuxGuardian - application based firewall

    Hmm, got to add my 2 Fils worth:
    You are not going to get much support for this type of application, since it has already been beaten to death six ways to Sunday:
    SELinux
    Tomoyo Linux
    AppArmor
    Iptables
    Sudo
    TCPwrappers
    ACLs

    OK, seven.

    Therefore, you would probably do better by learning the above systems first, before reviving an abandoned project.

  3. #63
    Join Date
    Oct 2010
    Beans
    34

    Re: TuxGuardian - application based firewall

    Leopard Flower does per-application firewalling on linux
    https://sourceforge.net/projects/leopardflower/
    Cheers

  4. #64
    Join Date
    Jun 2010
    Beans
    136
    Distro
    Kubuntu 16.04 Xenial Xerus

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by Abir Valg View Post
    Leopard Flower does per-application firewalling on linux
    Thank you for information. I wish some advanced users would test it and share their opinions.

  5. #65
    Join Date
    Feb 2011
    Beans
    26

    Re: TuxGuardian - application based firewall

    bodhi.zazen made a few observations in post #5 that I feel are worthy of further discussion:

    Quote Originally Posted by bodhi.zazen
    Part of the reason is that Linux is not Windows and this type of malware does not exist in Linux.
    Quote Originally Posted by bodhi.zazen
    Last, the amount of "damage" any potential client could do is very limited on Linux. Sure it could affect things in /tmp or /home, but not system files.
    First, the definition of malware is very broad, and it is often difficult to draw the line between harmful software and "undesirable" software. By "undesirable", I mean software that may send information about your system configuration to some remote server. For example, if I use certain printers, I am forced to install the "driver" provided by the manufacturer, which actually consists of a bundle of undesirable software that I have no choice but to install, since I can only install the driver by installing the entire bundle. Despite any boxes I uncheck, I still do not trust this bundle when it tries to access the Internet, whether it's asking me to register or simply trying to call home with some "nonpersonal" system information. I think it's important to remember that while some people might not care about their system information being phoned home, others (such as me) feel that this is a threat that should be stopped. For this and other reasons, it is not easy to simply classify every threat to your security as "malware". Even if it is true that no malware conceived of in the same sense as bodhi.zazen exists on Linux, it is certainly not true that nothing more subtle but nonetheless undesirable exists. In such cases, I think a user could at least potentially benefit from having an application firewall similar to what has been called "windows based". Even if malware/undesirableware (for lack of a better word) could not affect system files, that doesn't mean it can't phone home with personal information or non system files. It wouldn't require a "specific vulnerability" in Ubuntu for this to happen.

    I'm not going to make the claim that software downloaded from repositories is unsafe. However, I do want to emphasize that it's sometimes impossible to stick only to software in repositories. A printer driver, much like the one I described, or even an important application that has to be run in Wine, is sometimes unavoidable. In fact, when installing Ubuntu for the first time, users will often see the explicit suggestion that they install third party drivers for better functionality (e.g. for their video card). In such situations, users often don't have a choice. They have to use the software, but they also want to maintain their privacy. With a proper application firewall, they won't have to sacrifice their privacy for the sake of functionality.

    Quote Originally Posted by OpSecShellshock
    Things like word processors and other productivity applications probably don't need to most of the time, and so they won't. When there's an active link in a PDF or doc file, it will open a browser if there's not one already open, rather than simply connecting itself (well, except for Adobe Reader, which for whatever reason allows the running of scripts and can access the web directly, but that's just bad design and there are alternatives).
    "Most of the time" isn't good enough if good security is a concern. For those who still need Microsoft Office, it does try to access the Internet for no good reason even if all you're doing is word processing. Using a packet sniffer to try to determine exactly what it and similar applications might be phoning home is both impossible and impractical. There are too many applications whose developers consider accessing the Internet a right rather than a privilege. In situations where using an alternative is not an option, it would be much simpler to simply block all connection attempts until a user gives their explicit approval through a popup prompt.

    Quote Originally Posted by cariboo907
    A firewall really doesn't do anything on a default installation, as there are no ports open to the outside world, and if you are behind a router, it's a belt + suspenders type of activity.

    It's just like the poster earlier that tried to block Opera from accessing the Internet. Web browsers and many other programs use random high ports for outgoing connections, so it's pretty hard to block a port if you don't know which one it is using, and it changes every time you use a program, have a look at this example:
    I think you are actually proving the point that an application firewall is important in at least some situations. Since it's so difficult to predict exactly what port an application might be trying to access, it would be easier to add the ability to restrict access by application rather than by port. Of course, good Windows firewalls allow both; first, you define whether an application is allowed Internet access at all. Then, you specify which (if any) ports it is allowed to access.

    Quote Originally Posted by WinstonChurchill
    This program is incredibly silly - not only can all its functionality be accomplished easily with iptables, the entire idea is pointless: simply running 'sudo netstat -nep' will quickly tell you exactly what programs are accessing the internet. Anything that can make itself invisible to netstat would have to be some sort of rootkit, and by definition a rootkit could easily bypass filtering like TuxGuardian. There are several GUI frontends for the kernel iptables functionality out there - if you're too lazy to use the shell, use those.

    This is exactly the thing that would sound like a great idea to someone unfamiliar with Linux, when in reality it is a greater detriment to security than the service it provides is worth. It reeks of Windows, and I don't like it.

    -1 from me.
    I will agree that an application firewall is not an adequate defense against rootkits, but I also think you are missing the point of such a program. For everything that is not hidden but not necessarily desirable, an application firewall could be an excellent response.

    I also found it interesting that you claim an application firewall would be a "greater detriment to security than the service it provides is worth". Jake Edge quotes Paul Moore on the "user request" feature of personal firewalls: "my opinion is that it is a poor option for security and typically only results in training the user to click the 'allow' button when the pfwall [dialog] box pops up on his/her screen". The problem with Moore's claim is overgeneralization. Not all users are typical; therefore, not all users will blindly click "allow" when the dialog pops up, especially users who specifically seek such a feature. What typical users do is irrelevant anyways if you consider that most users don't care about their security. What matters is what the atypical/conscientious users do, and I think there are at least some users in this latter group that could benefit from an application firewall.

    Quote Originally Posted by mainerror
    I don't quite understand why people tend to be that paranoid about such stuff but then click on an IM message that they can win an iPhone 4 or that there is an awesome video on YouTube they just have to watch. People's common sense and the sense for security seems to be extremely off which is exactly the point I'm talking about.
    How exactly is stereotyping people being productive/helpful in a community like this? The same people who worry about the collection of statistics are not always the same people that click on an IM message that they can win an iPhone 4.

    Quote Originally Posted by OpSecShellshock
    Having said that, when I first started using Ubuntu I also denied all outbound traffic and then put in exceptions. The only things that ended up happening were that my messages log was filled with a bunch of DHCP failures and my clock was always wrong because my NTP requests weren't getting out. Eventually I made exceptions for those, after learning what they were (and there was no way around having to do that, see).
    Quote Originally Posted by mainerror
    Those new people should invest their energy in learning about Linux and Ubuntu instead of trying to start unnecessary projects for inexistent problems. Maybe inexistent problems isn't the right definition the problem is between chair and keyboard.
    I agree. There is no way around learning what to make exceptions for. But with a proper application firewall, the process can certainly be made easier. If you were prompted to allow out the requests to automatically correct your clock, you could then find out what the request was for instead of looking through your logs for everything that might be legitimate and then making an exception for it. Allowing everything and blocking everything else is good if security is the only thing you care about or if you're an expert who already knows exactly what to allow. But for the rest of us who aren't experts, it would help if there was an application firewall to accelerate the process of learning. Even if you disagree with oversimplifying everything, it surely wouldn't hurt to help us learn some of what the experts already know.

    Quote Originally Posted by OpSecShellshock
    My hope is that a testimonial from my own experience as a new user will be more helpful than a simple repetition of the same things long-time users always say.
    Thanks! Your testimonial has definitely been helpful! I think it helps to know that allowing some things and blocking everything else is at least a start.

    Quote Originally Posted by mainerror
    Well thank you very much for posting this as this is exactly what I'm ranting about the last couple of pages. I'm talking about that absolute security is an illusion where a simple front-end giving you the option to simply mark a checkbox to block something only amplifies this illusion.
    To be fair, I don't think that anybody is disagreeing that absolute security is an illusion. We all know that rootkits can bypass application firewalls. But I think it's also important to note that application firewalls can help a new user more quickly learn about legitimate processes and enhance security in at least some situations. So at the very least, being able to mark a checkbox can do much more than simply amplify an illusion of absolute security. On the other hand, if anyone believes there is such a thing as absolute security, the lack of a checkbox certainly won't help matters.

    Still not convinced? See this: http://lwn.net/Articles/129729/
    Last edited by opendoors; March 1st, 2011 at 05:00 AM.

  6. #66
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by opendoors View Post
    I think you are actually proving the point that an application firewall is important in at least some situations. Since it's so difficult to predict exactly what port an application might be trying to access, it would be easier to add the ability to restrict access by application rather than by port. Of course, good Windows firewalls allow both; first, you define whether an application is allowed Internet access at all. Then, you specify which (if any) ports it is allowed to access.
    It may be worth your while to actually check how services connect to each other. If a web browser wants to connect to, for example, ubuntuforums.org, it opens port 77540 to connect to port 80 at 72.14.213.102. If you now want to connect to www.google.com, a new random high port is opened to make the connection to port 80 at google. It works the same for any other service too. It would be pretty hard to block the source port for every application, as they use different source ports for every connection that is initiated.

    Here's another example, I'm connected to my G3 via ssh this is what the port info looks like:

    Code:
    ssh        2002 cariboo    3u  IPv4  19211      0t0  TCP 192.168.1.215:41201->192.168.1.235:22 (ESTABLISHED)
    If I connect to the same computer a second time while still connected via the first instance the connection looks like this:

    Code:
    ssh       12629 cariboo    3r  IPv4  78494      0t0  TCP 192.168.1.215:36754->192.168.1.235:22 (ESTABLISHED)
    As you can see the pid for both instances is different, as well as the source ports. I've bolded the pid, source and destination ports. So if you have no way of identifying the service, and source ports before the application is started, it's going to be pretty hard to selectively block applications.
    Last edited by cariboo; February 28th, 2011 at 11:59 PM.
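
The two lsof lines in the post above, reduced to the fields that do not change between connections (command, user, remote endpoint). This is an added example, not part of the original post; the firefox line and its 192.0.2.10 address are constructed sample data, and `summarize_conns` is a name chosen here.

```shell
#!/bin/sh
# Constructed sample: the two lsof lines quoted in the post, plus one
# made-up browser line so the summary covers more than one program.
sample_lsof() {
cat <<'EOF'
ssh        2002 cariboo    3u  IPv4  19211      0t0  TCP 192.168.1.215:41201->192.168.1.235:22 (ESTABLISHED)
ssh       12629 cariboo    3r  IPv4  78494      0t0  TCP 192.168.1.215:36754->192.168.1.235:22 (ESTABLISHED)
firefox    3310 cariboo   52u  IPv4  80112      0t0  TCP 192.168.1.215:50522->192.0.2.10:80 (ESTABLISHED)
EOF
}

# Read lsof -i style lines on stdin and print "count command user remote:port".
# The PID (field 2) and the local address and source port are dropped,
# because they differ for every process instance and every connection.
summarize_conns() {
    awk '
        $8 == "TCP" && $9 ~ /->/ {
            split($9, ends, "->")          # ends[1] = local, ends[2] = remote
            key = $1 " " $3 " " ends[2]
            if (!(key in n)) order[++k] = key
            n[key]++
        }
        END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }
    '
}

# Live use (assumes lsof is installed): lsof -i -n -P | summarize_conns
sample_lsof | summarize_conns
```

Both ssh sessions collapse into one line even though their PIDs and source ports differ.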

  7. #67
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by opendoors View Post
    bodhi.zazen made a few observations in post #5 that I feel are worthy of further discussion:

    <clip>
    </clip>
    If you are wanting to micromanage your internet connections you will need to use a tool such as tcpdump and / or wireshark.

    You then limit connections with iptables.

    Start by blocking all outbound traffic and then whitelist those connections you wish to allow.

    If the white list is too long, go the other way, allow all, and black list ip addresses you wish to block.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
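
The block-all-outbound-then-whitelist approach from the post above, written as a generator for an `iptables-restore` ruleset. This is an added example, not from the original post; it goes one step beyond the post by accepting a `proto/port@uid` form that uses the iptables `owner` match, which keys on the uid that owns the socket, not on the program. The function name, the port list and uid 1500 are assumptions made for illustration.

```shell
#!/bin/sh
# Print an iptables-restore ruleset: OUTPUT policy DROP, then a whitelist.
# Each argument is "proto/port" (any local user) or "proto/port@uid"
# (only sockets owned by that numeric uid). Nothing is loaded here.
gen_output_rules() {
    allow=
    for spec in "$@"; do
        pp=${spec%%@*}; proto=${pp%%/*}; port=${pp#*/}
        owner=
        case "$spec" in
            *@*) uid=${spec#*@}
                 case "$uid" in ''|*[!0-9]*) echo "bad uid: $spec" >&2; return 1 ;; esac
                 owner=" -m owner --uid-owner $uid" ;;
        esac
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $spec" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad port: $spec" >&2; return 1; }
        allow="$allow-A OUTPUT -p $proto --dport $port$owner -j ACCEPT
"
    done
    # Loopback and replies to allowed traffic pass; everything that falls
    # through is logged, then dropped by the chain policy.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${allow}-A OUTPUT -j LOG --log-prefix "OUT-DENY: "
COMMIT
EOF
}

# Constructed whitelist: DNS, DHCP and NTP for everyone, tcp/80 for every
# program, tcp/443 only for the hypothetical account with uid 1500.
gen_output_rules udp/53 udp/67 udp/123 tcp/80 tcp/443@1500
# Check before loading (needs root):
#   gen_output_rules udp/53 tcp/80 | iptables-restore --test
```

This ruleset covers IPv4 only; ip6tables needs its own. The "OUT-DENY: " lines in the kernel log show what still needs an exception.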

  8. #68
    Join Date
    Mar 2011
    Beans
    Hidden!

    Re: TuxGuardian - application based firewall

    I have seen in Windows, installation packages come with "phone home" software. I don't want my printer or my camera program or any other pieces of software to "phone home" without my permission but I need to install that entire Windows installation package to get my stuff to work.

    Now, almost all of the Linux programs we use are written by people who respect that I own my computer and I should be able to decide what it does.

    BUT, I fear as we see more businesses provide "Linux installable" packages, they may start to add "phone home" functionality here as well and we won't always have an Open Source alternative, especially for specialized devices.

    Therefore, I would love an additional tool in my security toolbox that would provide a default deny and/or notification per application to complement our great port based tools.
    Last edited by wdtd; March 2nd, 2011 at 01:07 AM. Reason: spelling

  9. #69
    Join Date
    Aug 2007
    Location
    From the land down under
    Beans
    1,241
    Distro
    Ubuntu Development Release

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by wdtd View Post
    BUT, I fear as we see more businesses provide "Linux installable" packages, they may start to add "phone home" functionality here as well and we won't always have an Open Source alternative, especially for specialized devices.
    What is the problem with using GUFW to block all outgoing programs by default and add the programs as you need?
    Last edited by ikt; March 2nd, 2011 at 09:38 PM.
    // Blog

  10. #70
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: TuxGuardian - application based firewall

    Quote Originally Posted by ikt View Post
    What is the problem with using GUFW to block all outgoing programs by default and add the programs as you need?
    gufw blocks ports (80, 443, 53, etc) and not applications.

    So if you allow port 80 , all applications can use port 80.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
