Hmm, got to add my 2 Fils worth:
You are not going to get much support for this type of application, since it has already been beaten to death six ways to Sunday:
SELinux
Tomoyo Linux
AppArmor
Iptables
Sudo
TCPwrappers
ACLs
OK, seven.
Therefore, you would probably do better by learning the above systems first, before reviving an abandoned project.
Leopard Flower does per-application firewalling on linux
https://sourceforge.net/projects/leopardflower/
Cheers
bodhi.zazen made a few observations in post #5 that I feel are worthy of further discussion:
Originally Posted by bodhi.zazen
First, the definition of malware is very broad, and it is often difficult to draw the line between harmful software and "undesirable" software. By "undesirable", I mean software that may send information about your system configuration to some remote server. For example, if I use certain printers, I am forced to install the "driver" provided by the manufacturer, which actually consists of a bundle of undesirable software that I have no choice but to install, since I can only install the driver by installing the entire bundle. Despite any boxes I uncheck, I still do not trust this bundle when it tries to access the Internet, whether it's asking me to register or simply trying to call home with some "nonpersonal" system information. I think it's important to remember that while some people might not care about their system information being phoned home, others (such as me) feel that this is a threat that should be stopped. For this and other reasons, it is not easy to simply classify every threat to your security as "malware". Even if it is true that no malware conceived of in the same sense as bodhi.zazen exists on Linux, it is certainly not true that nothing more subtle but nonetheless undesirable exists. In such cases, I think a user could at least potentially benefit from having an application firewall similar to what has been called "windows based". Even if malware/undesirableware (for lack of a better word) could not affect system files, that doesn't mean it can't phone home with personal information or non system files. It wouldn't require a "specific vulnerability" in Ubuntu for this to happen.
Originally Posted by bodhi.zazen
I'm not going to make the claim that software downloaded from repositories is unsafe. However, I do want to emphasize that it's sometimes impossible to stick only to software in repositories. A printer driver, much like the one I described, or even an important application that has to be run in Wine, is sometimes unavoidable. In fact, when installing Ubuntu for the first time, users will often see the explicit suggestion that they install third party drivers for better functionality (e.g. for their video card). In such situations, users often don't have a choice. They have to use the software, but they also want to maintain their privacy. With a proper application firewall, they won't have to sacrifice their privacy for the sake of functionality.
"Most of the time" isn't good enough if good security is a concern. For those who still need Microsoft Office, it does try to access the Internet for no good reason even if all you're doing is word processing. Using a packet sniffer to try to determine exactly what it and similar applications might be phoning home is both impossible and impractical. There are too many applications whose developers consider accessing the Internet a right rather than a privilege. In situations where using an alternative is not an option, it would be much simpler to simply block all connection attempts until a user gives their explicit approval through a popup prompt.
Originally Posted by OpSecShellshock
I think you are actually proving the point that an application firewall is important in at least some situations. Since it's so difficult to predict exactly what port an application might be trying to access, it would be easier to add the ability to restrict access by application rather than by port. Of course, good Windows firewalls allow both; first, you define whether an application is allowed Internet access at all. Then, you specify which (if any) ports it is allowed to access.
Originally Posted by cariboo907
I will agree that an application firewall is not an adequate defense against rootkits, but I also think you are missing the point of such a program. For everything that is not hidden but not necessarily desirable, an application firewall could be an excellent response.
Originally Posted by WinstonChurchill
I also found it interesting that you claim an application firewall would be a "greater detriment to security than the service it provides is worth". Jake Edge quotes Paul Moore on the "user request" feature of personal firewalls: "my opinion is that it is a poor option for security and typically only results in training the user to click the 'allow' button when the pfwall [dialog] box pops up on his/her screen". The problem with Moore's claim is overgeneralization. Not all users are typical; therefore, not all users will blindly click "allow" when the dialog pops up, especially users who specifically seek such a feature. What typical users do is irrelevant anyways if you consider that most users don't care about their security. What matters is what the atypical/conscientious users do, and I think there are at least some users in this latter group that could benefit from an application firewall.
How exactly is stereotyping people being productive/helpful in a community like this? The same people who worry about the collection of statistics are not always the same people that click on an IM message that they can win an iPhone 4.
Originally Posted by mainerror
Originally Posted by OpSecShellshock
I agree. There is no way around learning what to make exceptions for. But with a proper application firewall, the process can certainly be made easier. If you were prompted to allow out the requests to automatically correct your clock, you could then find out what the request was for instead of looking through your logs for everything that might be legitimate and then making an exception for it. Allowing everything and blocking everything else is good if security is the only thing you care about or if you're an expert who already knows exactly what to allow. But for the rest of us who aren't experts, it would help if there was an application firewall to accelerate the process of learning. Even if you disagree with oversimplifying everything, it surely wouldn't hurt to help us learn some of what the experts already know.
Originally Posted by mainerror
Thanks! Your testimonial has definitely been helpful! I think it helps to know that allowing some things and blocking everything else is at least a start.
Originally Posted by OpSecShellshock
To be fair, I don't think that anybody is disagreeing that absolute security is an illusion. We all know that rootkits can bypass application firewalls. But I think it's also important to note that application firewalls can help a new user more quickly learn about legitimate processes and enhance security in at least some situations. So at the very least, being able to mark a checkbox can do much more than simply amplify an illusion of absolute security. On the other hand, if anyone believes there is such a thing as absolute security, the lack of a checkbox certainly won't help matters.
Originally Posted by mainerror
Still not convinced? See this: http://lwn.net/Articles/129729/
Last edited by opendoors; March 1st, 2011 at 05:00 AM.
It may be worth your while to actually check how services connect to each other. If a web browser wants to connect to, for example, ubuntuforums.org, it opens port 77540 to connect to port 80 at 72.14.213.102; if you now want to connect to www.google.com, a new random high port is opened to make the connection to port 80 at google. It works the same for any other service too. It would be pretty hard to block the source port for every application, as they use different source ports for every connection that is initiated.
Here's another example. I'm connected to my G3 via ssh; this is what the port info looks like:
Code:
ssh 2002 cariboo 3u IPv4 19211 0t0 TCP 192.168.1.215:41201->192.168.1.235:22 (ESTABLISHED)
If I connect to the same computer a second time while still connected via the first instance, the connection looks like this:
Code:
ssh 12629 cariboo 3r IPv4 78494 0t0 TCP 192.168.1.215:36754->192.168.1.235:22 (ESTABLISHED)
As you can see, the pid for both instances is different, as well as the source ports. I've bolded the pid, source and destination ports. So if you have no way of identifying the service and source ports before the application is started, it's going to be pretty hard to selectively block applications.
Last edited by cariboo; February 28th, 2011 at 11:59 PM.
If you are wanting to micromanage your internet connections you will need to use a tool such as tcpdump and / or wireshark.
You then limit connections with iptables.
Start by blocking all outbound traffic and then whitelist those connections you wish to allow.
If the white list is too long, go the other way, allow all, and black list ip addresses you wish to block.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
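The two posts above describe a workflow in two halves: observe what actually connects out (cariboo's lsof lines show that source ports are ephemeral but the command and pid are stable), then turn that observation into a default-deny outbound iptables policy with a whitelist (bodhi.zazen's procedure). The script below is an added example written for this thread, not code from either poster. It parses `lsof -i -n -P` style lines (the two ssh lines quoted above plus a constructed firefox line and a constructed, hypothetical "printerd" daemon standing in for the phone-home software discussed earlier), reports which connections fall outside a reviewer's allowlist, and emits a default-deny OUTPUT ruleset that uses the real iptables owner match (`-m owner --uid-owner`) as the closest thing iptables offers to per-application filtering. The allowlist contents and the exclusion of "printerd" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample `lsof -i -n -P` output. The two ssh lines are the ones quoted in the thread;
# the firefox and printerd lines are constructed for this example (printerd is a
# hypothetical vendor daemon, not a real program).
SAMPLE_LSOF = """\
ssh 2002 cariboo 3u IPv4 19211 0t0 TCP 192.168.1.215:41201->192.168.1.235:22 (ESTABLISHED)
ssh 12629 cariboo 3r IPv4 78494 0t0 TCP 192.168.1.215:36754->192.168.1.235:22 (ESTABLISHED)
firefox 3100 cariboo 55u IPv4 80011 0t0 TCP 192.168.1.215:51022->72.14.213.102:80 (ESTABLISHED)
printerd 4200 root 9u IPv4 80120 0t0 TCP 192.168.1.215:59999->203.0.113.45:443 (ESTABLISHED)
"""

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, NAME = src:port->dst:port
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)"
)


def parse_lsof(text):
    """Turn lsof lines into dicts; lines without a remote peer (listeners, headers) are skipped."""
    conns = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        conns.append({"cmd": d["cmd"], "pid": int(d["pid"]), "user": d["user"],
                      "proto": d["proto"].lower(), "src": d["src"], "sport": int(d["sport"]),
                      "dst": d["dst"], "dport": int(d["dport"])})
    return conns


def source_ports_by_command(conns):
    """Ephemeral source ports seen per command: the set differs per connection, so a
    source-port rule can never identify an application reliably."""
    ports = defaultdict(set)
    for c in conns:
        ports[c["cmd"]].add(c["sport"])
    return dict(ports)


def audit(conns, allowed):
    """Connections whose (destination, port) pair is not on the reviewer's allowlist."""
    return [c for c in conns if (c["dst"], c["dport"]) not in allowed]


def iptables_allowlist(conns, exclude_cmds=frozenset()):
    """Default-deny OUTPUT policy with one ACCEPT per observed (proto, dst, port, user).
    The owner match keys on the uid that opened the socket, not on the binary, so a
    per-user rule is as close as iptables gets to per-application filtering."""
    rules = ["iptables -P OUTPUT DROP",
             "iptables -A OUTPUT -o lo -j ACCEPT",
             "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    seen = set()
    for c in conns:
        if c["cmd"] in exclude_cmds:          # reviewer decided not to trust this process
            continue
        key = (c["proto"], c["dst"], c["dport"], c["user"])
        if key in seen:                        # two ssh sessions collapse into one rule
            continue
        seen.add(key)
        rules.append("iptables -A OUTPUT -p %s -d %s --dport %d -m owner --uid-owner %s -j ACCEPT" % key)
    # Anything that reaches the end of the chain is logged (rate-limited) and then hits the DROP policy.
    rules.append("iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'OUTPUT-DROP: '")
    return rules


if __name__ == "__main__":
    conns = parse_lsof(SAMPLE_LSOF)
    print("source ports per command:", source_ports_by_command(conns))
    allowed = {("192.168.1.235", 22), ("72.14.213.102", 80)}   # assumed reviewer allowlist
    for c in audit(conns, allowed):
        print("not on allowlist: %s[%d] (%s) -> %s:%d" % (c["cmd"], c["pid"], c["user"], c["dst"], c["dport"]))
    print("\n".join(iptables_allowlist(conns, exclude_cmds={"printerd"})))
```

Run it against real output with `lsof -i -n -P | python3 audit.py`-style piping after replacing `SAMPLE_LSOF` with stdin; review the flagged connections before applying any generated rules. Two caveats that match the thread's discussion: nothing that was not observed (DNS on UDP 53, NTP, package updates) gets a rule, which is exactly how the whitelist grows long; and lsof truncates the COMMAND column to nine characters by default (`lsof +c 0` widens it), so grouping by command name should be checked against the pid.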
I have seen in Windows, installation packages come with "phone home" software. I don't want my printer or my camera program or any other pieces of software to "phone home" without my permission but I need to install that entire Windows installation package to get my stuff to work.
Now, almost all of the Linux programs we use are written by people who respect that I own my computer and I should be able to decide what it does.
BUT, I fear as we see more businesses provide "Linux installable" packages, they may start to add "phone home" functionality here as well and we won't always have an Open Source alternative, especially for specialized devices.
Therefore, I would love an additional tool in my security toolbox that would provide a default deny and/or notification per application to complement our great port based tools.
Last edited by wdtd; March 2nd, 2011 at 01:07 AM. Reason: spelling
Last edited by ikt; March 2nd, 2011 at 09:38 PM.