Robust firewall with GUI for my Ubuntu 10.04

[cariboo]

Blocking programs by pid only works if your computer is on 24/7, every time you restart a program, it gets a different pid.

I really fail to see how this is an issue, if you don't want a program to connect to the internet, don't start it.

[CharlesA]

Blocking programs by pid only works if your computer is on 24/7, every time you restart a program, it gets a different pid.

I really fail to see how this is an issue, if you don't want a program to connect to the internet, don't start it.

That makes sense then, thanks.

[arapaho]

I really fail to see how this is an issue,

I'd like to use programs from different sources like for example from this site
http://www.linuxlinks.com/Software/
not only from repositories. And I'm not sure if they are safe and if they can contain a spyware or a keylogger. So, just in case I'd like to block them right at the installation process.

[CharlesA]

I'd like to use programs from different sources like for example from this site
http://www.linuxlinks.com/Software/
not only from repositories. And I'm not sure if they are safe and if they can contain a spyware or a keylogger. So, just in case I'd like to block them right at the installation process.

If you run unverified code, you are opening an entirely new set of worms. There really isn't anything that a firewall can do if you install something that has a keylogger or whatever in it.

[janpol]

If you run unverified code, you are opening an entirely new set of worms. There really isn't anything that a firewall can do if you install something that has a keylogger or whatever in it.

True, and that's true for firewalls in any OS. Also, spyware in Open Source, and for Linux is really really unlikely (ofc not impossible, but really unlikely).

@arapaho: Please, read the thread FuturePilot recommended: http://ubuntuforums.org/showthread.php?t=510812

[The Cog]

It only repeats itself when people deny the truth. Every application has its own designated default ports. An understanding of the seven layer OSI model or even the TCP/IP model will show how this works.

Sorry but that's not right. An application that listens for incoming connections (a server application) must listen on a "well known port" number, or its clients won't know which port number to try to connect to. So for instance, web servers generally listen on port 80, and SSH servers on port 22.

But for applications that only make outgoing connections, there is no particular port number for them. They generally just ask the OS to open a socket and they get the next available (often starting from port 1024 and working up from there). So you can't easily distinguish between applications on the basis of port numbers. You might be able to identify web browsers on the basis that they connect to port 80, but you can't tell between firefox, chromium, lynx or apt-get. The server port is 80, but the client port is essentially random.

I also happen to think there's not that much value in trying to block particular applications anyway. I gather it's not that hard for an application to masquerade as a different one although I don't understand the details - maybe just run a different program in the background? And it is generally standard practice for malware to disable the firewall.

[OpSecShellshock]

Haven't used Firestarter in a while, but as I recall, when you set it to allow an application, what's really happening is that it sets iptables up to allow outgoing connections to the default server-side port generally associated with that application's service. In other words, I don't think it's actually going by process name even then. It also means that a theoretical malicious application, even with a different process name, would still be able to make a connection provided it used one of the allowed services.

[cariboo]

I'd like to use programs from different sources like for example from this site
http://www.linuxlinks.com/Software/
not only from repositories. And I'm not sure if they are safe and if they can contain a spyware or a keylogger. So, just in case I'd like to block them right at the installation process.

I just had a quick look, and every program I saw was already in the repositories. You'd be much better off staying with the repositories, as at least the packages are signed by the dev/maintainer. There should be a really compelling reason to go outside of the repos, like a new feature that isn't available in the repo version.

I would suggest if you need a newer version of something in the repositories, check the ppas (personal package archives) on https://lauchpad.net, as many of the newer packages show up there before they hit the repositories.

[tkoco]

Hey there fellas,
I've been using Windows for quite a few years now. I loved the way how I used to set incoming/outgoing rules for my applications. But I'm having hard time doing that in Ubuntu. I tried searching for a good GUI for iptables but I need your help selecting the best. I might learn iptables someday but for the time being I will be using a nice GUI. I'm currently using GUFW, I've tried Firestarter. All I need is a firewall that would allow me to configure rules for my applications. Please suggest me some.
Thanks

I'm not sure that your question was answered. An inherent problem with any GUI based interface is that should you want to do something which the programmer failed to consider, then you are automatically blocked from doing it through the GUI.

The whole purpose of a firewall is control of the data flow between the computer and the outside world. It is not for the control of applications. That is your job - you control the applications. So, you need to be thinking in terms of data flow.

So, the question here is "What do you want the data flow to do or not do?"

I use Shorewall to set up the IPtables. Why? It is well documented and as flexible as doing it by hand with iptables. Think of iptables/Shorewall in terms of programming. (writing a program in assembly code vs writing it in C or C++) If you had to write a program, which method would you use? Both methods will get the job done.

Back to data flow considerations, the simplist firewall blocks all inbound connections and passes all outbound connections (no services presented to the Internet, and no control of clients connecting to the Internet). Any of the GUI front ends can do this type of firewall.

If you want to set up holes in the firewall (like allowing connections to a web server as an example), then the situation gets a bit more complicated.

And can get even more complicated when you block outbound data going to known security risks. An example of this is to block data headed for any address on TCP ports 445, 5554 and 9996. (Net-Worm:W32/Sasser infection on a Windows based system). Now before anyone says something about "windows" based infections, I respectfully remind everyone that WINE can potentially get infected by windows based malware.

Does this help?

[A_M_S]

You can use this tutorial to prevent applications to access the Internet. (Its CLI solution)

http://ubuntuforums.org/showthread.php?t=1188099