Blocking programs by pid only works if your computer is on 24/7; every time you restart a program, it gets a different pid.
I really fail to see how this is an issue; if you don't want a program to connect to the internet, don't start it.
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
I'd like to use programs from different sources like for example from this site
http://www.linuxlinks.com/Software/
not only from repositories. And I'm not sure if they are safe and if they can contain spyware or a keylogger. So, just in case, I'd like to block them right at the installation process.
True, and that's true for firewalls in any OS. Also, spyware in Open Source, and for Linux, is really really unlikely (ofc not impossible, but really unlikely).
@arapaho: Please, read the thread FuturePilot recommended: http://ubuntuforums.org/showthread.php?t=510812
Sorry but that's not right. An application that listens for incoming connections (a server application) must listen on a "well known port" number, or its clients won't know which port number to try to connect to. So for instance, web servers generally listen on port 80, and SSH servers on port 22.
But for applications that only make outgoing connections, there is no particular port number for them. They generally just ask the OS to open a socket and they get the next available (often starting from port 1024 and working up from there). So you can't easily distinguish between applications on the basis of port numbers. You might be able to identify web browsers on the basis that they connect to port 80, but you can't tell between firefox, chromium, lynx or apt-get. The server port is 80, but the client port is essentially random.
I also happen to think there's not that much value in trying to block particular applications anyway. I gather it's not that hard for an application to masquerade as a different one although I don't understand the details - maybe just run a different program in the background? And it is generally standard practice for malware to disable the firewall.
Haven't used Firestarter in a while, but as I recall, when you set it to allow an application, what's really happening is that it sets iptables up to allow outgoing connections to the default server-side port generally associated with that application's service. In other words, I don't think it's actually going by process name even then. It also means that a theoretical malicious application, even with a different process name, would still be able to make a connection provided it used one of the allowed services.
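To make the point of the last two posts concrete, here is a small added example (not code from the thread) that opens a listening socket on loopback and connects to it several times, once per "program". The listening port stands in for a well-known service port such as 80 or 22 (binding those needs root, so the kernel is asked to pick one here); the program names are constructed labels and nothing in the network layer carries them. Every connection reaches the same server port, while each client gets a different OS-assigned local port, which is exactly what a port-based firewall rule would see.

```python
import socket


def open_server():
    """Bind a listening socket on loopback. The port the kernel assigns stands in for a
    fixed, well-known service port (80, 22, ...); it stays the same for every client."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(8)
    return server


def observe_connections(server, client_names):
    """Connect once per 'program' and record the port numbers on both ends.
    All client sockets are kept open until the end so their local ports are in use at
    the same time and therefore necessarily distinct."""
    server_port = server.getsockname()[1]
    observations, clients, conns = [], [], []
    for name in client_names:
        client = socket.create_connection(("127.0.0.1", server_port))
        # The handshake completes on loopback before accept() is called, so this
        # returns immediately with the connection the kernel queued.
        conn, (_, port_seen_by_server) = server.accept()
        clients.append(client)
        conns.append(conn)
        observations.append({
            "client": name,                              # constructed label, invisible on the wire
            "server_port": server_port,                  # the "well-known" side: same every time
            "client_port": client.getsockname()[1],      # chosen by the OS, not by the program
            "seen_by_server": port_seen_by_server,       # the server sees that same ephemeral port
        })
    for s in clients + conns:
        s.close()
    return observations


def run_demo(client_names=("firefox", "chromium", "lynx", "apt-get")):
    server = open_server()
    try:
        return observe_connections(server, client_names)
    finally:
        server.close()


def port_view(observations):
    """What a port-based firewall rule could see: only port numbers, never the program."""
    return {
        "server_ports": sorted({o["server_port"] for o in observations}),
        "client_ports": sorted({o["client_port"] for o in observations}),
    }


if __name__ == "__main__":
    obs = run_demo()
    for o in obs:
        print(f"{o['client']:<9} -> server port {o['server_port']}, client port {o['client_port']}")
    print(port_view(obs))
```

Run it a few times: the server port is constant within a run, the client ports change from run to run and sit in the ephemeral range (above 1024), and the row for `apt-get` is indistinguishable from the row for `firefox` once the label is removed.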
I just had a quick look, and every program I saw was already in the repositories. You'd be much better off staying with the repositories, as at least the packages are signed by the dev/maintainer. There should be a really compelling reason to go outside of the repos, like a new feature that isn't available in the repo version.
I would suggest if you need a newer version of something in the repositories, check the ppas (personal package archives) on https://lauchpad.net, as many of the newer packages show up there before they hit the repositories.
I'm not sure that your question was answered. An inherent problem with any GUI based interface is that should you want to do something which the programmer failed to consider, then you are automatically blocked from doing it through the GUI.
The whole purpose of a firewall is control of the data flow between the computer and the outside world. It is not for the control of applications. That is your job - you control the applications. So, you need to be thinking in terms of data flow.
So, the question here is "What do you want the data flow to do or not do?"
I use Shorewall to set up the IPtables. Why? It is well documented and as flexible as doing it by hand with iptables. Think of iptables/Shorewall in terms of programming. (writing a program in assembly code vs writing it in C or C++) If you had to write a program, which method would you use? Both methods will get the job done.
Back to data flow considerations, the simplest firewall blocks all inbound connections and passes all outbound connections (no services presented to the Internet, and no control of clients connecting to the Internet). Any of the GUI front ends can do this type of firewall.
If you want to set up holes in the firewall (like allowing connections to a web server as an example), then the situation gets a bit more complicated.
And can get even more complicated when you block outbound data going to known security risks. An example of this is to block data headed for any address on TCP ports 445, 5554 and 9996. (Net-Worm:W32/Sasser infection on a Windows based system). Now before anyone says something about "windows" based infections, I respectfully remind everyone that WINE can potentially get infected by windows based malware.
Does this help?
Last edited by tkoco; November 5th, 2010 at 11:26 PM.
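As an added example that is not part of the thread, the following Python models the ruleset tkoco describes: inbound dropped by default, outbound allowed by default, outbound TCP to 445, 5554 and 9996 rejected, and optionally everything from one local user rejected. It renders the rules in the text format `iptables-restore` reads and includes a deliberately simplified first-match evaluator (no real packets, no real connection tracking) run over constructed sample traffic. The `-m owner --uid-owner` match is a standard iptables match for the OUTPUT chain; using a dedicated user such as `nonet` for untrusted programs is my assumption about how one would apply it, not something the posts state. The user names `alice` and `nonet`, the interface `eth0` and the "program" labels are constructed. The evaluator also shows the earlier point about Firestarter-style rules: two different programs connecting to port 80 get the same verdict, because the rules only see ports and users.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Chain policies for the "simplest firewall" in the post: drop unsolicited inbound,
# let everything outbound through unless a rule below says otherwise.
POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}


@dataclass
class Rule:
    chain: str                       # INPUT or OUTPUT
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None      # "tcp" / "udp"
    dport: Optional[int] = None      # destination (server-side) port
    states: Sequence[str] = ()       # conntrack states, e.g. ("NEW",)
    uid_owner: Optional[str] = None  # local user owning the socket (OUTPUT only)
    iface: Optional[str] = None      # interface, e.g. "lo"

    def render(self) -> str:
        """Emit the rule in iptables-restore syntax."""
        parts = [f"-A {self.chain}"]
        if self.iface:
            parts.append(f"{'-i' if self.chain == 'INPUT' else '-o'} {self.iface}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        if self.states:
            parts.append("-m conntrack --ctstate " + ",".join(self.states))
        if self.uid_owner:
            parts.append(f"-m owner --uid-owner {self.uid_owner}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)

    def matches(self, pkt: dict) -> bool:
        """Simplified match: every criterion the rule sets must equal the packet's field."""
        return (pkt["chain"] == self.chain
                and (not self.iface or pkt.get("iface") == self.iface)
                and (not self.proto or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (not self.states or pkt.get("state") in self.states)
                and (not self.uid_owner or pkt.get("uid") == self.uid_owner))


def build_rules(blocked_outbound_tcp=(445, 5554, 9996), allowed_inbound_tcp=(), no_net_user=None):
    """Rules for the policy in the post; allowed_inbound_tcp opens 'holes' such as a web server."""
    rules = [
        Rule("INPUT", "ACCEPT", iface="lo"),
        Rule("INPUT", "ACCEPT", states=("ESTABLISHED", "RELATED")),
    ]
    rules += [Rule("INPUT", "ACCEPT", proto="tcp", dport=p, states=("NEW",)) for p in allowed_inbound_tcp]
    rules += [Rule("OUTPUT", "REJECT", proto="tcp", dport=p) for p in blocked_outbound_tcp]
    if no_net_user:  # assumption: untrusted programs are run as this dedicated user
        rules.append(Rule("OUTPUT", "REJECT", uid_owner=no_net_user))
    return rules


def render_ruleset(rules) -> str:
    lines = ["*filter", f":INPUT {POLICY['INPUT']} [0:0]", ":FORWARD DROP [0:0]",
             f":OUTPUT {POLICY['OUTPUT']} [0:0]"]
    lines += [r.render() for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def verdict(rules, pkt: dict) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return POLICY[pkt["chain"]]


# Constructed sample traffic. "program" is what the user cares about; no rule above
# can see it, which is the point the thread makes about port-based filtering.
SAMPLE_PACKETS = [
    {"program": "firefox", "chain": "OUTPUT", "proto": "tcp", "dport": 80,  "state": "NEW", "uid": "alice"},
    {"program": "unknown", "chain": "OUTPUT", "proto": "tcp", "dport": 80,  "state": "NEW", "uid": "alice"},
    {"program": "unknown", "chain": "OUTPUT", "proto": "tcp", "dport": 445, "state": "NEW", "uid": "alice"},
    {"program": "sshd",    "chain": "INPUT",  "proto": "tcp", "dport": 22,  "state": "NEW", "iface": "eth0"},
    {"program": "unknown", "chain": "OUTPUT", "proto": "tcp", "dport": 80,  "state": "NEW", "uid": "nonet"},
]


def evaluate_samples(rules):
    return [(p["program"], p["chain"], p["dport"], verdict(rules, p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    rules = build_rules(no_net_user="nonet")
    print(render_ruleset(rules))
    for row in evaluate_samples(rules):
        print(row)
```

The rendered text is what you would feed to `iptables-restore` (Shorewall generates the equivalent from its own configuration files); the evaluator exists only to show which verdict each constructed packet would get, not to replace testing on a real host.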
You can use this tutorial to prevent applications from accessing the Internet. (It's a CLI solution)
http://ubuntuforums.org/showthread.php?t=1188099