LinuxQuestions.org


Raptor Ramjet 03-19-2004 08:48 AM

Workings of Linux Firewalls compared with Zone Alarm
 
Hello,

Despite having a hardware firewall on my ADSL modem I've just been playing around a bit with guarddog to set up the firewall on my Linux box (I'll try to get my head around native ipchains/iptables at a later date!).

But having done so I've contrasted the way that the Zone Alarm firewall works on my Windows box and I think there's room for enhancement/improvement in Linux firewall control. So really I'm just wondering what anyone else thinks?

For those not familiar with Zone Alarm the main difference is that it's geared to allow control at the application level whereas the Linux firewall seems geared to provide control at the protocol/ports level.

When using Zone Alarm the way it works is that all unsolicited connections from the internet are ignored and whenever a program on the local machine wants to connect to the 'net Zone Alarm will first ask me whether I want to allow this or not. I then answer yes or no and can optionally indicate that it should remember my preference (so I'm not asked again).

Similarly I am also prompted whenever a program wishes to behave as a server (there are also the usual facilities to open certain ports for inbound traffic and to allow greater access for local network connections etc. etc.)

Now as far as I know there aren't any Linux firewalls that have this functionality (I may well be wrong on this!) but I think it's an excellent idea. In the past it has been most helpful in finding trojans/spyware etc. on friends' PCs (as the local "person who knows about computers" I do a fair bit of helping out).

So I'm just curious as to what people think of the idea? And is it worth trying to raise this as a feature request with the relevant developers etc.?

I realise that someone with an in-depth knowledge of their system is probably already quite happy with the way Linux firewall works but, for a newbie especially, I think this would be a good thing - if only for the fact you'd get to know which programs were connecting to the 'net and for what.

I also realise that the problem of Trojans etc. is not quite as prevalent on Linux as it is on Windows (yet?) but I still think it's a really good feature (i.e. I've allowed outbound SMTP connections but why is "program X" trying to send mail?).

Finally I may well be completely off on this as, given the "granularity" of *nix systems, all programs on a Linux may well communicate through a central application so the idea may not be viable (I don't know Linux well enough to know whether this is the case).

Just some idle musings....

b0uncer 03-19-2004 10:27 AM

mm yeah, you're right about the ZoneAlarm, I haven't heard of any nice firewalls for linux either that'd do the same thing, and ask about programs one by one which can and which can't do this and that...

I also got annoyed by that thing in windows.... pop-up windows etc. even though I didn't want them - millions of them. but it'd be nice to have at least one app for linux so that those who want may use this thing :)

Bomb187 03-19-2004 10:32 AM

Well I notice this in windows too. many programs in windows try connecting to the net either for an update, checking to see if you have a pirate copy etc.... I don't know if there's a program that shows what's currently accessing the net, like a connection monitoring program, that would be cool. but seeing how you can view what's started when you boot up, I would think that only those programs would be able to access the net and no other tasks would be started without your input. In windows there are tasks that auto start, like spyware, services and dlls. I don't think linux works that way, which means you don't have to worry about blocking programs' access to the internet.

Lleb_KCir 03-19-2004 12:21 PM

I'm no guru and still a mega newbie, but I know enough about firewalls in general to answer some of your questions/comments.

1. firewalls are for LAN/WAN traffic control ONLY. that is what a true firewall does.

2. in linux you will have log files, don't ask me where they are located, do a /whereis to find them. both ipchains and iptables have the option to set up log files that will track whatever you want to track.

if you want to see what user, from what LAN IP requested what data from either LAN/WAN you can get that level of info from your log files if you set them up right.

a firewall is not supposed to monitor your software. that is basically a virus in itself. that is my #1 grief with things like black ice and other 'software firewalls'. they do things to your OS they are not supposed to do as a firewall.

they should be called system monitors not firewalls. last customer that had blackice on their system and was having problems getting something to install and run properly called me out. after 1 attempt at getting around blackice, I uninstalled it. cleaned out the registry of all its junk it left behind, then had zero issues getting his app to install/run properly.

if you are behind a NAT router, and that router has a firewall built into it, don't waste the system resources and screw up your OS by installing blackice.

all that being said. I have yet to see a software firewall that will run as well as a hardware one will. now that is not to say that there are not some linux software out there that will not make your linux box as strong and effective as a hardware firewall box, but from what little I've read I'd stick to learning iptables and code it that way if you really want to turn your linux box into a firewall.

now let the real linux gurus speak. mind you I'm an M$ guru.

Raptor Ramjet 03-24-2004 01:48 PM

Good points!

So I suppose the answer really is to look at the logs but I was just idly musing. Having said that I'd still like something to perform this functionality as well... I just like it.

Or perhaps that's just my current Linux ignorance/Windows experience speaking?

Cheers for the replies.

comp12345 05-11-2004 05:29 PM

The only firewall I have tried that works similar to Zone Alarm is Fiery Filter. It will give you a pop up screen just like Zone Alarm. But in its present form, it's not usable. The rule settings do not work. So it will give you a dialog box for every packet sent to the system. It also doesn't seem as if it is actively being developed at the moment.
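
Added example (not part of the thread and not any poster's code): the question running through the thread is which program is behind a given connection, e.g. why "program X" is sending mail. On Linux that can be answered without a pop-up firewall by joining /proc/net/tcp with the socket inodes under /proc/<pid>/fd. The sample table, the name program-x and the function names are constructed for illustration, and a little-endian host is assumed.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:D431 197100CB:0019 01 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 20 4 30 10 -1
"""
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

def decode_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25); assumes a little-endian host (x86/ARM)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_tcp_table(text):
    """Parse /proc/net/tcp text into dicts; the header row and short lines are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "state": STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": f[9]})
    return rows

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, command) by reading each /proc/<pid>/fd symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[link[8:-1]] = (int(pid), comm)
        except OSError:
            continue  # process exited, or not ours to inspect without root
    return owners

def outbound_to_port(rows, owners, port):
    """Programs holding a non-listening socket to the given remote port (25 = SMTP)."""
    return [(owners.get(r["inode"], (None, "unknown"))[1], r["uid"], r["remote"][0])
            for r in rows if r["state"] != "LISTEN" and r["remote"][1] == port]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        print(outbound_to_port(parse_tcp_table(fh.read()), socket_owners(), 25))
```

Run as root to see sockets owned by other users; without it, their connections still appear with the owning UID but the program shows as "unknown".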


All times are GMT -5.