LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 08-15-2005, 12:00 AM   #1
Trip in VA
Member
 
Registered: Dec 2003
Location: Charlotte Co., VA, USA
Distribution: Aptosid
Posts: 34

Rep: Reputation: 15
Blocking Specific Programs from Network Access?


Hello:

I was trying to figure out how to block particular programs from accessing the internet via a firewall, like ZoneAlarm does in Windows. I've seen tons of information about blocking and unblocking whole ports and IPs, which I've already been able to do, but I want to block some specific PROGRAMS in case I'm not catching everything. Is there a program and/or configuration that will help me?

Fedora Core 4 Kernel 2.6.11-1.1369

- Trip
 
Old 08-15-2005, 05:41 AM   #2
gazzamop
LQ Newbie
 
Registered: Aug 2005
Location: Melbourne, Aust.
Distribution: Gentoo/Ubuntu
Posts: 15

Rep: Reputation: 0
I can't profess to have the answer to your question, as I am unaware of any program that offers such features. I would think that such support for program specific blocking would need to be included in the Kernel, and I am fairly sure that it isn't there.

However I would ask why you want to block specific programs? There may be a better more elegant solution to your problem.

You can setup firewall rules that deny access based on ports - for example you could configure your firewall to only allow outgoing connections to port 80 so that only web browsing is permitted. Similar idea for other functions.

Linux is generally unaffected by the common Windows problem of spyware, adware, anti-piracy tools and other general nasty software 'features' that make tools like ZoneAlarm useful for Windows. In Linux this isn't normally a problem, since the programs written for linux have a dedicated task and won't access the network/internet unless it is part of their task.

So I would really like to know what programs you are trying to block (do they offer an option/configuration perhaps) and why you want to block them.
 
Old 08-15-2005, 06:37 AM   #3
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
The paradigm in Linux kernel for controlling network access is the standard source IP, destination IP and port filtering.
This one is inherited from the dedicated firewalls that sits on the edge of a network and thus don't know which process is running on a particular machine.

Since most programs use only a specific port or range of port to function this works fine. Instead of blocking a program, you block the port(s) it uses to access the Net.

Unfortunately if you have to deal with malicious programs that may be able to switch ports until they find one open, even using standard ports like http, this strategy is unsufficient.
Fortunately there is plenty of advanced features in 2.6 kernels firewall and yes gazazmop, there is provision to set rules using caracteristics of the originating process like its PID, UID, GID, SID and even process name (this requires that the feature was compiled in the kernel).
The respective filters are : --pid-owner, --uid-owner, --gid-owner, --sid-owner and --cmd-owner

So you can control finely at program level, user, group or session level what access you want to allow to your linux programs.

But then I don't know what was your specific need since to block access to a particular program, you need to know it and then you most probably know the ports it uses and it if it is maligne then you don't want to keep it on you system !
The problem when defending against mailicious activity is that you don't even know they are there. And even if you know a process name, this is not useful since a program can easily launch another copy of itself with a new, random, process name, thus defeating your rules based on name...

The real usefullness of using process name-based access control would be the opposite approach : Blocking all access except to some specific programs launched by specific trusted users. Using the full command path would also help in running a tight ship.
But as usual to have to plan well your security to avoid gets you stuck behind a locked system

Hope this helps.
 
Old 08-15-2005, 11:11 AM   #4
Trip in VA
Member
 
Registered: Dec 2003
Location: Charlotte Co., VA, USA
Distribution: Aptosid
Posts: 34

Original Poster
Rep: Reputation: 15
If you must know, I am very paranoid about applications calling home, especially applications that I need like Real Player. In Windows it tries to call home every 10 minutes, I don't think it does it in Linux but I'd just like to be sure and only open it when it needs access for streaming content.

Real Player is only one though. There are others.

- Trip
 
Old 08-15-2005, 03:25 PM   #5
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
Then if you are paranoid I would recommend you to implement a tighter security schedule than only filtering known apps.

Block everything by default, open needed ports and apps and then log any suspicious activity so you can open other needed ports/apps if need be.
Sure this requires more work than the default setting of a shorewall but it would ensure a more secure and private box.

To alleviate the management of these rules it would be quite useful to emulate the 'A new app tries to access the Net' warning of Kerio and others by filtering the firewall log, displaying new apps trying to open a connection in a little console somewhere on your screen.
If you are proficient in Gnome/KDE programmation you can even think of a real mini-app dockable in the mini icon bar that would manage these warnings, displaying them when you want them.

Happy paranoia !
 
Old 08-16-2005, 08:50 AM   #6
axobeauvi
Member
 
Registered: Apr 2003
Posts: 128

Rep: Reputation: 16
here is an example of how to stop doom3 from checking web
iptables -I OUTPUT -d 192.246.40.244 -j DROP
when a program calls out ,find out what it's doing and make a script to have it start with your network
 
Old 08-16-2005, 12:15 PM   #7
JaxŚn
Member
 
Registered: Apr 2005
Location: Sweden
Distribution: Debian
Posts: 142

Rep: Reputation: 15
You could always use xconsole or something to look at log files that kernel writes log messages about iptable. I use a terminal window (gnome-terminal) and write sudo tail -f /var/log/syslog /var/log/kern.log etc when I want to see what happening.
 
Old 08-16-2005, 12:21 PM   #8
marvelito
LQ Newbie
 
Registered: Jul 2005
Posts: 6

Rep: Reputation: 0
all in all linux is not so advanced in apps as windows so it cant offer such cool programs. if you find something similar to zonealarm in linux plz post link.
 
Old 08-16-2005, 01:21 PM   #9
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
The only missing thing is a neat interface sitting in the icon tray.
But then this is not terrible to program
And then I hate the flurry of icons in the Windows systray so not having one in Linux is not a great miss

The solution proposed by Jaxan is simple and quite flexible since you could add a grep in the middle to display only the firewall messages of interest to you.
Only the first blocked connexion attempt from an app for example.
But some uses could require a special logging rule.
 
Old 08-16-2005, 04:26 PM   #10
bigdogg
Member
 
Registered: Oct 2003
Distribution: Fedora Core 1
Posts: 80

Rep: Reputation: 15
Ahh what a good topic!! Iím still one of the many struggling Linux newbieís who want to switch over but still can get a firm hold on things such as this. Itís nice to right mouse click on the systray and go to task manager and see whatís running even do a netstat and see your open connections are but then you have an easy GUI firewall such as Zone Alarm to help you see what is going out to the internet. I too enjoy easy GUI programs and for us guys who are converting over it would be great to have an app like Zone Alarm ported over to Linux. Iím paranoid too because I really donít have a firm grasp on Linux yet it takes time and patience which most of the time I have neither:-) But thanks for creating the rules for allowing out bound traffic!! I only use 22, 80, 443 and I could create a few rules for those!! Thanks!!

Some paranoid commands you can run:

ps aux
netstat -an | grep LISTEN
lsof -i -n
lsof -i -n | grep <some port>

Granted I donít know the full meaning of them but they do help you with paranoid feelings!

-BiG
 
Old 08-17-2005, 02:31 AM   #11
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,604

Rep: Reputation: 47
bigdogg there is guarddog

www.simonzone.com/software/guarddog

I could not resist, if you are looking for a firewall with gui
(plenty more out there)
 
Old 08-17-2005, 05:21 AM   #12
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
bigdogg :

netstat list the connection on your machine, both local (UNIX sockets) and remote (network ones).
netstat allows many filter options so your use to catch all listening inet serveurs could be acheived with a simple netstat -l which is more efficient.
You could also add the -tu filter to select only the network sockets. t is for TCP connections and U for UDP.
So with a netstat -tul you get all network listening sockets.
Add the -p flag and you get the name of the process owning the socket.

Then about GUIs, the issue here is not a configuration GUI but a monitoring one.
There was some over there a while ago but with an outdated interface and I am not even sure they were upgraded to the 2.6 kernel.
 
Old 08-17-2005, 08:28 AM   #13
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231Reputation: 231Reputation: 231
Don't forget to pipe your commands through an appropriate less:
Code:
ps aux | less -S#21
The "-S" option keeps the output lines from folding, the "#21" part adjusts the horizontal scroll to 21 cols. per tap on an arrow key. I chose "21" because 3 presses of <Right_arrow> brings me to the beginning of the "COMMAND" field on my display. "32" will do the same in 2 keystrokes. These #'s were empirically determined. I learned the options by R'gT(F)M. Once you have one you like, consider aliasing it. Hint -- When using ls -l the following is very nice:
Code:
ls -la --color=always | less -RS#15
Here, the "--color=always" & the "-R" work together to preserve the ls color coding in the less display. Again, I R'edT(F)M's.

Last edited by archtoad6; 01-16-2006 at 08:41 AM.
 
Old 08-19-2005, 01:53 AM   #14
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,604

Rep: Reputation: 47
DTE and Medusa

Trip in VA, Marvelito

[edit: I thought these below were all good ideas, but maybe not:
too old for current kernel, difficult to install?, this a newbie perspective]

This might help your paranoia ;-). Medusa looks good.
(I have no experience with those, do not even know if they are still alive.
I stumbled accross these yesterday)
[edit http://freshmeat.net/projects/medusads9/ kernel <2.6 apparently and development stopped apparently]

medusa: This is a security system that causes the kernel to query a user daemon before letting any process on the system do anything. It is the most ubiquitous security
system out because it is entirely configurableóyou can make the user daemon
restrict anything however you like.

DTE: Domain and Type Enforcement works like this: When a program is executed, it is
categorized and only allowed to do certain things even if it is running as root.
These limitations are extended to child processes that it may execute. This is real
security; there are kernel patches to do this. The National Security Agency (of
the U.S.) (NSA) actually has a LINUX distribution built around DTE.

Paragraph quoted from
LINUX: Rute Userís Tutorial and Exposition by Paul Sheer
(I hope he does not mind...)

[edit addition - I cross referenced my search
and found http://www.linsec.org/
bit woaaw it is rather old and would it work with kernel 2.6?
<<IP Labeling lists enable restriction on allowed network connections on per program basis. From now on, you may configure your policy so that no one except your favorite MTA can connect to remote port 25>>
]



Last edited by Emmanuel_uk; 08-19-2005 at 02:51 AM.
 
Old 08-19-2005, 09:21 AM   #15
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
Sems like Medusa could have a severe performance impact...

Designing a feature like this is a real challenge and must be thought system wide.

Speaking of hardened Linux kernel and the NSA, have a look at SELinux(http://www.nsa.gov/selinux), an hardened kernel used in firewalls and other security devices, which was spinned of by the NSA computer research team.

Beware though that this is not for the faint of heart.
Deploying and using such a kernel have real functionnal impacts on your system and requires to think about what you do and be prepare to act accordingly to the security scheme you deploy.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
blocking specific websites, but allowing internet access poiuytrewq Linux - General 6 09-01-2006 12:45 AM
Blocking access to specific Websites and IP Ports fieldyweb Linux - Newbie 3 12-02-2005 06:32 AM
Allowing specific programs access to needed ports The MCP Linux - Security 5 03-31-2005 06:21 PM
how to block selected programs from access to network red11 Linux - Software 0 03-28-2004 10:08 PM
Blocking ports for a specific IP Shrimpy Linux - Networking 1 12-23-2002 12:48 PM


All times are GMT -5. The time now is 05:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration