LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 08-14-2005, 11:00 PM   #1
Trip in VA
Member
 
Registered: Dec 2003
Location: Charlotte Co., VA, USA
Distribution: Aptosid
Posts: 34

Rep: Reputation: 15
Blocking Specific Programs from Network Access?


Hello:

I was trying to figure out how to block particular programs from accessing the internet via a firewall, like ZoneAlarm does in Windows. I've seen tons of information about blocking and unblocking whole ports and IPs, which I've already been able to do, but I want to block some specific PROGRAMS in case I'm not catching everything. Is there a program and/or configuration that will help me?

Fedora Core 4 Kernel 2.6.11-1.1369

- Trip
 
Old 08-15-2005, 04:41 AM   #2
gazzamop
LQ Newbie
 
Registered: Aug 2005
Location: Melbourne, Aust.
Distribution: Gentoo/Ubuntu
Posts: 15

Rep: Reputation: 0
I can't profess to have the answer to your question, as I am unaware of any program that offers such features. I would think that such support for program specific blocking would need to be included in the Kernel, and I am fairly sure that it isn't there.

However, I would ask why you want to block specific programs. There may be a better, more elegant solution to your problem.

You can set up firewall rules that deny access based on ports - for example you could configure your firewall to only allow outgoing connections to port 80 so that only web browsing is permitted. Similar idea for other functions.

Linux is generally unaffected by the common Windows problem of spyware, adware, anti-piracy tools and other general nasty software 'features' that make tools like ZoneAlarm useful for Windows. In Linux this isn't normally a problem, since the programs written for Linux have a dedicated task and won't access the network/internet unless it is part of their task.

So I would really like to know what programs you are trying to block (do they offer an option/configuration perhaps) and why you want to block them.
 
Old 08-15-2005, 05:37 AM   #3
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
The paradigm in the Linux kernel for controlling network access is the standard source IP, destination IP and port filtering.
This one is inherited from the dedicated firewalls that sit on the edge of a network and thus don't know which process is running on a particular machine.

Since most programs use only a specific port or range of ports to function, this works fine. Instead of blocking a program, you block the port(s) it uses to access the Net.

Unfortunately, if you have to deal with malicious programs that may be able to switch ports until they find one open, even using standard ports like http, this strategy is insufficient.
Fortunately there are plenty of advanced features in the 2.6 kernel firewall and yes gazzamop, there is provision to set rules using characteristics of the originating process like its PID, UID, GID, SID and even process name (this requires that the feature was compiled into the kernel).
The respective filters are: --pid-owner, --uid-owner, --gid-owner, --sid-owner and --cmd-owner

So you can finely control, at program, user, group or session level, what access you want to allow to your Linux programs.

But then I don't know what your specific need was, since to block access to a particular program you need to know it, and then you most probably know the ports it uses; and if it is malign then you don't want to keep it on your system!
The problem when defending against malicious activity is that you don't even know they are there. And even if you know a process name, this is not useful since a program can easily launch another copy of itself with a new, random, process name, thus defeating your rules based on name...

The real usefulness of process name-based access control would be the opposite approach: blocking all access except to some specific programs launched by specific trusted users. Using the full command path would also help in running a tight ship.
But as usual, you have to plan your security well to avoid getting stuck behind a locked system.

Hope this helps.
 
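The deny-by-default, allow-by-owner approach plapla describes, as an added example that is not part of the thread. One caveat first: the --pid-owner, --sid-owner and --cmd-owner matches existed in the 2.6.11 kernel the original poster ran, but they were removed from the kernel in 2.6.14; current kernels keep only --uid-owner and --gid-owner (plus --socket-exists). So this script gets per-program control the portable way: each program that may open connections is started under a dedicated group, and the OUTPUT chain matches on that group's GID. The group names (netallow, netweb), the log prefix, the apply/show switch and the run_with_net helper are my assumptions, not anything from the thread; the rules must be applied as root, and the groups must exist (groupadd netallow; groupadd netweb; usermod -aG netallow,netweb trip).

```shell
#!/bin/sh
# Added example: deny-by-default egress with the iptables owner match.
# Only programs running with an allowed effective GID may open new
# connections; everything else is logged (with the UID that sent it) and dropped.
# Assumed names: groups "netallow" (any egress) and "netweb" (web + DNS only),
# log prefix "FW-OUT-DROP: ". Apply as root.
NET_GROUP="${NET_GROUP:-netallow}"
WEB_GROUP="${WEB_GROUP:-netweb}"
LOG_PREFIX="FW-OUT-DROP: "

# Print the rule set. The owner match sees only locally generated packets, so it
# is only meaningful in OUTPUT (and nat POSTROUTING). Pair it with a restrictive
# INPUT policy, otherwise an unsolicited inbound UDP packet can seed a conntrack
# entry whose replies pass the ESTABLISHED rule below.
emit_rules() {
  cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $NET_GROUP -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --gid-owner $WEB_GROUP -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m owner --gid-owner $WEB_GROUP -j ACCEPT
iptables -A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX" --log-uid
iptables -A OUTPUT -j DROP
EOF
}

# Start a program with its effective group set to the allowed group, so the
# sockets it creates carry that GID and match the --gid-owner rule.
# sg comes with shadow-utils; the caller must be a member of the group.
# Example: run_with_net realplay
run_with_net() {
  sg "$NET_GROUP" -c "$*"
}

case "${1:-show}" in
  apply) emit_rules | sh -e ;;   # root required; review with "show" first
  *)     emit_rules ;;
esac
```

A program that runs as root, or that is setgid, can change its own group and escape the match, so this is a control for well-behaved programs you want to keep on a short leash (the RealPlayer case), not a defence against a hostile process with privileges. Programs that only need the web get the netweb group, whose rule also has to admit DNS or the browser cannot resolve anything; if a local caching resolver is used, the loopback rule covers that instead.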
Old 08-15-2005, 10:11 AM   #4
Trip in VA
Member
 
Registered: Dec 2003
Location: Charlotte Co., VA, USA
Distribution: Aptosid
Posts: 34

Original Poster
Rep: Reputation: 15
If you must know, I am very paranoid about applications calling home, especially applications that I need like Real Player. In Windows it tries to call home every 10 minutes, I don't think it does it in Linux but I'd just like to be sure and only open it when it needs access for streaming content.

Real Player is only one though. There are others.

- Trip
 
Old 08-15-2005, 02:25 PM   #5
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
Then if you are paranoid I would recommend that you implement a tighter security schedule than only filtering known apps.

Block everything by default, open needed ports and apps and then log any suspicious activity so you can open other needed ports/apps if need be.
Sure this requires more work than the default setting of a shorewall but it would ensure a more secure and private box.

To alleviate the management of these rules it would be quite useful to emulate the 'A new app tries to access the Net' warning of Kerio and others by filtering the firewall log, displaying new apps trying to open a connection in a little console somewhere on your screen.
If you are proficient in Gnome/KDE programming you can even think of a real mini-app dockable in the mini icon bar that would manage these warnings, displaying them when you want them.

Happy paranoia !
 
Old 08-16-2005, 07:50 AM   #6
axobeauvi
Member
 
Registered: Apr 2003
Posts: 128

Rep: Reputation: 16
Here is an example of how to stop doom3 from checking the web:
Code:
iptables -I OUTPUT -d 192.246.40.244 -j DROP
When a program calls out, find out what it's doing and make a script to have it start with your network.
 
Old 08-16-2005, 11:15 AM   #7
Jaxån
Member
 
Registered: Apr 2005
Location: Sweden
Distribution: Debian
Posts: 142

Rep: Reputation: 15
You could always use xconsole or something to look at the log files where the kernel writes its log messages about iptables. I use a terminal window (gnome-terminal) and run sudo tail -f /var/log/syslog /var/log/kern.log etc. when I want to see what's happening.
 
Old 08-16-2005, 11:21 AM   #8
marvelito
LQ Newbie
 
Registered: Jul 2005
Posts: 6

Rep: Reputation: 0
All in all, Linux is not as advanced in apps as Windows, so it can't offer such cool programs. If you find something similar to ZoneAlarm in Linux, please post a link.
 
Old 08-16-2005, 12:21 PM   #9
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
The only missing thing is a neat interface sitting in the icon tray.
But then this is not terrible to program.
And then I hate the flurry of icons in the Windows systray, so not having one in Linux is not a great loss.

The solution proposed by Jaxån is simple and quite flexible since you could add a grep in the middle to display only the firewall messages of interest to you.
Only the first blocked connection attempt from an app, for example.
But some uses could require a special logging rule.
 
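The log-watching idea from plapla's posts #5 and #9 and Jaxån's post #7 (tail the kernel log, grep for the firewall messages, show only the first blocked attempt per app), as an added example that is not part of the thread. It assumes the LOG rule was written with --log-prefix "FW-OUT-DROP: " and --log-uid, which makes the kernel append UID= and GID= to each logged locally generated packet; with that, the "app" can be identified by the UID (or a dedicated per-program UID/GID) rather than by a process name, which plapla points out is trivial to fake. The sample log lines are constructed for the example; the log file name varies by distribution (/var/log/kern.log, /var/log/messages, or journalctl -kf on systemd systems).

```shell
#!/bin/sh
# Added example: a "new program is trying to reach the net" notifier built from
# the kernel's iptables LOG lines. Reports only the FIRST blocked attempt per
# (UID, protocol, destination port) so a chatty program does not flood the console.
# Assumed LOG rule: -j LOG --log-prefix "FW-OUT-DROP: " --log-uid
LOG_PREFIX='FW-OUT-DROP:'

# Read log lines on stdin, print one notice per new (uid, proto, dport) triple.
first_blocked() {
  awk -v prefix="$LOG_PREFIX" '
    index($0, prefix) == 0 { next }        # not one of our drop lines
    {
      uid = "?"; proto = "?"; dpt = "?"; dst = "?"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue                # bare flags such as DF or SYN
        if (kv[1] == "UID")        uid = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT")   dpt = kv[2]
        else if (kv[1] == "DST")   dst = kv[2]
      }
      key = uid SUBSEP proto SUBSEP dpt
      if (key in seen) next                # already reported this app/port
      seen[key] = 1
      printf "new blocked egress: uid=%s %s dst=%s dport=%s\n", uid, proto, dst, dpt
      fflush()                             # do not buffer when fed by tail -f
    }'
}

# Constructed sample input in the kernel LOG line format. Two attempts by the
# same UID to the same port, one UDP DNS attempt by another UID, and one
# unrelated sshd line that must be ignored.
sample_log() {
  cat <<'EOF'
Aug 15 10:21:03 box kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=192.246.40.244 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Aug 15 10:21:04 box kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=192.246.40.244 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Aug 15 10:21:09 box kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=10.0.0.53 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=37 UID=1001 GID=1001
Aug 15 10:21:10 box sshd[812]: Accepted publickey for trip from 192.168.1.20 port 50122 ssh2
EOF
}

# Offline demonstration. Live use: sudo tail -F /var/log/kern.log | first_blocked
sample_log | first_blocked
```

Turn the UID into a name with id -nu 1000 when you read the notices; if every program that may talk to the net runs under its own UID or GID, the UID column is effectively the program name, and it cannot be changed by the program renaming itself. Dropping the dport from the key gives one notice per program instead of one per program and port.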
Old 08-16-2005, 03:26 PM   #10
bigdogg
Member
 
Registered: Oct 2003
Distribution: Fedora Core 1
Posts: 80

Rep: Reputation: 15
Ahh what a good topic!! I'm still one of the many struggling Linux newbies who want to switch over but still can't get a firm hold on things such as this. It's nice to right mouse click on the systray and go to task manager and see what's running, even do a netstat and see what your open connections are, but then you have an easy GUI firewall such as Zone Alarm to help you see what is going out to the internet. I too enjoy easy GUI programs and for us guys who are converting over it would be great to have an app like Zone Alarm ported over to Linux. I'm paranoid too because I really don't have a firm grasp on Linux yet; it takes time and patience, which most of the time I have neither of :-) But thanks for creating the rules for allowing outbound traffic!! I only use 22, 80, 443 and I could create a few rules for those!! Thanks!!

Some paranoid commands you can run:

ps aux
netstat -an | grep LISTEN
lsof -i -n
lsof -i -n | grep <some port>

Granted I don't know the full meaning of them, but they do help you with paranoid feelings!

-BiG
 
Old 08-17-2005, 01:31 AM   #11
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,606

Rep: Reputation: 53
bigdogg there is guarddog

www.simonzone.com/software/guarddog

I could not resist, if you are looking for a firewall with gui
(plenty more out there)
 
Old 08-17-2005, 04:21 AM   #12
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
bigdogg :

netstat lists the connections on your machine, both local (UNIX sockets) and remote (network ones).
netstat allows many filter options, so your use to catch all listening inet servers could be achieved with a simple netstat -l which is more efficient.
You could also add the -tu filter to select only the network sockets. t is for TCP connections and u for UDP.
So with a netstat -tul you get all network listening sockets.
Add the -p flag and you get the name of the process owning the socket.

Then about GUIs, the issue here is not a configuration GUI but a monitoring one.
There were some out there a while ago but with an outdated interface and I am not even sure they were upgraded to the 2.6 kernel.
 
Old 08-17-2005, 07:28 AM   #13
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Don't forget to pipe your commands through an appropriate less:
Code:
ps aux | less -S#21
The "-S" option keeps the output lines from folding, the "#21" part adjusts the horizontal scroll to 21 cols. per tap on an arrow key. I chose "21" because 3 presses of <Right_arrow> brings me to the beginning of the "COMMAND" field on my display. "32" will do the same in 2 keystrokes. These #'s were empirically determined. I learned the options by R'gT(F)M. Once you have one you like, consider aliasing it. Hint -- When using ls -l the following is very nice:
Code:
ls -la --color=always | less -RS#15
Here, the "--color=always" & the "-R" work together to preserve the ls color coding in the less display. Again, I R'edT(F)M's.

Last edited by archtoad6; 01-16-2006 at 07:41 AM.
 
Old 08-19-2005, 12:53 AM   #14
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,606

Rep: Reputation: 53
DTE and Medusa

Trip in VA, Marvelito

[edit: I thought these below were all good ideas, but maybe not:
too old for current kernel, difficult to install?, this a newbie perspective]

This might help your paranoia ;-). Medusa looks good.
(I have no experience with those, do not even know if they are still alive.
I stumbled across these yesterday)
[edit http://freshmeat.net/projects/medusads9/ kernel <2.6 apparently and development stopped apparently]

medusa: This is a security system that causes the kernel to query a user daemon before letting any process on the system do anything. It is the most ubiquitous security
system out because it is entirely configurable—you can make the user daemon
restrict anything however you like.

DTE: Domain and Type Enforcement works like this: When a program is executed, it is
categorized and only allowed to do certain things even if it is running as root.
These limitations are extended to child processes that it may execute. This is real
security; there are kernel patches to do this. The National Security Agency (of
the U.S.) (NSA) actually has a LINUX distribution built around DTE.

Paragraph quoted from
LINUX: Rute User’s Tutorial and Exposition by Paul Sheer
(I hope he does not mind...)

[edit addition - I cross referenced my search
and found http://www.linsec.org/
but wow, it is rather old; would it work with kernel 2.6?
<<IP Labeling lists enable restriction on allowed network connections on per program basis. From now on, you may configure your policy so that no one except your favorite MTA can connect to remote port 25>>
]



Last edited by Emmanuel_uk; 08-19-2005 at 01:51 AM.
 
Old 08-19-2005, 08:21 AM   #15
plapla
LQ Newbie
 
Registered: Jul 2003
Distribution: Mandrake
Posts: 10

Rep: Reputation: 0
Seems like Medusa could have a severe performance impact...

Designing a feature like this is a real challenge and must be thought through system wide.

Speaking of hardened Linux kernels and the NSA, have a look at SELinux (http://www.nsa.gov/selinux), a hardened kernel used in firewalls and other security devices, which was spun off by the NSA computer research team.

Beware though that this is not for the faint of heart.
Deploying and using such a kernel has real functional impacts on your system and requires you to think about what you do and be prepared to act according to the security scheme you deploy.
 