LinuxQuestions.org


emoore 08-13-2007 07:49 PM

personal firewall that supports "ask me first"
 
I'm dual booting XP Pro and Kubuntu on a PC that's connected using a router that has a firewall. I'm running Kerio Personal Firewall 2.1.5 under Windows, which supports an "ask me first" mode. If it runs into something that's not covered by the rules it denies it while prompting me for permission. This displays a prompt that gives me details about what application is trying to make what type of connection, and also has a checkbox to create a rule. This means I don't have to research what an application connects to and how.

I use it mainly for managing applications that call home (not to deal with malware). What is a good equivalent under Linux?

I've read about Firestarter and FW-builder. While they allow you to control what applications can make outbound connections, they don't seem to support an "ask me first" feature. They also appear to have a default policy of enabling the firewall host to establish new connections to anything, which I interpret as meaning they're not as personal as Windows-based personal firewalls.

Suggestions?

ubuntora 08-14-2007 12:25 AM

That kind of firewall is very useful in Windows; some apps you want to not call home at all, understandable. But why in Linux? If you're worried about personal data leakage: 1st, the apps probably don't have it, and 2nd, they don't send out anything private. Conclusion: Windows stuff is proprietary, so you might not want Microsoft or some other company getting your info, but Linux stuff is free by default and secure by default. No worries.

b0uncer 08-14-2007 01:28 AM

Linux kernel has modules (called iptables) that can, among other things, be used to create a firewall. In addition to these kernel modules there needs to be a userspace program called iptables that controls the modules. When both of these are present, a firewall can be built using iptables command; often this job is done by writing a script that, when run, sets the firewall rules (it's easy to modify and re-run to "update" the firewall configuration). The rules are usually forgotten during reboot, so this script that creates the rules is usually set to run during boot process (as an init script) so that the rules are created at every boot. Read
Code:

man iptables
for more information, and the iptables website.

With iptables one can create a powerful firewall (and much more). However, it's an "invisible" firewall, in the sense that it doesn't pop up any questions to ask if you want this or that program to go through or not; it shouldn't, because it's not sure if the user has an environment that can show the popups, and it's not even sure there is somebody answering the questions - still the firewall has to run, even on headless machines. This is a different approach from most Windows firewalling programs, but in my opinion much more powerful, and if the system is configured sensibly, a very well working solution. I'm not sure if there are such firewalls for Linux that ask per-program if they can access; in my opinion it would just be a mess.

All these "graphical firewall programs" like FWbuilder or Firestarter, or at least all that I know of, are not firewall programs themselves. They are merely nice front-ends for iptables. It means that you can create the rulesets in a graphical environment, click buttons and have smilies all around the place, and when you "save" the configuration, the program produces a script file that runs the needed iptables commands to create the firewall setup that you wanted, and places that file into a place where it gets executed during the boot process. Put shortly, you can't do anything more with those programs than you can with iptables. Learning iptables syntax is a good idea in my opinion. The basics are easy and quick to learn, but it doesn't mean iptables would be "easy as in can't-do-complex-things".

Instead of having a false feeling of security while answering "yes/no" questions about program this or that, and not noticing if some program actually got past the check, and getting mad at answering those numerous questions, you should re-think how the whole process works. It's not that difficult. Then think of a ruleset that would keep you as secure as you want. Then just do it. Most people start off with a set that follows the "UNIX policy" of denying and then accepting: flush every rule and chain, to make a fresh start - then deny (DROP is the right word in this case) everything, and after that allow some specific things I really need. That's easier, a lot easier, than the Windows way of "allow anything possible that I don't explicitly tell you to deny". Fewer questions, fewer holes.

emoore 08-14-2007 02:46 AM

ubuntora:

Not everything I run will necessarily be open source. It could be something like Adobe Flash player or something I'm running under WINE. I've even had a few Firefox extensions call home.

b0uncer:

I'm basically just trying to stay in control of my PC, without going to a lot of work. I'm not trying to lock it down. Otherwise I'd have run the Comodo firewall (which does an excellent job of leak detection) or something like DiamondCS ProcessGuard (which controls what programs can run) under Windows rather than a lean firewall that's been obsolete for over four years.

I fully understand how FireStarter etc. leverage iptables. But my goal is ease of use, not maximum security. I want to use some sort of tool that supports the "ask me now" behavior that I'm used to. Sure, I'd learn more and be more secure if I learned how to write iptables scripts rather than using some front end. But I don't want to spend a lot of time figuring out what protocols an application uses or what address it calls under different circumstances, since the downside of something slipping past me is not that big a deal.

For the same reason I don't want to use something like AppArmor. That's nuclear overkill.

ethics 08-14-2007 07:09 AM

I HATE that (the amount of applications I've had crash because there's an interrupt in it trying to establish a network connection).

You could try guarddog, whilst it doesn't nag you like a wife on a power trip, it can be used to control access through the network interface.

It's configured for most COMMON applications, so you can simply allow/block what you want.

However, I can't understand why you wouldn't just block everything (as a lot of distros do anyhow) and then allow only what you need. I balked at facing iptables at first, but once you see some example firewall rules it's not too bad.

As for working out what IPs/protocols need allowing, you can check the iptables logs to see what it denied.

Not too difficult.

b0uncer 08-14-2007 07:44 AM

Iptables is far from obsolete, and in my holy opinion the best you can get to run on your PC without buying a specialized, external firewall unit (that could still run iptables in it without telling you). The basic iptables usage works for most users: drop everything, allow connections started by me or those that are related to such connections, and if there are some special cases, state them. It's a few short easy lines, and everything should work: your box can't be connected to from outside, you can connect anywhere you want, and connections that you start can connect back if needed (like IRC, some IM programs) because iptables does connection tracking and knows what is related to what (-m state --state ESTABLISHED,RELATED is usual).

Overkill in your case, if you just want it easy and don't care about being well secured, is to buy an external firewall or start making a bullet-proof, per-port-per-ip-per-mac-per-etc script. Doing a quick five-second search here at LQ for a basic firewall script, viewing it through, running it and making it run at bootup is not overkill and not difficult. And you don't get disturbed by questions, which just eat up your precious time (you can read the logs later).

Of course there are people who don't actually have anything to do, and just like it when they can all the time answer "yes" or "no" when a nice coloured pop-up jumps to their screen, asking if the browser could again access LQ site, tenth time this hour. But that's another story.
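As an added example (not a script from this thread or from any of the posters), here is the ruleset b0uncer describes, in his order: flush, DROP everything, allow connections I started and their related ones, then state the exceptions. It also logs what gets dropped (the logs ethics mentions checking) and uses iptables' owner match on OUTPUT, the nearest thing iptables offers to per-program control: closed-source programs are run as a dedicated user whose new outbound connections are logged and dropped. The iptables path, the interface name eth0 and the user name "wineapps" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a "drop by default"
# ruleset: flush, DROP policies, allow established/related traffic,
# then the specific exceptions. Assumptions: iptables is at $IPT, the
# outside-facing interface is eth0, and programs to be kept from
# calling home are run as the dedicated (hypothetical) user "wineapps".
IPT=${IPT:-iptables}
IFACE=${IFACE:-eth0}
WATCHED_USER=${WATCHED_USER:-wineapps}

# Print the rules instead of running them, so the script can be read
# through (or checked by a test) before it touches a live firewall.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -m owner --uid-owner $WATCHED_USER -m limit --limit 5/min -j LOG --log-prefix "FW-$WATCHED_USER: "
$IPT -A OUTPUT -m state --state NEW -m owner --uid-owner $WATCHED_USER -j DROP
$IPT -A OUTPUT -o $IFACE -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
EOF
}

# Number of rule lines; a quick sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Apply for real (needs root). Anything dropped shows up in the kernel
# log with an FW- prefix, which is where to look for what to allow next.
if [ "${1:-}" = apply ]; then
    build_rules | sh -e
fi
```

Run it as `sh firewall.sh` to review the rules and `sh firewall.sh apply` as root to load them; the owner-user DROP sits before the general NEW ACCEPT on purpose, since iptables takes the first matching rule.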

emoore 08-14-2007 08:05 AM

I find with Kerio I can usually make a decision quickly enough when it asks for permission that it doesn't cause a problem.

"It's configured for most COMMON applications, so you can simply allow/block what you want."
Applications, or protocols? I browsed the GuardDog online documentation and it seems for example that while I could enable POP, IMAP and SMTP protocols (and see what ports were used) to a server I couldn't specify whether just Thunderbird could use them. Or did I misunderstand the documentation?

"However i cant understand why you wouldn't just block everything (as a lot of distros do anyhow) and then allow only what you need."
That's what I want to do. The difference is that I don't want to have to explore log files afterwards and figure out what rules to create. I want something user friendly.
