Recommendation for an Application Firewall (open source or commercial)
Philip,
Thanks for pointing out that there are links above. I missed that.
The MS!=LNX blog was hilarious and very good in explaining that MS concepts need to be dropped and some ways of thinking need to be yanked.
I also read through chapter 9, Linux firewall. Apart from the mechanics of the configuration, the packet processing rules were quite familiar to me.
brebs
This is exactly what happens: every time I updated Chrome I was required to reconfigure the FW rules because it was recognized as a new application.
guys,
I still have a question un-answered.
If I allow IP traffic, -d 0/0 80 (any IP destination on port 80), can I configure the firewall in such a way that only, say, Firefox and Chrome are allowed to use this rule and all other applications are denied?
every time I updated chrome I was required to reconfigure the FW rules because it was recognized as a new application.
For me, that would be a big annoyance
Quote:
Originally Posted by gabyz
can I configure the firewall in such a way that only, say, Firefox and Chrome are allowed to use this rule and all other applications are denied?
What you can do is run apps forcing a particular group or user, and then the iptables rule can use that group/user as a filter, with --uid-owner and --gid-owner.
Thanks for the idea of using the user/group filter. Didn't know it existed.
I was thinking of defining an internet user for each user and then write a script that will run the browsers as the internet user.
This way, even if the user goes to a malicious site, the damage is limited to the browser space, as it won't have access to the user space.
Still need to find a script that changes uid transparently. I'll solve this when I get to it.
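The two ideas above (brebs's owner match on the OUTPUT chain and gabyz's plan to run browsers under a dedicated account) fit together in one script. The following is an added example, not code posted by anyone in the thread. It assumes a dedicated group named webclient, a dedicated account named browser that is a member of that group, an X11 session (for xhost) and a sudo rule that lets the calling user run commands as that account; all of those names are hypothetical. The owner match exists only for locally generated packets, so the rules live in OUTPUT, and --gid-owner compares the effective group of the process that created the socket, not its supplementary groups (recent iptables adds --suppl-groups for that), which is why the launcher goes through sg.

```shell
#!/bin/sh
# Added example (not from the thread): egress filtering by socket owner,
# plus a launcher that starts the browser under a dedicated, unprivileged account.
# Hypothetical names: group "webclient", user "browser".
# Usage:  sh browser-egress.sh rules                 -> print the iptables commands
#         sh browser-egress.sh apply                 -> run them (root)
#         sh browser-egress.sh run firefox https://example.org

WEB_GROUP="${WEB_GROUP:-webclient}"
BROWSER_USER="${BROWSER_USER:-browser}"
IPT="${IPT:-iptables}"

# run_or_print: echo the command when DRY_RUN is set, otherwise execute it.
run_or_print() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# egress_rules: OUTPUT-chain policy. The owner match is only available for
# locally generated packets (OUTPUT, and POSTROUTING in mangle), because the
# kernel knows the owning socket only there.
egress_rules() {
    # Loopback and replies to connections that were already allowed.
    run_or_print "$IPT" -A OUTPUT -o lo -j ACCEPT
    run_or_print "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The browser needs name resolution; restrict that to the same group.
    run_or_print "$IPT" -A OUTPUT -p udp --dport 53 -m owner --gid-owner "$WEB_GROUP" -j ACCEPT
    # Only sockets owned by the web group may open HTTP/HTTPS connections.
    for port in 80 443; do
        run_or_print "$IPT" -A OUTPUT -p tcp --dport "$port" \
            -m owner --gid-owner "$WEB_GROUP" -j ACCEPT
    done
    # Every other application, whatever its uid/gid, fails fast with REJECT.
    run_or_print "$IPT" -A OUTPUT -j REJECT
}

# launch_as_browser_user: start the browser as the dedicated account so the
# gid-owner rule matches and a compromised browser cannot read the caller's
# home directory. sg makes "webclient" the effective group, which is what the
# owner match compares; supplementary membership alone would not match.
launch_as_browser_user() {
    # Allow the dedicated local user to connect to the caller's X display.
    xhost +SI:localuser:"$BROWSER_USER" >/dev/null
    sudo -u "$BROWSER_USER" -H env DISPLAY="${DISPLAY:-:0}" \
        sg "$WEB_GROUP" -c "$*"
}

case "${1:-}" in
    rules) DRY_RUN=1 egress_rules ;;
    apply) egress_rules ;;
    run)   shift; launch_as_browser_user "$@" ;;
esac
```

One caveat a practitioner should expect: the group filter identifies who opened the socket, not which binary did, so anything the browser account can execute (a downloaded helper, a plugin) inherits the same egress rights. That is still a much smaller exposure than the caller's own account, which is the point of gabyz's plan.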
Quote:
Originally Posted by gabyz
I still have a question un-answered. If I allow IP traffic, -d 0/0 80 (any IP destination on port 80), can I configure the firewall in such a way that only, say, Firefox and Chrome are allowed to use this rule and all other applications are denied?
Gaby - Turning the problem "upside-down", I obtained a possible solution by combining iptables rules, a proxy software like Squid and individual configuration of the browser I wanted to allow to the Internet. I did this by using a dedicated box for the firewall and proxy, while connecting from a separate machine on the internal net.

I used iptables on the filtering box to drop everything coming to the internal interface, except hosts I wanted to allow on the port where the proxy was listening. Of course NAT rules allowing direct Internet access from the LAN were disabled. Then I configured the browser I wanted to use, by telling it to go through the proxy. This way all other applications were blocked by default.

One might also restrict write permissions on configuration files, so that users will not manipulate them, and set user/group ownerships as brebs suggested. This configuration was very straightforward, but Squid has lots of options and allows for complex authentication rules which I didn't investigate, but seem interesting. I didn't check if this can be set up on a stand-alone machine as well.
Last edited by Philip Lacroix; 04-03-2014 at 09:14 AM.
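Philip's proxy-only design, written out as an added example (this is not his configuration, which the post does not show). It assumes a filtering box whose internal interface is eth1, a LAN client at 192.168.1.10 that is the only host allowed to use the proxy, and Squid listening on port 3128; all of these values are hypothetical. The script prints the iptables commands for the filtering box and a minimal squid.conf fragment; no NAT rule is created, so a LAN application that is not configured for the proxy has no route out at all.

```shell
#!/bin/sh
# Added example (not Philip's own configuration): filtering box that admits
# only chosen LAN hosts to a Squid proxy and forwards nothing itself.
# Hypothetical values: eth1, 192.168.1.10, port 3128.
# Usage:  sh proxy-only.sh rules   -> print iptables commands
#         sh proxy-only.sh apply   -> run them (root)
#         sh proxy-only.sh squid   -> print a squid.conf fragment

LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.1.10}"   # space-separated list
IPT="${IPT:-iptables}"

# run_or_print: echo the command when DRY_RUN is set, otherwise execute it.
run_or_print() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# filter_rules: the proxy port is the only thing reachable from the LAN side,
# and the box never forwards LAN traffic, so there is no direct path out.
filter_rules() {
    # Never route packets between interfaces; a `-t nat` MASQUERADE rule
    # would hand every application direct Internet access again.
    run_or_print "$IPT" -P FORWARD DROP
    # Replies to connections the box itself initiated (e.g. to the client).
    run_or_print "$IPT" -A INPUT -i "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only listed hosts may talk to the proxy port.
    for h in $ALLOWED_HOSTS; do
        run_or_print "$IPT" -A INPUT -i "$LAN_IF" -s "$h" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    done
    # Everything else arriving on the internal interface is dropped.
    run_or_print "$IPT" -A INPUT -i "$LAN_IF" -j DROP
}

# squid_conf: the proxy enforces the same client list and limits CONNECT to
# 443, so a client cannot tunnel arbitrary TCP through it.
squid_conf() {
    cat <<EOF
# squid.conf fragment (added example)
http_port ${PROXY_PORT}
acl lan_clients src ${ALLOWED_HOSTS}
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan_clients
http_access deny all
EOF
}

case "${1:-}" in
    rules) DRY_RUN=1 filter_rules ;;
    apply) filter_rules ;;
    squid) squid_conf ;;
esac
```

On the client, the browser is pointed at 192.168.1.x:3128 and nothing else is changed; any other program that tries to reach port 80 directly simply times out at the filtering box. Keeping the client list in both iptables and squid.conf is deliberate: the firewall stops unwanted hosts before they touch the proxy, and Squid's own ACL still applies if the rules are ever flushed.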