LinuxQuestions.org
Old 05-31-2004, 10:44 PM   #1
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
Question Blocking Software


How do I block access to the internet for a particular software on the network? E.g. I wish to block Internet Explorer accessing the web but allow Mozilla, etc.

Thanks
 
Old 06-01-2004, 05:54 AM   #2
Technonotice
Member
 
Registered: Mar 2004
Location: UK
Distribution: Debian Unstable
Posts: 58

Rep: Reputation: 15
Crikey... that's rather difficult. The only way you can distinguish between the two is the User-Agent header that web browsers send. For IE it's something like:

Mozilla/4.0 (compatible; IE 6.0; Windows NT 5.1)

for IE 6 on Win XP. The (real) Mozilla on Linux:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv 0.9.2) Gecko/20010726 Netscape6/6.1

but that varies. Also, Mozilla has a plugin available that allows the user to fake their user agent (as some sites still refuse access to non-IE browsers) - the same with Opera.

The best way I can see of doing it is using Squid (proxy server) - I expect it can be configured to scan for certain text in the request and act on it. I don't have any more details on Squid though, not very familiar with it.

I know you can set up rules based on remote hosts, ports, the web address and all the rest so I expect it could scan the headers for similar text and filter it.

HTH.
 
Old 06-01-2004, 03:18 PM   #3
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
How does software like Symantec firewall resolve this, as on Windows I am able to block a particular software and allow another using products such as Symantec Firewall? Are there similar products in Linux?
 
Old 06-01-2004, 11:16 PM   #4
prosonik
LQ Newbie
 
Registered: Mar 2004
Location: Canada
Posts: 1

Rep: Reputation: 0
Hi,

Unfortunately, I'm not 100% familiar with Symantec firewall; however, I'm used to a lot of SOHO and personal firewalls. What you are talking about is not really cutting off IE and letting Moz through, but more limiting a service based on port number. With products like Symantec firewall, you can really do blocking like "ALLOW FTP Traffic" or "Allow Web Traffic". I'm not sure what your knowledge is of TCP, but basically, with every service (i.e., FTP, Web, MSN, Unreal Tourney), there is an associated port number or range of port numbers. When you use a consumer-level product like Symantec firewall, you generally are just allowing traffic to flow in and out of the ports you specify. So you are able to generically block all web traffic, but still not block JUST IE or Moz traffic.

On the topic of blocking a specific application under Windows, I'm going to talk generically. Without being familiar with the product, I can still make the assumption that Symantec Firewall, like every good Norton product, infests (integrates) itself on your system like a bad disease, and therefore might block the application from accessing the TCP/IP stack at the winsock level (or whatever they are calling it these days). Winsock is an API, or an interface to the IP-based network services on your PC. To put this simply, Symantec MIGHT replace or add some code to the default winsock to do some basic application authentication, so that only "ALLOWED" apps can actually talk to the winsock API, and the rest are simply ignored.

If you are trying to block use of an application locally (I'm not sure why you would be, since IE without Wine doesn't run on Linux), then consider just changing the application permissions, so the person simply can't execute the app.

How does this help you? Well, investigate what you're truly looking to do. I'm assuming you are talking about a personal firewall that sits on the same computer as what you're actually using. If you are talking about an environment where one PC acts as a router, and the rest of the computers on the network access the net through it, refer to the previous post about using Squid.

I hope this helps a bit

Ian Jackson

Quote:
Originally posted by Obie
How do software like Symantec firewall resolve this as on Windows I am able to block a particular software and allow another using products such as Symantec Fwall? Are there similar products in Linux?
 
Old 06-02-2004, 03:51 PM   #5
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
prosonik,

Thank you for your post. I wish to run a Linux Firewall on my home network, which also comprises 2 Windows machines. I wish to control via the Linux Firewall what software from the Windows machines can access the Internet; as in my example, I wish to disallow Internet Explorer and allow Mozilla. I understand from your post that each software has a port it would utilise to access the Internet.

1) How do I find more information on these ports?
2) How do I block them?

I gather from the past 2 posts that I should use SQUID; however, would it work with what I wish to achieve? Also, where can I download SQUID from?

Thanks
 
Old 06-03-2004, 06:08 PM   #6
Robert G. Hays
Member
 
Registered: Jan 2003
Location: Atlanta, Ga., USA
Distribution: Gentoo, Mandrake, ~others
Posts: 157

Rep: Reputation: 30
OK, first, comments on other info here -- Norton Personal Firewall definitely can control individual apps by name-&-location, *and* it can provide whole-computer rules for all programs that NPF is not specifically told about; I know, I use it on my (eek!) W98se boot.

Linux:

The usual (underlying) firewall in Linux is iptables.

Second, there are several firewall/helper/&c apps for Linux. The only one I know at all right now is ShoreWall (Shoreline Firewall). This seems to offer to set up both of the coverages that NPF offers Win-victims.

At the risk of providing info that is too advanced, modern iptables has an ability to use loaded kernel modules to "do things" with packets; accept, reject, redirect, *modify*, etc. These modules can be written by (you) if-&-as desired, via gcc or equivalent. I will soon be adding some of these to my own computers & the servers I maintain. Sorry, I haven't started this yet, so I can't yet give any better details, but it is something to think about, if you know C-programming & know-or-can-find IP-packet details.

Good luck however you do it!

 
Old 06-03-2004, 10:44 PM   #7
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Robert G. Hays,

Thank you for your help and advice.
 
Old 06-03-2004, 11:08 PM   #8
Robert G. Hays
Member
 
Registered: Jan 2003
Location: Atlanta, Ga., USA
Distribution: Gentoo, Mandrake, ~others
Posts: 157

Rep: Reputation: 30
Smile Blocking software

You're Welcome!

(& I hope it helped or even better yet that you already got it solved, given the age!)

Robert.
 
Old 06-04-2004, 05:48 PM   #9
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
If you're running an NT based (2k / XP) OS, you can disallow user access to IE through group or system policies ( Start > Run > gpedit.msc ). If you're using NT4, Start > Run > Poledit. Google and take your time when changing stuff in gpedit.msc / poledit.

IIRC for Win98 / 95 you can rename or move the IE executable so it can't be run normally.

Depends if your concern is users using an unpatched IE installation / crap browser or the system dialling out through IE.

Anyway, enough w32 stuff.

Pete
 
Old 06-07-2004, 05:23 AM   #10
Technonotice
Member
 
Registered: Mar 2004
Location: UK
Distribution: Debian Unstable
Posts: 58

Rep: Reputation: 15
The only way you're going to be able to block it is to either run a program on the local machine (if you have access) to kill off I.E. processes or to run the filtering through a proxy such as Squid.

As both Moz and IE are web browsers - they use the same ports and so a firewall will be no good to you (lower level) - the only way in which it would is as Robert suggested: there *may* be a module available for scanning of the passing packets, but as with setting up a proxy, you'll have to know about TCP/IP and the networking that's going on.

The only other thing I will point out is that Windows Explorer will use the same "User-agent" field when it makes HTTP requests - so there would be no access from that either. I don't know what the Windows Update system does, so you'd have to either packet sniff it first or whatever to make sure you don't take out services you want!
 
Old 06-07-2004, 10:52 AM   #11
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
Well, Symantec works locally, so it can use an upgraded version of netstat -o + checking PIDs to see what program is using what socket, and then allow or deny it.

Perhaps a well (very well) written Squid ACL could do that... but not really useful. The best way there would be to either deny access based on IP (or MAC) or to configure a proxy and deny all other access. Thus allowing Mozilla but not IE (local configs both). But that won't work with smart users... :-)

Anyway, my personal policy is to try and educate the users... If you tell them: here, use MOZILLA because it's better than IE in this and that... then they might just turn to Mozilla. And yes! You have Mozilla on Windows; I use it because I think IE is the biggest aberration in the world. It's like a bicycle by Pioneer or B&W.
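
Added example, not part of any post in this thread: a dry run of the User-Agent rule discussed above (the same regex you would give Squid's `browser` ACL type), run over proxy log lines before anything is blocked, so you can see which other requests share the IE agent string. It assumes the proxy logs the User-Agent in Apache-style "combined" lines; the sample lines, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# Candidate block rule: a case-insensitive regex matched against the
# User-Agent request header. Real IE 6 sends the token "MSIE 6.0".
BLOCK_PATTERN = re.compile(r"MSIE", re.IGNORECASE)

# Apache-style "combined" line: client, timestamp, request, status, bytes,
# referer, user agent. Any trailing fields after the agent are ignored.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample traffic from two LAN clients (not real log data).
SAMPLE_LOG = """\
192.168.0.10 - - [07/Jun/2004:10:01:02 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.10 - - [07/Jun/2004:10:01:09 -0500] "GET http://updates.example.net/catalog.cab HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.11 - - [07/Jun/2004:10:02:15 -0500] "GET http://www.example.org/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
192.168.0.11 - - [07/Jun/2004:10:03:40 -0500] "GET http://www.example.com/ie-only HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
garbage line that does not parse
"""

def dry_run(log_text, pattern=BLOCK_PATTERN):
    """Return (would_block, would_allow, unparsed) without blocking anything."""
    would_block = defaultdict(set)   # client -> URLs the rule would deny
    would_allow = defaultdict(set)   # client -> URLs the rule would pass
    unparsed = []                    # lines to inspect by hand, never dropped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        bucket = would_block if pattern.search(m["agent"]) else would_allow
        bucket[m["client"]].add(m["url"])
    return dict(would_block), dict(would_allow), unparsed

def mixed_clients(would_block, would_allow):
    """Clients seen with both agents: a second browser or a faked User-Agent."""
    return sorted(set(would_block) & set(would_allow))

if __name__ == "__main__":
    blocked, allowed, bad = dry_run(SAMPLE_LOG)
    for client, urls in sorted(blocked.items()):
        print(client, "would lose:", ", ".join(sorted(urls)))
    print("mixed agents:", mixed_clients(blocked, allowed), "unparsed:", len(bad))
```

The header alone cannot tell a real IE request from another program sending the same string, so review the "would lose" URLs for services you still need before turning the rule into a deny.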
 
All times are GMT -5. The time now is 02:30 PM.