Linux - Security
I'm looking for a firewall for an Ubuntu/Gutsy laptop that will not only firewall connections, but allow restrictions on individual applications for connections to a particular port, or address.
I'm not sure - if yes, a web search should give you a few dozen pay-for applications, or probably nothing. The Linux "built-in" firewall, called iptables in today's kernel series, works on a per-connection, not a per-application, basis. Windows firewall software usually works the other way around, and that's how a lot of people expect it to work everywhere. I personally find iptables way more suitable (for me, that is), as it allows for rather easy configuration of things on a big scale, and doesn't force the user to answer yes-no-"dunno" questions all the time when an application has been updated, moved, or Windows/the software just feels like it. In Vista it's a real pain (the questions, I mean).
You should create your firewalls so that they restrict anything you don't explicitly allow. Then take a look at the things iptables offers (read the man page and their website), like connection tracking - after reading the documentation (which you need to do, if you want to understand things in order to know how to achieve your goal) you should have a fairly good idea of how to do things.
I feel it's rather dangerous to set firewalling rules on a per-application basis. What if one application had "rights" to send/receive things over the network, and some other application didn't - and then somebody camouflaged the applications a bit, so that an application that shouldn't be able to communicate could do so because it looked like the other application?
You will need a plugin for the kernel's netfilter module. There is one that will allow the execution of a user script, which is usually done to check the application and the checksum of the application. However, IMHO, logging would be better at determining if you have an ill-behaved program. If you actually managed to install malware, a wiped drive and reinstallation is in order.
You could make the application run as a particular user and then use the --uid-owner option to specify that you want the rules to apply only to packets generated by that user. You could also play with the --cmd-owner option, which lets you match a packet based on the name of the command that created it. These options are part of the owner module.
I would prefer to have a Linux laptop with equal representation and ability to a Windows counterpart. Firewall rules are cumbersome and complex on either platform (IMHO), but it would be great to have, for example, an Ubuntu Gutsy laptop that can:
1. Deny 'all' internet access for a particular application
2. Allow bittorrent traffic for 'only' one application
3. Have a visual pop up warning when someone tries to connect via port 137 IN udp
4. Allow 'only' TCP connections for an application, and 'only' to a particular host.
Quote:
1. Deny 'all' internet access for a particular application
2. Allow bittorrent traffic for 'only' one application
3. Have a visual pop up warning when someone tries to connect via port 137 IN udp
4. Allow 'only' TCP connections for an application, and 'only' to a particular host.
Well, #1, #2, and #4 should be doable with the owner module.
Not sure how you'd do #3 but it can't be too hard - Ubuntu comes with a desktop notification daemon.
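The owner-module approach suggested in the two replies above (run each application as its own user, then match with --uid-owner), worked through for all four numbered requirements. This is an added example, not code posted in the thread. It uses only --uid-owner: the --cmd-owner match was removed from the kernel well before the 2.6.22 that Gutsy ships, so matching on command name is not available there. Everything named in it is a hypothetical assumption: the users "sandboxed" (#1, no network at all), "torrent" (#2, the only user allowed TCP 6881-6889, an assumed BitTorrent port range) and "mailer" (#4, TCP to the single host 192.0.2.10 and nothing else), the log path /var/log/kern.log, and notify-send (from libnotify) as the pop-up for #3. For #3 the rule set logs inbound UDP/137 with a fixed prefix and a watcher turns each logged line into a desktop notification; the sample log line in the script is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): per-application firewalling with the
# iptables owner module. Each application is started as a dedicated UID and
# the OUTPUT chain matches on that UID. All user names, ports, the host
# 192.0.2.10 and the log path are hypothetical assumptions.

# Emit a complete iptables-restore rule set. Arguments: the user that gets no
# network (#1), the only user allowed BitTorrent ports (#2), the user limited
# to TCP towards one host (#4), and that host.
gen_rules() {
    deny_user=$1; torrent_user=$2; tcp_user=$3; tcp_host=$4
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# #3: log NetBIOS name-service probes with a fixed prefix for the watcher below
-A INPUT -p udp --dport 137 -m limit --limit 6/min -j LOG --log-prefix "NBNS-PROBE: "
# #2 (inbound half): owner matching only exists for locally generated packets,
# so incoming peer connections can only be tied to the listening port, not a UID
-A INPUT -p tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# #1: the denied user may not send anything except over loopback
-A OUTPUT -m owner --uid-owner $deny_user -j REJECT
# #2 (outbound half): only the torrent user may talk to the BitTorrent range
-A OUTPUT -p tcp --dport 6881:6889 -m owner --uid-owner $torrent_user -j ACCEPT
-A OUTPUT -p tcp --dport 6881:6889 -j REJECT
# #4: this user gets TCP to one host and nothing else
-A OUTPUT -p tcp -d $tcp_host -m owner --uid-owner $tcp_user -j ACCEPT
-A OUTPUT -m owner --uid-owner $tcp_user -j REJECT
COMMIT
EOF
}

# Constructed sample of the kernel log line the LOG rule above would produce.
SAMPLE_LOG='Jan  1 12:00:00 laptop kernel: NBNS-PROBE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.20 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58'

# Turn one logged line into the text shown in the pop-up (#3).
notify_text() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    printf 'NetBIOS name-service probe from %s to UDP port %s\n' "$src" "$dpt"
}

# Follow the kernel log and raise a desktop notification for each probe (#3).
# Assumes notify-send is installed and the caller has a desktop session.
watch_log() {
    logfile=${1:-/var/log/kern.log}
    tail -Fn0 "$logfile" | while read -r line; do
        case $line in
        *NBNS-PROBE:*) notify-send 'Firewall' "$(notify_text "$line")" ;;
        esac
    done
}

case ${1:-} in
rules) gen_rules sandboxed torrent mailer 192.0.2.10 ;;
apply) gen_rules sandboxed torrent mailer 192.0.2.10 | iptables-restore ;;
watch) watch_log ;;
esac
```

Run `sh appfw.sh rules` to review the generated rule set, `sudo sh appfw.sh apply` to load it, and `sh appfw.sh watch` from the desktop session to get the pop-ups; the applications themselves are then started as their assigned users (for example `sudo -u torrent <client>`). Binding the rules to a UID rather than to an executable name is also what answers the camouflage worry raised earlier in the thread: a copied or renamed binary still runs under whichever user launched it, and only root can change that.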
It's frustrating when Windows has an advantage. It seems there is no parallel method for #1-4 above via a firewall, as there is in Windows.
Well, a solution that meets the requirements you've described doesn't sound too difficult to create (assuming one doesn't exist already). Perhaps you could use this as an opportunity to start your own project. I mean, this is how a lot of open source projects get started, someone has an itch to scratch, etc. Apparently not enough developers share this itch of yours at the moment. But it does sound like a pretty cool idea, though. I can imagine some future Ubuntu version spamming us with pop-ups ZoneAlarm style.
Quote:
Thanks for the recommendations.
No problem. BTW, I remember someone asking something like this a couple years ago, and a link was posted to a project which was sort of trying to achieve something like this (using a much more effective method than the iptables owner module). I'm sure if you search a bit you will find said post.