LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-02-2008, 04:18 AM   #1
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Rep: Reputation: 15
Firewall a single application...


Hi.

I'm looking for a firewall for an Ubuntu/Gutsy laptop that will not only firewall connections, but allow restrictions on individual applications for connections to a particular port, or address.

Does this exist ?

Thank you
Akonbobot
 
Old 03-02-2008, 04:40 AM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
I'm not sure - if yes, a web search should give you a few dozen pay-for applications, or probably nothing. The Linux "built-in" firewall, called iptables in today's kernel series, works on a per-connection, not per-application, basis. Windows firewall software usually works the other way around, and that's how a lot of people expect it to work everywhere. I personally find iptables way more suitable (for me, that is), as it allows for rather easy configuration of things on a big scale, and doesn't force the user to answer yes-no-"dunno" questions all the time when an application has been updated, moved, or Windows/the software just feels like it. In Vista it's a real pain (the questions I mean).

You should create your firewalls so that they restrict anything you don't explicitly allow. Then take a look at the things iptables offers (read the man page and their website), like connection tracking - after reading the documentation (which you need to do, if you want to understand things in order to know how to achieve your goal) you should have a fairly good idea of how to do things.

I feel it's rather dangerous to set firewalling rules on per-application basis. What if one application had "rights" to send/receive things over the network, and some other application didn't - and then somebody camouflaged the applications a bit, so that it looked like some application that shouldn't be able to communicate could do it because it looked like it was the other application?
 
Old 03-02-2008, 05:56 AM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
You will need a plugin for the kernel's netfilter module. There is one that will allow the execution of a user script, which is usually done to check the application and the checksum of the application. However, IMHO, logging would be better at determining if you have an ill-behaved program. If you actually managed to install malware, a wiped drive and reinstallation is in order.
 
Old 03-02-2008, 11:07 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
You could make the application run as a particular user and then use the --uid-owner option to specify that you want the rules to apply only to packets generated by that user. You could also play with the --cmd-owner option, which lets you match a packet based on the name of the command that created it. These options are part of the owner module.
 
Old 03-02-2008, 12:24 PM   #5
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks all.

I would prefer to have a Linux laptop with equal representation and ability as a Windows counterpart. Firewall rules are cumbersome and complex on either platform (imho) but it would be great to have, for example, an Ubuntu Gutsy laptop to:

1. Deny 'all' internet access for a particular application
2. Allow bittorrent traffic for 'only' one application
3. Have a visual pop-up warning when someone tries to connect via port 137 in UDP
4. Allow 'only' TCP connections for an application, and 'only' to a particular host.

Are any of the above possible ?

Thank you
Akonbobot
 
Old 03-02-2008, 04:39 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by Akonbobot View Post
1. Deny 'all' internet access for a particular application
2. Allow bittorrent traffic for 'only' one application
3. Have a visual pop-up warning when someone tries to connect via port 137 in UDP
4. Allow 'only' TCP connections for an application, and 'only' to a particular host.
Well, #1, #2, and #4 should be doable with the owner module.

Not sure how you'd do #3 but it can't be too hard - Ubuntu comes with a desktop notification daemon.
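One way to get the pop-up for #3, as an added shell example that is not from the thread: an iptables LOG rule on inbound UDP port 137 (rate-limited with `-m limit` so a scan cannot flood the log) writes a kernel log line, and a small watcher follows the log and hands each hit to the desktop notification daemon. Assumptions, not taken from the thread: the LOG rule uses the prefix NETBIOS-NS-PROBE, the log lands in /var/log/kern.log as on Ubuntu, and notify-send from the libnotify-bin package is used for the pop-up (the watcher falls back to printing when it is absent). The sample log line is constructed in the netfilter LOG format.

```shell
#!/bin/sh
# Added example, not code from the thread: turn netfilter LOG lines for inbound
# udp/137 probes into desktop notifications. Assumed rule that produces the lines:
#   iptables -A INPUT -p udp --dport 137 -m limit --limit 6/min \
#       -j LOG --log-prefix 'NETBIOS-NS-PROBE: '
#   iptables -A INPUT -p udp --dport 137 -j DROP

# Constructed sample line in the format the kernel's LOG target writes.
SAMPLE_LINE='Mar  2 11:07:01 laptop kernel: [ 1234.567890] NETBIOS-NS-PROBE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58'

probe_summary() {
    # $1: one log line. Prints "SRC PROTO DPT" for lines carrying our prefix;
    # returns 1 (prints nothing) for every other line.
    case "$1" in
        *"NETBIOS-NS-PROBE: "*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p')
    proto=$(printf '%s\n' "$1" | sed -n 's/.*PROTO=\([^ ]*\).*/\1/p')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([^ ]*\).*/\1/p')
    printf '%s %s %s\n' "$src" "$proto" "$dpt"
}

alert() {
    # Desktop pop-up via libnotify's notify-send (libnotify-bin on Ubuntu);
    # print instead when it is missing so the watcher still works on a headless box.
    if command -v notify-send >/dev/null 2>&1; then
        notify-send -u normal "Firewall" "$1"
    else
        printf 'ALERT: %s\n' "$1"
    fi
}

watch_kernel_log() {
    # Follow the log (default /var/log/kern.log) and alert on every matching line.
    # Needs read access to the log (adm group on Ubuntu) and a DISPLAY for the pop-up.
    tail -F "${1:-/var/log/kern.log}" | while IFS= read -r line; do
        summary=$(probe_summary "$line") || continue
        alert "Inbound probe: $summary"
    done
}

# Stand-alone demonstration on the constructed line; run watch_kernel_log for real use.
probe_summary "$SAMPLE_LINE"
```

The parser is deliberately prefix-gated: anything without the LOG prefix is ignored, so the watcher can read a log shared with unrelated kernel messages. The `-m limit` on the rule and the fact that only the first hit per interval is logged keep one noisy neighbour from turning the desktop into a stream of pop-ups.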
 
Old 03-03-2008, 10:58 AM   #7
Akonbobot
Member
 
Registered: Nov 2004
Distribution: Debian, Fedora, Puppy
Posts: 43

Original Poster
Rep: Reputation: 15
It's frustrating when Windows has an advantage. Seems there is not a parallel method for #1-4 above via firewall, as in Windows.

Thanks for the recommendations.
Akonbobot
 
Old 03-03-2008, 12:31 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by Akonbobot View Post
It's frustrating when Windows has an advantage. Seems there is not a parallel method for #1-4 above via firewall, as in Windows.
Well, a solution that meets the requirements you've described doesn't sound too difficult to create (assuming one doesn't exist already). Perhaps you could use this as an opportunity to start your own project. I mean, this is how a lot of open source projects get started, someone has an itch to scratch, etc. Apparently not enough developers share this itch of yours at the moment. But it does sound like a pretty cool idea, though. I can imagine some future Ubuntu version spamming us with pop-ups ZoneAlarm style.

Quote:
Thanks for the recommendations.
No problem. BTW, I remember someone asking something like this a couple years ago, and a link was posted to a project which was sort of trying to achieve something like this (using a much more effective method than the iptables owner module). I'm sure if you search a bit you will find said post.

Last edited by win32sux; 03-03-2008 at 12:32 PM.
 
  


All times are GMT -5.