Old 12-27-2011, 12:58 AM   #1
verdaz
LeopardFlower: APPLICATION-based Firewall for Linux


I recently discovered this "Leopard Flower" firewall app hosted at SourceForge.
Quote:
LeopardFlower APPLICATION-based Firewall for Linux:
http://sourceforge.net/projects/leopardflower/

Personal firewall for Linux OS (based on libnetfilter_queue) which handles allow or deny Internet access
on a per-application basis rather than on a port/protocol basis.


from the README file:

----Leopard Flower 0.4 (released Oct 2011)----

Leopard Flower (LPFW) gives the user control over which applications are allowed to use the network. It consists of a backend/daemon and a graphical frontend.

These instructions apply specifically to Ubuntu 10.10 but are very likely to work on other Linux distributions.

The following packages must be installed for lpfw to work:
libnetfilter-queue
libnetfilter-conntrack
libnfnetlink

SIMPLE CONFIGURATION:
1. Make sure files lpfw and lpfwgui are in the same folder
2. In a terminal window launch "lpfw" as root
3. In a terminal window of an X session launch "lpfw --gui" as a regular user (not root). You will see the graphical frontend.
4. If you prefer to use a command line frontend instead of the graphical one, issue "lpfw --cli" in a terminal window of an X session.




ADVANCED CONFIGURATION:
1. If you don't want lpfw to look for lpfwcli/lpfwgui in the same folder, you can pass to lpfw a command line option --cli-path=/--gui-path= followed by a path to lpfwcli/lpfwgui
2. If you want lpfw to start upon system boot-up, lpfw.conf is an upstart script which should be placed into /etc/init. (If your distro doesn't use upstart, then the script should be adjusted to your distro's needs.) This script expects to find lpfw in /usr/sbin
3. 30-lpfw.conf can be placed into /etc/rsyslog.d if you want logs to go to syslog
4. Assuming lpfw was launched either by upstart or manually as root, in a terminal window of an X session launch "lpfw --cli"/"lpfw --gui" as a regular user (not root). You will see an ncurses-based/graphical frontend. (By default lpfwcli uses zenity popups. If you don't want to use zenity run ./lpfw --cli --no-zenity)




COMMANDLINE ARGUMENTS:
These can be also seen with "lpfw --help".

--rules-file=
File to which rules are committed (default: /etc/lpfw.rules)

--logging_facility=
Where to write logs. Possible values stdout(default), file, syslog

--log-file=
If --logging_facility=file, then this is the file to which to write logging information. Default /tmp/lpfw.log

--pid-file=
Pidfile which prevents two instances of lpfw being launched at the same time. Default /var/log/lpfw.pid

--cli-path=
Path to lpfwcli ncurses frontend. It will be launched in xterm window. Default: in the same folder as lpfw

--gui-path=
Path to a standalone graphical frontend. Default: in the same folder as lpfw

--guipy-path
Path to python-based graphical frontend lpfwgui.py. It will be launched in python. Default: in the same folder as lpfw

--log-info=
--log-traffic=
--log-debug=
Enables different levels of logging. Possible values 1 or 0 for yes/no. Default: all three 1.

To invoke a frontend, issue the following:
lpfw --cli Ncurses
lpfw --gui Standalone
lpfw --guipy Python-based




KNOWN ISSUES:
1. lpfwcli can be invoked only from within an X session; it can't work under a pure tty (for security reasons).
2. Only one program can send ICMP packets simultaneously; if more than one does, LPFW blocks both.
3. Only IPv4 is supported, IPv6 support is underway.
4. A combination of exceptionally large executables (20Mb+) + slow CPU may result in a 2+ seconds delay when an application connects to the web for the first time, due to heavy calculations performed by the sha512 checksumming function.
5. Only TCP, UDP, ICMP (partly, see above) protocols are supported. If your system happens to use any other transport protocol besides TCP/UDP/ICMP and you don't want those packets discarded by lpfw, consider adding a rule to iptables something like: >>> iptables -I OUTPUT 1 -p udplite -j ACCEPT <<< This rule should precede the NFQUEUE rule.
6. Access to network filesystems like NFS, CIFS, SMB and others or to in-kernel servers like khttpd will not be detected by LPFW since such access doesn't create user-space sockets. You will have to manually add iptables rules for such services.
7. If LPFW crashes, the user will have to issue "iptables -F" as root to be able to access the internet without restarting the computer.
8. After going to sleep and waking up the PC, LPFW doesn't work properly; it has to be restarted.
9. Albeit lpfwgui is a simple frontend, it consumes 30+ Mb of memory. An attempt to reduce memory consumption is underway.





THE REST OF THIS FILE'S CONTENTS IS TECHNICAL INFORMATION FOR SYSTEM ADMINISTRATORS AND ADVANCED USERS:


HEADLESS MODE - WITHOUT FRONTEND:
If you want to run LPFW without the frontend, you may want to edit the rules file manually.
By default rules are written to /etc/lpfw.rules in the following blocks of text:

full path to the executable file <new line character>
ALLOW ALWAYS or DENY ALWAYS <new line character>
executable file's size in bytes <new line character>
executable file's sha512 sum in hexadecimal representation <new line character>
(optional line) additional options like [CPUHOG] <new line character>
the block ends with a <new line character>

Example:
--------------------------------------------------
/usr/bin/wget
ALLOW ALWAYS
333356
083c1c88f8ded3cc1d6f83687e3092efab938d6a18ad5f95728189861e9d7bb145651a3a0b7846df69f02f10c50e45361880d4ea2549615a655643ed0bd20fa9
[CPUHOG]

/home/wwwwww/apps/browsers/opera-11.10-2048.i386.linux/lib/opera/opera
ALLOW ALWAYS
16634040
7c4f6bd7c742c4bb8096e18fea5f92c6eade14152cf0ccdd36934b61ce1f578553e65be377408d34727c9aabed4ab3842f8cbbe776cd156d75f160925bea8c9f

---------------------------------------------------------





ARCHITECTURE

LeopardFlower (LPFW) utilizes a facility provided by netfilter whereby all outgoing and incoming packets which initiate a new connection are delivered to LPFW for a decision on whether to drop them or accept them. LPFW sets up a rule with iptables similar to
iptables -A OUTPUT -j NFQUEUE --queue-num 11220
and installs a callback (using libnetfilter_queue) which is notified whenever a packet hits the NFQUEUE (NFQ). The fact that LPFW doesn't need to process every single packet but only those which initiate new connections significantly decreases LPFW's CPU consumption.

Upon start up, LPFW reads a rules file (if any was created in the previous session) which contains internet access permissions per application. Based upon these rules, whenever a new packet hits NFQ, LPFW decides whether to allow or deny internet access, or whether to ask the user what to do if no rule for the application in question has yet been defined.

In order to establish a correlation between a packet which hit NFQ and the application which sent it, LPFW does the following:
1. For an outgoing packet, extract the source port (for an incoming packet, extract the destination port) and look it up in /proc/net/tcp to see which socket corresponds to the port.
2. Having found the socket, scan /proc/<PID>/fd to see which process owns the socket.
3. Finally, extract the application name from /proc/<PID>/exe.

LPFW sets a unique netfilter mark on all connections of a specific app. This enables LPFW to instantly halt all of an app's internet activity if the user chooses so. In order to set such a netfilter mark, LPFW uses the libnetfilter_conntrack library.

On a related note:
I'm still searching for a linux analogue to the Proxomitron (for browser-agnostic, on-the-fly, blocklist maintenance)
this --------} http://findik.sourceforge.net/d/?q=node/4 seems to be the best (only) candidate
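An added example (not part of the README or of LPFW itself) of the headless-mode rules file format quoted above: it parses /etc/lpfw.rules-style blocks and applies the size and sha512 check before honouring a verdict, which is what ties a rule to one specific binary rather than to a path that could later be overwritten. The sample executable bytes, the rule text and the function names are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an executable; its size and sha512 go into the
# sample rules below, so the digest is computed here, not copied from the page.
SAMPLE_EXE = b"\x7fELF constructed stand-in for a binary\n" * 3
_SIZE, _DIGEST = len(SAMPLE_EXE), hashlib.sha512(SAMPLE_EXE).hexdigest()

# Two blocks in the /etc/lpfw.rules layout described in the README
# (path, verdict, size, sha512, optional flags, then a blank line).
SAMPLE_RULES = (
    f"/usr/bin/wget\nALLOW ALWAYS\n{_SIZE}\n{_DIGEST}\n[CPUHOG]\n\n"
    f"/opt/untrusted/tool\nDENY ALWAYS\n{_SIZE}\n{_DIGEST}\n"
)

@dataclass
class Rule:
    path: str
    verdict: str                                      # "ALLOW ALWAYS" / "DENY ALWAYS"
    size: int                                         # executable size in bytes
    sha512: str                                       # hex digest, 128 chars
    options: List[str] = field(default_factory=list)  # e.g. ["[CPUHOG]"]

def parse_rules(text: str) -> Dict[str, Rule]:
    """Split on blank lines; reject blocks that lack the four mandatory lines."""
    rules: Dict[str, Rule] = {}
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            raise ValueError(f"malformed rule block: {lines!r}")
        path, verdict, size, digest, *opts = lines
        if verdict not in ("ALLOW ALWAYS", "DENY ALWAYS"):
            raise ValueError(f"unknown verdict {verdict!r} for {path}")
        if len(digest) != 128 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"bad sha512 for {path}")
        rules[path] = Rule(path, verdict, int(size), digest, opts)
    return rules

def verdict_for(rules: Dict[str, Rule], path: str, exe_bytes: bytes) -> str:
    """Return ALLOW, DENY or ASK. The size check is a cheap pre-filter before the
    sha512; either mismatch means the binary changed, so the rule no longer applies."""
    rule = rules.get(path)
    if rule is None or len(exe_bytes) != rule.size:
        return "ASK"
    if hashlib.sha512(exe_bytes).hexdigest() != rule.sha512:
        return "ASK"
    return rule.verdict.split()[0]
```

On a live host the bytes handed to verdict_for would be read from the path the daemon resolved via /proc/<PID>/exe, so a replaced or trojaned binary falls back to ASK instead of inheriting the old ALLOW.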
 
  
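The three-step port-to-application correlation from the ARCHITECTURE section, as an added example that is not LPFW's own code: it decodes the hex address column of a constructed /proc/net/tcp snapshot to map a local port to a socket inode, then walks the live /proc/<PID>/fd and /proc/<PID>/exe entries. The sample table and the function names are my own assumptions.

```python
import os
import socket
import struct
from typing import Optional, Tuple

# Constructed stand-in for /proc/net/tcp (not captured from a real host):
# a listener on 127.0.0.1:22 and an established connection from 10.0.2.15.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3E4 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22): the kernel prints the IPv4 address
    as little-endian hex and the port as plain big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def port_to_inode(proc_net_tcp: str, local_port: int) -> Optional[int]:
    """Step 1: find the socket inode bound to local_port (a packet's source port)."""
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if decode_addr(fields[1])[1] == local_port:
            return int(fields[9])                       # inode column
    return None

def inode_to_process(inode: int, proc_root: str = "/proc") -> Optional[Tuple[int, str]]:
    """Steps 2 and 3: scan /proc/<PID>/fd for a 'socket:[inode]' link, then
    resolve /proc/<PID>/exe. Needs root to read other users' fd tables, and
    the lookup is racy: a process can exit (or re-exec) between the two reads."""
    target = f"socket:[{inode}]"
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            for fd in os.listdir(os.path.join(pid_dir, "fd")):
                if os.readlink(os.path.join(pid_dir, "fd", fd)) == target:
                    return int(entry), os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue                                    # gone, or not ours
    return None
```

On a running Linux host the chain is inode_to_process(port_to_inode(open("/proc/net/tcp").read(), port)); an inode of 0 in the table means the socket is already being torn down and cannot be attributed.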