LinuxQuestions.org
Old 03-30-2014, 05:07 AM   #1
gabyz
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Recommendation for an Application Firewall (open source or commercial)


Hi all,
Can anyone recommend an application firewall with a GUI?
Mandatory features: query the user on first occurrence, and built-in configurations for known software.
Under windows the Symantec Firewall has built in rules for known applications. In addition, I have it configured that anything new that attempts to access the internet has to be approved first. This way I caught some trojans on my computer.
This, for me, is a serious hurdle to switching to Linux.
My new PC will be arriving next week, and I would really like to start using Linux on my home PCs regularly.

Can anyone recommend such a firewall?

thanks
Gaby

Last edited by gabyz; 03-30-2014 at 05:07 AM. Reason: firewall, application
 
Old 03-30-2014, 08:09 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 9,391
Blog Entries: 4

Note that the Linux kernel has built-in firewall capability called iptables.

The firewall is not something you have to add. Whether or not firewall capability is turned on at install depends on the distro.

Linux firewall programs, both command line and GUI, are generally front-ends for configuring iptables--they are not firewalls in the sense that Zone Alarm is--a completely stand-alone program. For ease of GUI use, I would recommend gufw. It's in most distros' repositories.

As for the "query user on first occurrence," that's not something I've seen with Linux, though I am not a firewall expert, just a user. Linux firewalls focus on ports and services, not on websites.

Note that viruses and trojans are not the problem on Linux that they are in Windows. There are currently no active Linux viruses in the wild. There is malware that targets Linux, but it depends primarily on "social engineering" (that is, fooling users into installing something they shouldn't). Many experienced Linux users do not even run an antivirus program (I'm an exception, because I trust no one, no one, I tell you, no one!).

About dot com has a good article about security and Linux: http://linux.about.com/od/lna_guide/a/gdelna72.htm

Hope this helps.

Last edited by frankbell; 03-30-2014 at 08:17 PM.
 
Old 03-31-2014, 12:32 PM   #3
gabyz
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
Thanks for your reply.
Quote:
fooling users into installing something they shouldn't
This is exactly what I'm talking about. Most malware without an internet connection is sort of harmless IMO (unless they ruin your HD or HW). And this is what I'm talking about. Such malware's presence will be made noticeable immediately if a firewall, e.g. Symantec, was running and capturing anything trying to access the net.

I've read about iptables. I'm looking for an application firewall. I don't want to close/open ports without a specific assignment to an application. If for example a web browser uses remote TCP port 80, I'll keep it open only for the browsers I'm using. If another application tries to access remote port 80, it will not get access.

I'm familiar with the Linux concept: don't need AV/FW.
Personally, I've been using FW since '98 in Windows.

I find it really strange that there are no active FWs in Linux. Linux is gaining serious popularity and with it the same problems as Win will come. I think it's stupid to react instead of applying preemptive measures.

If you hear of anything, I'd appreciate the heads up.

Gaby
 
Old 03-31-2014, 02:37 PM   #4
brebs
Member
 
Registered: May 2013
Posts: 61

AppArmor has e.g.:

Code:
network inet stream,
To control whether a program can use the network.
 
Old 03-31-2014, 02:41 PM   #5
gabyz
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
brebs,
It will not capture a program that is not configured when it accesses the internet.
 
Old 03-31-2014, 02:54 PM   #6
brebs
Member
 
Registered: May 2013
Posts: 61

Correct.

However, your plan falls down when the bad guys get tricky and *amend* a previously-marked-as-trusted-by-you program to send out the data from

I do recommend you investigate AppArmor. If that fails to satisfy, try SELinux.
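The `network inet stream,` rule in post #4 is the allow side; the same mechanism can do the part of the OP's requirement that AppArmor actually supports, namely noticing the attempt. The script below is an added example (it is not code from this thread or from the AppArmor project) that writes a profile for a hypothetical binary /usr/local/bin/untrusted-app with all network access denied. A plain `deny` rule is silent, but `audit deny` writes an apparmor="DENIED" line to the kernel log for every blocked attempt, so `journalctl -k` shows you when the program tried to get out. There is no interactive "ask on first use" prompt; the nearest thing is putting the profile in complain mode with aa-complain, using the program, and letting aa-logprof turn the logged accesses into rules. The binary path, profile name and cache directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or from the AppArmor project.
# Confines a hypothetical binary with a profile that denies all network access
# and logs every attempt. Assumed names: /usr/local/bin/untrusted-app and its
# cache directory; change both for a real program.
set -eu

# Write a no-network profile for BIN into DIR; print the profile path.
write_no_network_profile() {
    bin="$1"; dir="$2"
    # Profile files are conventionally named after the path with '/' -> '.'
    name=$(printf '%s' "$bin" | sed 's#^/##; s#/#.#g')
    out="$dir/$name"
    cat > "$out" <<EOF
# Example profile: every network access is blocked and audited.
#include <tunables/global>

$bin {
  #include <abstractions/base>

  # 'deny' alone is silent; 'audit deny' also writes an apparmor="DENIED"
  # line to the kernel log (journalctl -k, or audit.log when auditd runs),
  # which is the closest AppArmor gets to "tell me when it tries".
  audit deny network,

  # The program itself and shared libraries, read + mmap only.
  $bin mr,
  /usr/lib/** mr,
  # Scratch space only under the launching user's home (assumed path).
  owner @{HOME}/.cache/untrusted-app/** rw,
}
EOF
    printf '%s\n' "$out"
}

# Load the profile in enforce mode when we can; otherwise say what to run.
load_profile() {
    prof="$1"
    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "apparmor_parser not installed; wrote $prof but did not load it" >&2
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; load with: sudo apparmor_parser -r $prof" >&2
        return 0
    fi
    # -r replaces a loaded profile of the same name instead of failing.
    apparmor_parser -r "$prof"
}

dir=${TMPDIR:-/tmp}/apparmor-example
mkdir -p "$dir"
profile=$(write_no_network_profile /usr/local/bin/untrusted-app "$dir")
load_profile "$profile"
```

For a real deployment the profile goes in /etc/apparmor.d/ so it is loaded at boot; `aa-status` shows whether it is in enforce or complain mode. Note that the profile only follows the binary it names: a program that is not profiled is unconfined, which is exactly the point gabyz makes in post #5.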
 
Old 03-31-2014, 04:12 PM   #7
jefro
LQ Guru
 
Registered: Mar 2008
Posts: 13,345

Wonder if something like Untangle might work?
 
Old 03-31-2014, 04:34 PM   #8
Philip Lacroix
Member
 
Registered: Jun 2012
Posts: 276

Quote:
Originally Posted by gabyz
Most malware without internet connection is sort of harmless (...) Such malware presence will be made noticeable immediately if a firewall e.g. $yman7ec was running and capturing anything trying to access the net.
While I understand your point, it seems to me that you are considering the problem from a genuine wind0w$-user perspective. While there still might be issues, with a GNU/Linux operating system you don't have to deal with a sort of odd-behaving entity, which tries all the time to elude your control and to sneak out through the network, maybe with your data in its pockets. You don't have browsers that navigate on their own, or a little zoo of worms, trojans and backdoors fighting against each other, trying to be the first one to go outside. Honest distributions will not include malware and untrusted software. Of course you are free to do it yourself, but it is your decision, and you take the risk consciously.

Quote:
Linux is gaining serious popularity and with it the same problems as Win will come.
They will not, at least not the way you think, because GNU/Linux systems are different, and you have the control. If you don't like or don't trust a program, don't use it, uninstall it and it won't leave anything harmful on your system. If you like the program, but you want it to behave differently, then configure it accordingly. If you really need to, or you are paranoid, then tell your preferred applications and daemons to use unconventional ports, and use iptables to close everything else that is not needed, in- and outwards. One might also point you to network monitoring tools, and so on.

It seems that there are a few GNU/Linux distributions out there that are actually trying to become more wind0w$ than wind0w$ itself. The point is, when "user-friendliness" entails "I can't understand what's happening even if I want to", then you might be in the wrong place. For these reasons I would not choose a hypothetical distribution for its "user-friendliness", "point-and-click" and "GUI-all-the-time" claims.

Last edited by Philip Lacroix; 03-31-2014 at 05:11 PM. Reason: a few edits and adds
 
Old 03-31-2014, 05:12 PM   #9
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,068

gabyz - You are thinking "like Windows". Trying to apply a Windows security model to Linux doesn't gain you anything. Consider this, when you think of Symantec's Windows firewall as having rules for different application network access, what it really is doing is poking holes in the firewall to let "exceptions" in and out. In your scenario, these exceptions are programs it "trusts". Or more technically correct, programs it "thinks it trusts", which can be fooled as brebs has already said in one of his responses. So what Symantec is doing for you in Windows is providing a swiss-cheese firewall - a bunch of holes have been poked in it for all these exceptions. That is not the epitome of security.

Quote:
Originally Posted by gabyz
This way I caught some trojans on my computer.
You are assuming that "trojans on your computer" are a given. In Windows, possibly so, but in Linux, not so much. You have to change the way you are thinking. How did you get those trojans on your Windows computer in the first place? Symantec didn't protect you from that, now did it? What if one of your trojans happened to be a disk-destroying trojan, not a network-accessing trojan? How would Symantec's swiss-cheese firewall have helped you there?

Quote:
Originally Posted by gabyz
Linux is gaining serious popularity and with it the same problems as Win will come.
You are "thinking Windows" again. Just because Windows is a security nightmare does not mean that other operating systems are. And Windows users switching to Linux are not going to cause that to change. Sure, if you don't know what you are doing and don't bother to learn, you can easily compromise your new Linux system. However, just because ex-Windows users have decided that now is a good time to switch to Linux due to XP going out of support, does not mean that Linux will magically become the security nightmare that they are used to from their previous OS choice. You will "see the light" soon enough. In the meantime, it is a waste of time to try to "make Linux just like Windows". Believe me, if Linux would benefit from having a Symantec style swiss-cheese firewall, somebody would have built that by now.
 
Old 03-31-2014, 08:19 PM   #10
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 9,391
Blog Entries: 4

I mentioned the possibility of social engineering only because this has been in the news lately, so I felt the possibility should be mentioned.

In the real world of day-to-day home computing with Linux, the closest you are likely to come to "social engineering" malware is the Nigerian email scam or one of those phony Windows web virus scanners that pretends to find viruses so as to convince you to install malware masquerading as an AV. It's quite entertaining to watch one of those pretend to scan the C:\ drive, which doesn't exist in a Linux file structure, and report gazillions of baddies which also don't exist.
 
Old 03-31-2014, 11:30 PM   #11
gabyz
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
brebs,
Quote:
bad guys get tricky and *amend* a
Symantec for example checks the signature of the program before allowing it access.

Philip,
Quote:
You don't have browsers that navigate on their own
Yet!
 
Old 04-01-2014, 12:59 AM   #12
gabyz
LQ Newbie
 
Registered: Oct 2006
Posts: 21

Original Poster
haertig,
Quote:
if Linux would benefit from having a Symantec style swiss-cheese firewall, somebody would have built that by now.
I agree. And this is what puzzles me. Apparently I don't understand. Don't get hooked to the Symantec example.
Quote:
What if one of your trojans happened to be a disk-destroying trojan
This is what an AV is for, and if it was -- can't be helped.
Quote:
Symantec style swiss-cheese firewall
Can you please explain the difference between Windows FW e.g. Symantec and a Linux one? Can you point me to a tutorial on the subject?
I don't understand the swiss-cheese. With Symantec I have nothing goes in nor out until I explicitly approve the process[+process signature]-[remote/local]port-[remote/local]IP-[in/out] combination. Hacking the process most likely will not work since it will change its signature.

frankbell, haertig,
The trojan I caught entered via a flash drive that was connected to an (apparently) infested work laptop.
The weakest point is always the user.
And I'm an aware user. But my home computer will also be used by less aware users.
A user running a web browser that enters a site with malware, according to my understanding, cannot destroy the system, but can still destroy his own data.
How about new applications? You can always try them in a VM system and then decide whether to install. It's a bit tedious, isn't it? If they are open source, most likely they have already been vetted. But what about commercial ones?

I know that I have much to learn, and I will learn. First on my list is AppArmor.
Can anyone point to a newbies' tutorial on Linux firewall principles and how to use AppArmor?

I think that our discussion doesn't start from the same assumptions (most likely, if not definitely, mine are incorrect). I'll try list my understandings and what I'm aiming for.
1. A non-root user cannot harm the system, but can still harm his own data.
2. Browsing to a malware-infested site or installing a user-local application (is this at all possible?) can potentially harm the user's data, or fish out his information. Can I prevent it from accessing the internet? (Naturally, rules must be applied prior to installation.)
3. If I run a Win application under Wine, how can I prevent it from accessing the internet? Keep in mind that it may have several processes and I may not be aware of all of them.
4. If I run a Linux application (installed as root), how can I prevent it from accessing the internet? Again, I may not be aware of all the daemons it installed. Again, rules must be applied prior to installation.

Thank you for the help.
 
Old 04-01-2014, 09:47 AM   #13
Philip Lacroix
Member
 
Registered: Jun 2012
Posts: 276

Quote:
Originally Posted by gabyz
Can you please explain the difference between Windows FW e.g. Symantec and a Linux one? Can you point me to a tutorial on the subject? (...) Can anyone point to a newbies tutorial on Linux Firewall principals and how to use Apparmor? (...) the trojan I caught entered via flash drive (...)
You have been given names and even links, so I guess that I would read that material first. Besides, a quick google search will give you other results about the mentioned topics. That said, application-layer filtering may be needed in some particular cases, however it doesn't make much sense to insist on spreading FUD about how Linux systems might, one day, become sort of informatical zombies, interacting with (hypothetical) "malware-infested" web sites. If you like $ymantec's approach, then boost your hardware and go with the latest redmond product. However, some of us have already suggested that you switch your forma mentis, instead of improperly applying wind0w$ categories to Unix-like systems. That's why some reading will help.

Quote:
1. A non-root user cannot harm the system, but can still harm his own data.
As root I can wipe out my own HD partitions and data if I want. As a normal user I can wipe out my own documents. No application-layer-something will prevent that, and that's why one should have working backups.

Quote:
2. Browsing to a malware-infested site or installing a user-local application (is this at all possible?) can potentially harm the user's data, or fish out his information. Can I prevent it from accessing the internet?
3. If I run a Win application under Wine, how can I prevent it from accessing the internet?
I don't understand the "malware infested" thing. Disable java and javascript. Regarding harmful applications, it should be your responsibility (as the sysadmin of your own machine) to check if the application you want to install can be trusted or not. If it cannot be trusted, then you should not install it, as relying on application-layer firewalls while deliberately installing malicious software would not be, in my humble opinion, the best approach to the problem.

Quote:
4. If I run a Linux application (install as root), how can I prevent it from accessing the internet?
Configure it appropriately. If you can't do that, and if you don't like what it does, well, personally I wouldn't use it. If you want to use it anyway, even if you don't trust it, then the responsibility is yours. Examine one of the possible solutions exposed by other members, document yourself, then please inform us of the results.

A few other interesting sources:
The Linux Documentation Project
Introduction to Linux - A Hands on Guide
The Linux System Administrators' Guide
Securing & Optimizing Linux: The Ultimate Solution (PDF)
The Linux Network Administrator's Guide, Second Edition

Last edited by Philip Lacroix; 04-01-2014 at 04:28 PM. Reason: other sources added
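Philip's advice in post #8 to "use iptables to close everything else that is not needed, in- and outwards", and gabyz's questions 2 to 4 in post #12, can be made concrete. iptables cannot match on the executable (the old `--cmd-owner` option of the owner match was removed in kernel 2.6.14), but the owner match in the OUTPUT chain does match the UID of the process that sent the packet. So if each network-facing program is started under its own dedicated user (for example `sudo -u browser firefox`), you get per-application egress rules, and a LOG rule with `--log-uid` records which UID tried to get out and was not on the list, visible in `journalctl -k`. A Windows program under Wine runs as whichever user launched Wine, so it is covered by the same rule, child processes included. The script below is an added example, not code from this thread; the UIDs 1001 (browser user) and 1002 (mail client user) and the port lists are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Per-application egress control
# via the iptables 'owner' match: each network program is started under its
# own dedicated UID and only that UID may open the ports it needs; every
# other outbound attempt is logged (with its UID) and rejected.
# Assumed values: UID 1001 = browser user, UID 1002 = mail client user.
set -eu

# Emit an iptables-restore ruleset to OUTFILE.
# usage: write_egress_rules OUTFILE uid:port[,port...] ...
write_egress_rules() {
    out="$1"; shift
    {
        printf '%s\n' '*filter'
        # Default policy: nothing leaves unless a rule below allows it.
        printf '%s\n' ':OUTPUT DROP [0:0]'
        printf '%s\n' ':EGRESS_LOG - [0:0]'
        printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
        # Replies on connections that were already allowed.
        printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        # DNS for everyone: a deliberate hole, and a known exfiltration channel.
        printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
        for spec in "$@"; do
            uid=${spec%%:*}; ports=${spec#*:}
            printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -p tcp -m multiport --dports $ports -j ACCEPT"
        done
        printf '%s\n' '-A OUTPUT -j EGRESS_LOG'
        # --log-uid records which UID tried; the limit keeps a noisy program
        # from flooding the kernel log.
        printf '%s\n' '-A EGRESS_LOG -m limit --limit 5/min -j LOG --log-prefix "EGRESS-BLOCKED: " --log-uid'
        printf '%s\n' '-A EGRESS_LOG -j REJECT --reject-with icmp-admin-prohibited'
        printf '%s\n' 'COMMIT'
    } > "$out"
}

# Parse-check, then load, when iptables is present and we are root.
apply_rules() {
    f="$1"
    if ! command -v iptables-restore >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "ruleset written to $f; load as root with: iptables-restore < $f" >&2
        return 0
    fi
    iptables-restore --test "$f" && iptables-restore "$f"
}

rules=${TMPDIR:-/tmp}/egress.rules
# Browser user may reach HTTP/HTTPS, mail user may reach IMAPS/submission.
write_egress_rules "$rules" 1001:80,443 1002:993,587
apply_rules "$rules"
```

Two caveats a practitioner should keep in mind. A daemon running as root is rejected like anything else not on the list, but root can also rewrite the rules, so this is not a boundary against hostile code that already has root; for a program you do not trust at all, start it in an empty network namespace (`unshare -n`) or confine it with AppArmor. And because the match is on UID rather than on the binary, anything else that runs as the browser user, including something the browser was tricked into launching, inherits the browser's allowance, which is brebs' point in post #6 in a different form.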
 
Old 04-01-2014, 08:28 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 9,391
Blog Entries: 4

Also, remember that almost all viruses and Trojans--especially the kind that can be transmitted from a USB stick--are written to run on Windows, partly because Windows has historically been an easy target and partly because it has ginormous market share.

Windows programs will not run on Linux.
 
Old 04-02-2014, 12:36 AM   #15
brebs
Member
 
Registered: May 2013
Posts: 61

Quote:
Originally Posted by gabyz
Symantec for example checks the signature of the program before allowing it access.
The "signature" of my files probably changes every time I compile them, with a slightly updated gcc.

You're falling for the PR of the anti-virus companies, who need to sell their product, despite it not helping much.
 
  

