Linux - Software This forum is for Software issues.
03-30-2014, 06:07 AM, post #1
LQ Newbie
Registered: Oct 2006
Posts: 21
Recommendation for an Application Firewall (open source or commercial)
Hi all,
Can anyone recommend an application firewall with a GUI?
Mandatory features: query the user on first occurrence, and built-in configurations for known software.
Under Windows the Symantec Firewall has built-in rules for known applications. In addition, I have it configured so that anything new that attempts to access the internet has to be approved first. This way I caught some trojans on my computer.
This, for me, is a serious hurdle to switching to Linux.
My new PC will be arriving next week, and I would really like to start using Linux on my home PCs regularly.
Can anyone recommend such a firewall?
Thanks,
Gaby
Last edited by gabyz; 03-30-2014 at 06:07 AM.
Reason: firewall, application

03-30-2014, 09:09 PM, post #2
LQ Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,661
Note that the Linux kernel has built-in firewall capability called iptables.
The firewall is not something you have to add. Whether or not firewall capability is turned on at install depends on the distro.
Linux firewall programs, both command line and GUI, are generally front-ends for configuring iptables--they are not firewalls in the sense that Zone Alarm is--a completely stand-alone program. For ease of GUI use, I would recommend gufw. It's in most distros' repositories.
As for the "query user on first occurrence," that's not something I've seen with Linux, though I am not a firewall expert, just a user. Linux firewalls focus on ports and services, not on websites.
Note that viruses and trojans are not the problem on Linux that they are in Windows. There are currently no active Linux viruses in the wild. There is malware that targets Linux, but it depends primarily on "social engineering" (that is, fooling users into installing something they shouldn't). Many experienced Linux users do not even run an antivirus program (I'm an exception, because I trust no one, no one, I tell you, no one!).
About dot com has a good article about security and Linux: http://linux.about.com/od/lna_guide/a/gdelna72.htm
Hope this helps.
Last edited by frankbell; 03-30-2014 at 09:17 PM.
1 members found this post helpful.

03-31-2014, 01:32 PM, post #3
LQ Newbie
Registered: Oct 2006
Posts: 21
Original Poster
Thanks for your reply.
Quote:
fooling users into installing something they shouldn't
This is exactly what I'm talking about. Most malware without an internet connection is sort of harmless IMO (unless it ruins your HD or HW). And this is what I'm talking about. Such malware's presence will be made noticeable immediately if a firewall, e.g. Symantec, was running and capturing anything trying to access the net.
I've read about iptables. I'm looking for an application firewall. I don't want to close/open ports without a specific assignment to an application. If for example a web browser uses remote TCP port 80, I'll keep it open only for the browsers I'm using. If another application tries to access remote port 80, it will not get access.
I'm familiar with the Linux concept: don't need AV/FW.
Personally, I've been using FW since '98 in Windows.
I find it real strange that there are no active FW in Linux. Linux is gaining serious popularity and with it the same problems as Win will come. I think it's stupid to react instead of applying preemptive measures.
If you hear of anything, I'd appreciate the heads up.
Gaby

03-31-2014, 03:37 PM, post #4
Member
Registered: May 2013
Posts: 89
AppArmor has e.g.:
Code:
network inet stream,
To control whether a program can use the network.
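As an added, constructed example (not from this thread and not from the AppArmor project), here is a minimal profile for a hypothetical /usr/bin/example-app that grants it the files it needs but no network access at all, with the rule quoted above shown as the way to re-allow TCP only. The program name, paths and profile file name are assumptions, and the network part takes effect only on a kernel with AppArmor network mediation.

```apparmor
# Constructed example profile for a hypothetical /usr/bin/example-app;
# it would live at /etc/apparmor.d/usr.bin.example-app (assumed path).
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  # Files the program legitimately needs: its own binary, its config,
  # and a per-user settings directory it owns.
  /usr/bin/example-app mr,
  /etc/example-app/** r,
  owner @{HOME}/.config/example-app/** rw,

  # Egress control: there is no permitting "network" rule, so in enforce
  # mode every socket the program tries to create is refused. "audit deny"
  # additionally writes the refusal to the kernel log as an apparmor="DENIED"
  # line (a bare "deny" rule is silent), which gives the "tell me when
  # something tries to reach the net" behaviour this thread asks for,
  # minus the interactive prompt.
  audit deny network,

  # To allow only TCP over IPv4 and IPv6, replace the line above with:
  #   network inet stream,
  #   network inet6 stream,
}
```

Load it with apparmor_parser -r and switch it on with aa-enforce; running it under aa-complain first logs what the program would have been blocked from doing without actually blocking it.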

03-31-2014, 03:41 PM, post #5
LQ Newbie
Registered: Oct 2006
Posts: 21
Original Poster
brebs,
It will not capture a program that is not configured when it accesses the internet.

03-31-2014, 03:54 PM, post #6
Member
Registered: May 2013
Posts: 89
Correct.
However, your plan falls down when the bad guys get tricky and *amend* a previously-marked-as-trusted-by-you program to send out the data from
I do recommend you investigate AppArmor. If that fails to satisfy, try SELinux.

03-31-2014, 05:12 PM, post #7
Moderator
Registered: Mar 2008
Posts: 22,176
Wonder if something like Untangle might work?

03-31-2014, 05:34 PM, post #8
Member
Registered: Jun 2012
Distribution: Slackware
Posts: 441
Quote:
Originally Posted by gabyz
Most malware without internet connection is sort of harmless (...) Such malware presence will be made noticeable immediately if a firewall e.g. $yman7ec was running and capturing anything trying to access the net.
While I understand your point, it seems to me that you are considering the problem from a genuine wind0w$-user perspective. While there still might be issues, with a GNU/Linux operating system you don't have to deal with a sort of odd-behaving entity, which tries all the time to elude your control and to sneak out through the network, maybe with your data in its pockets. You don't have browsers that navigate on their own, or a little zoo of worms, trojans and backdoors fighting against each other, trying to be the first one to go outside. Honest distributions will not include malware and untrusted software. Of course you are free to do it yourself, but it is your decision, and you take the risk consciously.
Quote:
Linux is gaining serious popularity and with it the same problems as Win will come.
They will not, at least not the way you think, because GNU/Linux systems are different, and you have the control. If you don't like or don't trust a program, don't use it, uninstall it and it won't leave anything harmful on your system. If you like the program, but you want it to behave differently, then configure it accordingly. If you really need to, or you are paranoid, then tell your preferred applications and daemons to use unconventional ports, and use iptables to close everything else that is not needed, in- and outwards. One might also point you to network monitoring tools, and so on.
It seems that there are a few GNU/Linux distributions out there that are actually trying to become more wind0w$ than wind0w$ itself. The point is, when "user-friendliness" entails "I can't understand what's happening even if I want to", then you might be in the wrong place. For these reasons I would not choose a hypothetical distribution for its "user-friendliness", "point-and-click" and "GUI-all-the-time" claims.
Last edited by Philip Lacroix; 03-31-2014 at 06:11 PM.
Reason: a few edits and adds

03-31-2014, 06:12 PM, post #9
Senior Member
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337
gabyz - You are thinking "like Windows". Trying to apply a Windows security model to Linux doesn't gain you anything. Consider this, when you think of Symantec's Windows firewall as having rules for different application network access, what it really is doing is poking holes in the firewall to let "exceptions" in and out. In your scenario, these exceptions are programs it "trusts". Or more technically correct, programs it "thinks it trusts", which can be fooled as brebs has already said in one of his responses. So what Symantec is doing for you in Windows is providing a swiss-cheese firewall - a bunch of holes have been poked in it for all these exceptions. That is not the epitome of security.
Quote:
Originally Posted by gabyz
This way I caught some trojans on my computer.
You are assuming that "trojans on your computer" are a given. In Windows, possibly so, but in Linux, not so much. You have to change the way you are thinking. How did you get those trojans on your Windows computer in the first place? Symantec didn't protect you from that, now did it? What if one of your trojans happened to be a disk-destroying trojan, not a network-accessing trojan? How would Symantec's swiss-cheese firewall have helped you there?
Quote:
Originally Posted by gabyz
Linux is gaining serious popularity and with it the same problems as Win will come.
You are "thinking Windows" again. Just because Windows is a security nightmare does not mean that other operating systems are. And Windows users switching to Linux are not going to cause that to change. Sure, if you don't know what you are doing and don't bother to learn, you can easily compromise your new Linux system. However, just because ex-Windows users have decided that now is a good time to switch to Linux due to XP going out of support, does not mean that Linux will magically become the security nightmare that they are used to from their previous OS choice. You will "see the light" soon enough. In the meantime, it is a waste of time to try to "make Linux just like Windows". Believe me, if Linux would benefit from having a Symantec style swiss-cheese firewall, somebody would have built that by now.
1 members found this post helpful.

03-31-2014, 09:19 PM, post #10
LQ Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,661
I mentioned the possibility of social engineering only because this has been in the news lately, so I felt the possibility should be mentioned.
In the real world of day-to-day home computing with Linux, the closest you are likely to come to "social engineering" malware is the Nigerian email scam or one of those phony Windows web virus scanners that pretends to find viruses so as to convince you to install malware masquerading as an AV. It's quite entertaining to watch one of those pretend to scan the C:\ drive, which doesn't exist in a Linux file structure, and report gazillions of baddies which also don't exist.

04-01-2014, 12:30 AM, post #11
LQ Newbie
Registered: Oct 2006
Posts: 21
Original Poster
brebs,
Quote:
bad guys get tricky and *amend* a
Symantec for example checks the signature of the program before allowing it access.
Philip,
Quote:
You don't have browsers that navigate on their own
Yet!

04-01-2014, 01:59 AM, post #12
LQ Newbie
Registered: Oct 2006
Posts: 21
Original Poster
hertig,
Quote:
if Linux would benefit from having a Symantec style swiss-cheese firewall, somebody would have built that by now.
I agree. And this is what puzzles me. Apparently I don't understand. Don't get hooked to the Symantec example.
Quote:
What if one of your trojans happened to be a disk-destroying trojan
This is what an AV is for, and if it was -- can't be helped.
Quote:
Symantec style swiss-cheese firewall
Can you please explain the difference between Windows FW e.g. Symantec and a Linux one? Can you point me to a tutorial on the subject?
I don't understand the swiss-cheese. With Symantec I have nothing goes in nor out until I explicitly approve the process[+process signature]-[remote/local]port-[remote/local]IP-[in/out] combination. Hacking the process most likely will not work since it will change its signature.
frankbell, hertig,
The trojan I caught entered via a flash drive that was connected to an (apparently) infested work laptop.
The weakest point is always the user.
And I'm an aware user. But my home computer will also be used by less aware users.
A user running a web browser that enters a site with malware, according to my understanding, cannot destroy the system, but can still destroy his own data.
How about new applications? You can always try them in a VM and then decide whether to install. It's a bit tedious, isn't it? If they are open source, most likely they have already been vetted. But what about commercial ones?
I know that I have much to learn, and I will learn. First on my list is AppArmor.
Can anyone point to a newbies' tutorial on Linux firewall principles and how to use AppArmor?
I think that our discussion doesn't start from the same assumptions (most likely, if not definitely, mine are incorrect). I'll try to list my understandings and what I'm aiming for.
1. A non-root user cannot harm the system, but can still harm his own data.
2. Browsing to a malware-infested site or installing a user-local application (is this at all possible?) can potentially harm the user's data, or fish out his information. Can I prevent it from accessing the internet? (Naturally, rules must be applied prior to installation.)
3. If I run a Win application under Wine, how can I prevent it from accessing the internet? Keep in mind that it may have several processes and I may not be aware of all of them.
4. If I run a Linux application (installed as root), how can I prevent it from accessing the internet? Again, I may not be aware of all the daemons it installed. Again, rules must be applied prior to installation.
Thank you for the help.

04-01-2014, 10:47 AM, post #13
Member
Registered: Jun 2012
Distribution: Slackware
Posts: 441
Quote:
Originally Posted by gabyz
Can you please explain the difference between Windows FW e.g. Symantec and a Linux one? Can you point me to a tutorial on the subject? (...) Can anyone point to a newbies tutorial on Linux Firewall principals and how to use Apparmor? (...) the trojan I caught entered via flash drive (...)
You have been given names and even links, so I guess that I would read that material first. Besides, a quick Google search will give you other results about the mentioned topics. That said, application-layer filtering may be needed in some particular cases; however, it doesn't make much sense to insist on spreading FUD about how Linux systems might, one day, become sort of informatical zombies, interacting with (hypothetical) "malware-infested" web sites. If you like $ymantec's approach, then boost your hardware and go with the latest redmond product. However, some of us have already suggested that you switch your forma mentis, instead of improperly applying wind0w$ categories to Unix-like systems. That's why some reading will help.
Quote:
1. A non-root user cannot harm the system, but can still harm his own data.
As root I can wipe out my own HD partitions and data if I want. As a normal user I can wipe out my own documents. No application-layer-something will prevent that, and that's why one should have working backups.
Quote:
2. Browsing to a malware-infested site or installing a user-local application (is this at all possible?) can potentially harm the user's data, or fish out his information. Can I prevent it from accessing the internet?
3. If I run a Win application under Wine, how can I prevent it from accessing the internet?
I don't understand the "malware infested" thing. Disable java and javascript. Regarding harmful applications, it should be your responsibility (as the sysadmin of your own machine) to check if the application you want to install can be trusted or not. If it cannot be trusted, then you should not install it, as relying on application-layer firewalls while deliberately installing malicious software would not be, in my humble opinion, the best approach to the problem.
Quote:
4. If I run a Linux application (install as root), how can I prevent it from accessing the internet?
Configure it appropriately. If you can't do that, and if you don't like what it does, well, personally I wouldn't use it. If you want to use it anyway, even if you don't trust it, then the responsibility is yours. Examine one of the possible solutions exposed by other members, document yourself, then please inform us of the results.
A few other interesting sources:
The Linux Documentation Project
Introduction to Linux - A Hands on Guide
The Linux System Administrators' Guide
Securing & Optimizing Linux: The Ultimate Solution (PDF)
The Linux Network Administrator's Guide, Second Edition
Last edited by Philip Lacroix; 04-01-2014 at 05:28 PM.
Reason: other sources added

04-01-2014, 09:28 PM, post #14
LQ Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,661
Also, remember that almost all viruses and Trojans--especially the kind that can be transmitted from a USB stick--are written to run on Windows, partly because Windows has historically been an easy target and partly because it has ginormous market share.
Windows programs will not run on Linux.

04-02-2014, 01:36 AM, post #15
Member
Registered: May 2013
Posts: 89
Quote:
Originally Posted by gabyz
Symantec for example checks the signature of the program before allowing it access.
The "signature" of my files probably changes every time I compile them with a slightly updated gcc.
You're falling for the PR of the anti-virus companies, who need to sell their product despite it not helping much.