LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 04-03-2014, 01:39 AM   #16
gabyz (Original Poster)
Philip,
Thanks for pointing out that there are links above. I missed that.
The MS!=LNX blog was hilarious and very good in explaining that MS concepts need to be dropped and some ways of thinking need to be yanked.
I also read through Chapter 9 - Linux Firewall. Apart from the mechanics of the configuration, the packet processing rules were quite familiar to me.

brebs,
This is exactly what happens: every time I updated Chrome I was required to reconfigure the FW rules because it was recognized as a new application.

Guys,
I still have a question unanswered.
If I allow IP traffic, -d 0/0 80 (any IP destination on port 80), can I configure the firewall in such a way that only, say, Firefox and Chrome are allowed to use this rule and all other applications are denied?
 
Old 04-03-2014, 01:50 AM   #17
brebs
Quote (gabyz): every time I updated Chrome I was required to reconfigure the FW rules because it was recognized as a new application.
For me, that would be a big annoyance.

Quote (gabyz): can I configure the firewall in such a way that only say Firefox and Chrome are allowed to use this rule and all other applications are denied?
What you can do is run apps forcing a particular group or user, and then the iptables rule can use that group/user as a filter, with --uid-owner and --gid-owner.
 
Old 04-03-2014, 02:31 AM   #18
gabyz (Original Poster)
brebs,
Our needs and uses are different.

Thanks for the idea of using the user/group filter. Didn't know it existed.
I was thinking of defining an internet user for each user and then write a script that will run the browsers as the internet user.
This way even if the user goes to a malicious site, the damage is limited to the browser space, as it won't have access to the user space.
Still need to find a script that changes uid transparently. I'll solve this when I get to it.
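An added example (not code from the thread) that puts brebs' owner match and gabyz's "internet user" idea together in one script: the browser runs under a dedicated unprivileged account, and the OUTPUT chain accepts TCP to the web ports only for sockets that account owns. The account name "web", the desktop user "gaby", the chain name WEBONLY and the inclusion of port 443 next to the port 80 from the question are assumptions. By default the script only prints the iptables commands (DRY_RUN=1); applying them needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. A dedicated unprivileged account
# ("web", hypothetical) runs the browsers, and the OUTPUT chain lets only that
# account's sockets reach the web ports. Desktop user "gaby" is also assumed.

WEBUSER="${WEBUSER:-web}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root needed)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# OUTPUT-chain rules: TCP to each port is ACCEPTed only when the socket owner
# is $user; any other local process gets a TCP reset. The owner match exists
# only in the OUTPUT chain, since ownership is known just for locally
# generated packets. Matching on the uid rather than on the binary is why a
# browser update does not invalidate the rule.
owner_rules() {
    user="$1"; shift
    run iptables -N WEBONLY 2>/dev/null || true        # ignore "chain exists"
    run iptables -F WEBONLY
    for port in "$@"; do
        run iptables -A WEBONLY -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT
        run iptables -A WEBONLY -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
    run iptables -A WEBONLY -j RETURN
    run iptables -D OUTPUT -p tcp -j WEBONLY 2>/dev/null || true   # keep one jump
    run iptables -I OUTPUT -p tcp -j WEBONLY
}

# Launch a browser as $WEBUSER with its own HOME (-H), so a compromised
# browser cannot read the desktop user's files. Needs a sudoers entry like
#   gaby ALL=(web) NOPASSWD: /usr/bin/firefox, /usr/bin/google-chrome
# and X access for the other uid, granted here with xhost.
run_as_webuser() {
    run xhost +SI:localuser:"$WEBUSER"
    run sudo -u "$WEBUSER" -H env DISPLAY="${DISPLAY:-:0}" "$@"
}

case "${1:-}" in
    rules)  owner_rules "$WEBUSER" 80 443 ;;
    browse) shift; run_as_webuser "$@" ;;
    *)      echo "usage: $0 rules | browse <browser-command>" >&2 ;;
esac
```

Two caveats a practitioner should keep in mind. The owner match keys on the uid, not on the program: anything that can run as "web" (root, or the desktop user through the sudoers entry) gets the same access, while a Chrome update changes nothing because no path or hash is involved. The rules gate TCP 80/443 only; the browser still needs DNS, which these rules neither allow nor block, so add a rule for port 53 if the OUTPUT policy is DROP.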
 
Old 04-03-2014, 09:50 AM   #19
Philip Lacroix
Quote (gabyz): I still have a question un-answered. If I allow IP traffic, -d 0/0 80 (any ip destination on port 80) can I configure the firewall in such a way that only say Firefox and Chrome are allowed to use this rule and all other applications are denied?
Gaby - Turning the problem "upside-down", I obtained a possible solution by combining iptables rules, a proxy software like Squid and individual configuration of the browser I wanted to allow to the Internet. I did this by using a dedicated box for the firewall and proxy, while connecting from a separate machine on the internal net. I used iptables on the filtering box to drop everything coming to the internal interface, except hosts I wanted to allow on the port where the proxy was listening. Of course NAT rules allowing direct Internet access from the LAN were disabled. Then I configured the browser I wanted to use, by telling it to go through the proxy. This way all other applications were blocked by default. One might also restrict write permissions on configuration files, so that users will not manipulate them, and set user/group ownerships as brebs suggested. This configuration was very straightforward, but Squid has lots of options and allows for complex authentication rules which I didn't investigate, but seem interesting. I didn't check if this can be set up on a stand-alone machine as well.
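The gateway layout Philip describes, written out as an added example (not his configuration): a rule generator for the filtering box plus a minimal squid.conf. The internal interface eth1, the LAN 192.168.1.0/24, the allowed clients 192.168.1.10 and 192.168.1.11, and Squid's port 3128 are assumed values. DRY_RUN=1 (the default) prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not Philip's own configuration. Runs on the filtering box:
# drop everything arriving on the internal interface except the listed hosts
# talking to Squid, forward nothing, NAT nothing. Interface, network and port
# values below are hypothetical.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root needed)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Gateway rules. Arguments: the client hosts allowed to reach the proxy.
# With FORWARD at DROP and no masquerading, a LAN process that ignores the
# browser's proxy setting has no path out at all.
gateway_rules() {
    run iptables -P FORWARD DROP
    run iptables -t nat -F POSTROUTING        # no masquerading for the LAN
    for host in "$@"; do
        run iptables -A INPUT -i "$LAN_IF" -s "$host" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    done
    run iptables -A INPUT -i "$LAN_IF" -j DROP
}

# Minimal squid.conf: the LAN may use the proxy, everyone else is denied.
# Order matters: the first matching http_access line wins.
squid_conf() {
cat <<EOF
http_port $PROXY_PORT
acl lan src $LAN_NET
http_access allow lan
http_access deny all
EOF
}

case "${1:-}" in
    rules) shift; gateway_rules "$@" ;;
    squid) squid_conf ;;
    *)     echo "usage: $0 rules <allowed-host>... | squid" >&2 ;;
esac
```

The browser on each allowed host is then pointed at the gateway's port 3128 for HTTP and HTTPS; since Squid resolves names itself, the clients need no direct DNS, and none is allowed by these rules. When merging the squid.conf lines into a real installation, keep the stock Safe_ports, SSL_ports and CONNECT rules ahead of `http_access allow lan`, otherwise the LAN could CONNECT to arbitrary ports through the proxy.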

 
Old 04-03-2014, 10:31 AM   #20
Germany_chris
Why not just sandbox your browsers and use iptables for the rest of your needs?
 
  

