Unix-Based Application Specific Firewalls? 29
tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"
ZoneAlarm (Score:2)
You said you have the hardware firewall/NAT solution -- well, you've probably multiple boxes on the network. Why not make one of those the "zonealarm" passthru box, and control all packets in and out through there? (afterwhich, you could place the hardware firewall to protect this box....) Seems like the easiest solution to me.
And yes, I know, some people probably don't have the spare hardware to do this.....
Re:ZoneAlarm (Score:1)
Re:ZoneAlarm (Score:1)
For example, if you want to allow that, you have to configure zoneAlarm with "low" security settings, wich opens up way too much holes to be of any usefulness security-wise.
It's still going to block the trojan on the machine it runs, tough., but not much else
Unless you just really want IE... (Score:3, Insightful)
Systrace (Score:3, Informative)
I've thought of making something like ZoneAlarm on Linux myself, but felt it was more of a novelty than something useful, since I find my applications pretty trustworthy as it is.
Re:Systrace (Score:1)
iptables can do some (Score:5, Informative)
Re:iptables can do some (Score:2, Interesting)
I'm sure if you were really interested, you could create another module that would pop up a window to prompt you if you wanted to allow the traffic through.
Just stick a rule with it at the end of your OUTPUT chain. It would catch all new application traffic and you could use that to set up new rules to be inserted above this rule.
Re:iptables can do some (Score:5, Informative)
Also nice for proxies and network daemons too.
--
"... Microsoft software and other trojans..." (Score:3, Interesting)
"... Microsoft software and other trojans..."
Well, not trojans, just dependency: Windows XP Shows the Direction Microsoft is Going. [hevanet.com].
Re:"... Microsoft software and other trojans..." (Score:1)
Unfortunately, no... (Score:4, Informative)
A more realistic alternative in the short term might be subterfugue [subterfugue.org], which allows you to intercept any system call, and make a configuration file for each program, to see which system calls they are allowed to perform. It is also a lot slower than a uml sandbox would be.
But both are at the moment probably best described as hackers tools. They are not in any way comparably in convenience to windows application firewalls, but they have functionality that extends them. I'd be interested to hear about anyone with real experience in using any of these (or other tools) for similar purposes.
Use the source, luke (Score:3, Funny)
Change all these lines to "!access internet"
You can't not trust apps - use a separate user ID (Score:4, Informative)
ZoneAlarm's niche doesn't seem to exist on Linux. The assumption is that you just don't run programs you don't trust - if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?) and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.
Yes, in the Real World(tm) where companies are willing to be extremely unethical but unwilling to actually break the law or suffer the backlash from taking over people's computers, ZoneAlarm has its uses, but you can't really rely on it that heavily.
iptables on the client doesn't have any specific protection against malicious apps, but you can constrain individual users' network access, and if you're running programs you're that paranoid about, you should probably be using a separate user ID for them anyway. (I keep meaning to set up one or more separate uids for WINEified games).
Incidentally, I've heard Explorer/Internet Explorer is a bad thing to run under WINE, since it has been known to damage the fake Windows folder WINE uses (that, and it probably uses more undocumented API calls than most third-party Windows apps). Anyone care to confirm or deny this?
Re:You can't not trust apps - use a separate user (Score:2, Informative)
Re:You can't not trust apps - use a separate user (Score:1)
That's fair enough if you are running a locked-down server, but this is a replacement for my desktop machine - which means I'll have a fair number of programs on it (none which I'll specifically distrust). Zone Alarm turns up some odd stuff even with programs I'd be fairly confident about - for instance its just reported that Netscape 7 has asked to be a server (seems to be something to do with DNS in this case, so it may be innocuous).
if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?)
Well I'm sort of assuming I'll exercise reasonable care in not leaving root access that easily available
and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.
For my own desktop use, I'm more inclined to go for the ssh approach - accept some limits in security to allow it to be used more situations.
Using a separate user ID is a good point - I'll just have to make sure it can't read outside it's own area (chroot should do).
use a virtual machine (Score:1)
iptables ownercmd match (Score:3, Interesting)
For applications running on the box itself, the "ownercmd" module in the patch-o-matic may be useful for matching the name of the process. Unfortunately there is no guarantee that an app just hasn't changed it's process name to fake a more "trusted" app, but the base functionality is there.
I know this isn't exactly what you were looking for, as it uses iptables, but these are what I see as the options. Others may exist of course.
overkill? (Score:1)
you already got a hw firewall. and want to police the the network activities of linux?
Redhat has builtin firewalling to choose what can get accessed from out side. And a few other tools that you can download as well. Lets not forget config files that we can modify so they only listen to specif interfaces (127.0.0.1) etc...
I know being secuurity minded isn't a bad thing but this seems over the top...
Re:overkill? (Score:1)
No, not overkill. A hardware firewall (and NAT) is almost useless as a defence against something on your system calling out. Also I don't mind trusting Linux per se, but I don't want to place unnecessary trust in applications running under Linux.
Whoa (Score:1)
Don't use MS products. Don't execute trojans. Don't run an application you don't "trust." Don't accept HTML mail, or don't click on the links.
If your security is that crucial--that you have to allow your Internet browser ask permission to use the INTERNET, just unplug your network cable.
Simplicity is nice.
Re:Whoa (Score:1)
This isn't going to be a server - it's a desktop machine. As such I'll run a fair amount of stuff, some of it for fun, some to get a job done. It's not practical to skry the source, even it it's available: as you know, there have been a few Trojans imbedded in open source software recently which remained hidden for quite some time.
If your security is that crucial--that you have to allow your Internet browser ask permission to use the INTERNET
I probably wasn't clear on that. I only use IE for a few sites where I have to use it (yep, I've tried altering the UA string on other browsers). I normally use Opera and Netscape, and allow those free access. Given that IE seems responsible for half the security holes on the net, this doesn't seem overly paranoid!
Re:Whoa (Score:1)
Other than that sense you do not want to use iptables on the client where it would be able to do what ZoneAlarm/BlackIce does. You can create a seperate acount to where the app will not be able to mess with things.
Iptables could be used to block everything to every port and then open the ports for app. that you want to have access.
Good enough? (Score:3, Interesting)
by Daniel Robbins of Gentto fame over at Developerworks that discusses scripts for dynamic firewalls. The focus is on inbound blocks but it should be easy enough to block outbound as well. You could also use Win4Lin or VMWare for your windows stuff and then you would get another network device which would allow you to at least see what from what OS the request came from.
Actually what I like best about Zone Alarm is the ability to lock down a system and then peal back the port restrictions as requests are made. It's a great way to make a firewall for those who don't want to deal with iptables (Yea, I'm sure it's flawed from an absolute security perspective but it's better that no firewall). I seem to remember a project similar to this for Linux from a few years ago but I can't remember what it was called...