Gentoo Forums
Forum Index > Networking & Security
Thread: Firewall to block SOFTWARE

haarp (Guru; joined 31 Oct 2007; 535 posts)
Posted: Wed Jun 03, 2009 2:41 pm    Post subject: Firewall to block SOFTWARE

Greetings.

First off, yes, I know all about iptables. I also know there exist GUIs for it like Firestarter. That's not what I need here.
This may be only a minor issue on Linux systems, but I'm still curious, especially since I often use Wine:

Is there a software firewall for Linux that does block certain APPS from accessing the web? I'm not talking about ports or services, but binaries. There's plenty of such programs for Windoze, but I've never seen something like that on any Linux platform. I'm beginning to think that this is not even possible/has never been done before.

Does anyone know more about this?

think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; location: above the cloud)
Posted: Wed Jun 03, 2009 2:49 pm

you can limit network access with iptables based on user- and/or process ID; alternatively you can have a look at l7filter
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

haarp (Guru; joined 31 Oct 2007; 535 posts)
Posted: Wed Jun 03, 2009 2:55 pm

Think4UrS11 wrote:
you can limit network access with iptables based on user- and/or process ID; alternatively you can have a look at l7filter

Yea, l7filter is pretty cool.

PID you say? Now that's a start. Next requirement would be an app that tracks the relationship between PIDs and their corresponding binary and puts a GUI on top of that :mrgreen:
Needless to say, only whitelisting would work in that manner, since newly-started binaries (that are yet to get tracked with their PID) could send off a few packets until the fw gets ahold of them in blacklisting mode.

But it's an interesting start nonetheless, thanks. Question still stands - does anyone know software that does this?

think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; location: above the cloud)
Posted: Wed Jun 03, 2009 3:11 pm

you can also filter on cmd-owner. With that you can e.g. restrict the user in a way that he can go to the internet with firefox but not with thunderbird. But that only checks the name, not the binary itself...

What's missing though is afaik something which creates a 'known-good' database of applications with checksums over the binaries or alike and creates/enforces fw-rules based on that.

malern (Apprentice; joined 19 Oct 2006; 170 posts)
Posted: Wed Jun 03, 2009 3:13 pm

SELinux will allow you to restrict the network capabilities of specific apps. I don't have any experience with any GUIs for it, so I can't comment on that.

think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; location: above the cloud)
Posted: Wed Jun 03, 2009 3:22 pm

NuFW might also be interesting to you.

haarp (Guru; joined 31 Oct 2007; 535 posts)
Posted: Thu Jun 04, 2009 1:21 am

Hi, thanks for the info.

I was actually looking for simpler solutions. While both SELinux and NuFW look promising, they require a lot of work to be put into setting them up and learning how to use them. Not really something poor haarp wants to do for just simple personal firewall needs :]

Think4UrS11 wrote:
you can also filter on cmd-owner. With that you can e.g. restrict the user in a way that he can go to internet with firefox but not with thunderbird. But that only checks the name, not the binary itself...

How exactly would that work? This and PID both look promising. In the worst case, I could probably hack some whitelisting fw up in bash :mrgreen: (only language I'm fluent in)
Checking binaries for changed checksums shouldn't be hard and comparing PIDs to binaries would be pretty easy as well. I'd just have to keep a list with binary, checksum and state (allow/deny), then dynamically check PIDs and modify the iptables rules accordingly...
The hard part would be to determine whether an app -attempted- to connect to the net and pop a message box to the user querying what to do. Maybe this can be done by getting iptables to log unsuccessful connection attempts?
Meh, this is getting out of hand pretty quickly. My knowledge of iptables is extremely limited anyway ;)

Alternatively, I just found this:
http://tuxguardian.sourceforge.net
Looks very simple, yet promising. It's also in the Sunrise repo. On the downside, it hasn't been updated since 2006...opinions?
edit: well, it's dead and won't even work.
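The two ideas in this thread, Think4UrS11's owner-based iptables match and haarp's "binary + checksum + allow/deny list" whitelist with logging of refused attempts, fit together in one small script. The following is an added example, not code from the thread, TuxGuardian or any project named here. It assumes a dedicated group (hypothetical name netok) whose members' sockets are allowed out, a whitelist file (hypothetical path /etc/appfw/whitelist) with lines of the form "path sha256 allow|deny", and that whitelisted programs are started through the script so that sg(1) gives them that group. It matches on GID rather than PID or command name because the owner match's --pid-owner and --cmd-owner options were removed from the kernel in Linux 2.6.14; --uid-owner and --gid-owner are what remain. The LOG rule covers haarp's last question: for locally generated packets the kernel log line carries UID= and GID= fields, which a user-space notifier could parse.

```shell
#!/bin/sh
# Added example (not from the thread): per-application egress whitelist built on
# iptables' owner match. Hypothetical assumptions:
#  - programs allowed out are launched via run_allowed, which uses sg(1) so their
#    sockets carry the group $NET_GROUP; the invoking user is a member of it;
#  - the whitelist at $WHITELIST_FILE has one entry per line:
#        /path/to/binary <sha256> allow|deny      (paths without spaces)
# GID is used instead of PID/command name because --pid-owner/--cmd-owner were
# dropped from the owner match in Linux 2.6.14; --uid-owner/--gid-owner remain.

WHITELIST_FILE="${WHITELIST_FILE:-/etc/appfw/whitelist}"   # hypothetical path
NET_GROUP="${NET_GROUP:-netok}"                             # hypothetical group

# SHA-256 of a file: coreutils sha256sum, with openssl as a fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Status 0 only when $1 is listed as "allow" in whitelist $2 AND its current
# checksum equals the recorded one. Unlisted, denied, missing or modified
# binaries all fail, so a replaced binary cannot ride on an old allow entry.
check_binary() {
    bin=$1; list=$2
    [ -f "$bin" ] || return 1
    actual=$(sha256_of "$bin")
    while read -r path sum state; do
        [ "$path" = "$bin" ] || continue
        [ "$state" = "allow" ] || return 1
        [ "$sum" = "$actual" ] && return 0
        return 1                      # listed, but the binary has changed
    done < "$list"
    return 1                          # not listed at all: default deny
}

# Print the iptables commands for a default-deny OUTPUT policy: sockets owned
# by group $1 may leave; everything else is logged (the LOG line includes UID=
# and GID= for locally generated packets) and then rejected. Printing instead
# of applying keeps the rule set inspectable and testable without root.
build_rules() {
    cat <<EOF
iptables -N APPFW 2>/dev/null || iptables -F APPFW
iptables -A APPFW -o lo -j ACCEPT
iptables -A APPFW -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A APPFW -m owner --gid-owner $1 -j ACCEPT
iptables -A APPFW -m limit --limit 5/min -j LOG --log-prefix "APPFW-DENY: "
iptables -A APPFW -j REJECT --reject-with icmp-port-unreachable
iptables -D OUTPUT -j APPFW 2>/dev/null
iptables -I OUTPUT -j APPFW
EOF
}

# Launch $1 (with remaining args) under the network-allowed group, but only if
# it passes check_binary; otherwise refuse and say why.
run_allowed() {
    bin=$1; shift
    if check_binary "$bin" "$WHITELIST_FILE"; then
        exec sg "$NET_GROUP" -c "$bin $*"
    fi
    echo "appfw: refusing to start $bin (not whitelisted or checksum changed)" >&2
    return 1
}

# Record a binary's current checksum as the known-good one. Run this once per
# program, from a state you trust, before relying on the whitelist.
add_allow() {
    printf '%s %s allow\n' "$1" "$(sha256_of "$1")" >> "$WHITELIST_FILE"
}

case "${1:-}" in
    --apply) build_rules "$NET_GROUP" | sh ;;     # install the rules (needs root)
    --allow) add_allow "$2" ;;
    --run)   shift; run_allowed "$@" ;;
esac
```

Usage: `./appfw.sh --apply` as root installs the chain, `./appfw.sh --allow /usr/bin/firefox` records a known-good checksum, and `./appfw.sh --run /usr/bin/firefox` starts it with the netok group; anything started the normal way has no such group and shows up in the kernel log as APPFW-DENY with its UID and GID before being rejected. Two limits worth knowing: the checksum is checked only at launch, and every child of an allowed process inherits the group, so starting Wine this way lets every program inside that Wine session out.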