 erm4gh
join:2003-08-04 Santa Clara, CA
| Managing outgoing connections under linux?
I'm currently running XP and am going to install Ubuntu on another partition in a couple of days. I'm currently using a router with a built-in firewall for incoming connections plus kerio personal firewall 2.1.5 to manage outgoing connections.
What can I use to manage outgoing connections under linux? I'm looking for something GUI based that supports a "ask me first" model and application specific rules. That rules out ipchains. The closest I've been able to find is firestarter, which doesn't seem to support application specific rules. I've heard about chroot jails but they seem more appropriate when you're worried about an application trashing your system (and don't seem as easy / convenient). |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| You may be better off posting this over in the Linux/Unix forum. For your answer, m0n0wall and Smoothwall will work for maintaining outbound & inbound connections. -- I threw out the map a long time ago. Now I follow my own direction! |
|
 erm4gh
join:2003-08-04 Santa Clara, CA
| Thanks for the suggestion but my impression is that Smoothwall includes a subset of Linux, and m0n0wall is based on a bare-bones version of FreeBSD. I don't understand how either of those would meet my needs.
Somebody appeared to have moved this thread from the security forum to the all things unix forum. |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
1 edit | said by erm4gh:
Thanks for the suggestion but my impression is that Smoothwall includes a subset of Linux, and m0n0wall is based on a bare-bones version of FreeBSD. I don't understand how either of those would meet my needs. Somebody appeared to have moved this thread from the security forum to the all things unix forum.
I asked for it to be moved to All Things Unix, because it fits in here better. As for both versions, they are good for what they do. With IPChains, you need a version of Linux in order to use them.
IPChains is the basis for firewalls with Linux. As for the GUI interface, most Linux users do not make changes in the GUI. If unfamiliar with Linux, you really need to obtain some books on Linux and IPChains. -- I threw out the map a long time ago. Now I follow my own direction! |
|
 erm4gh
join:2003-08-04 Santa Clara, CA
| I don't care how useful something is on a separate dedicated PC, I'm looking for an add-on for Ubuntu. I specifically said I didn't want to use ipchains and why. I read the how-to guide. Telling me to buy a book on ipchains doesn't tell me why my impression that it couldn't meet my needs is wrong. It would only be useful if it appeared to meet my needs and I needed more info on how to use it (and couldn't find the info on the net). Giving me some hint why it could meet my needs would be helpful.
"Clarkconnect is a Linux distro built to run as a firewall/router". I'm looking for an add-on for Ubuntu, I already have a perfectly good firewall/router.
It's not clear that you understand what I want to do. I really wish you hadn't asked the moderator to move the thread. |
|
 rotty97
join:2005-06-30 Australia
| I think what you are after is what most Windows firewalls do and that is ask you if a program is trying to access the internet, or a process is trying to talk to another process to access the internet etc. Things like program rules and stuff?
I believe IP chains and m0n0wall are really good firewalls but this person wants something that will allow internet access on application based access.
Am I correct?
cheers, rotty |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| said by rotty97:
I think what you are after is what most Windows firewalls do and that is ask you if a program is trying to access the internet, or a process is trying to talk to another process to access the internet etc. Things like program rules and stuff? I believe IP chains and m0n0wall are really good firewalls but this person wants something that will allow internet access on application based access. Am I correct? cheers, rotty
Yes, but you cannot do that with Linux, because IPChains works with the ports, not specific applications. Also, placing the distro on a separate partition will not allow Windows to benefit from the firewall, because you would still need to use a specific box for just the Linux firewall product, or use just Ubuntu to work in all the time. -- I threw out the map a long time ago. Now I follow my own direction! |
|
 erm4gh
join:2003-08-04 Santa Clara, CA
| reply to rotty97 said by rotty97:
I believe IP chains and m0n0wall are really good firewalls but this person wants something that will allow internet access on application based access. Am I correct?
Yes. I already have a D-Link DI-604 router which can manage incoming connections regardless of what operating system I'm running. |
|
  longtimelurker
@swbell.net
| reply to erm4gh First, a minor correction. The last kernel to use ipchains was version 2.2. Since that time the kernel has used iptables. I am sure that was just a slip up as I have done these kinds of things too. (Say one word but mean another.) I just wanted to make things clear for any new Linux users that happened to read this thread.
As for the original question I am guessing that you are new to Linux. The reason I say that is that I currently do not see a need for a program that you describe. I think that the use of these programs is to keep "non authorized" programs from getting out to the net. The only non authorized programs that I can think of would be spyware, adware, and viruses. I cannot think of any major spyware, adware, or virus that was targeted at Linux. Therefore I do not see a current need for a program such as this.
Since you did not give us a reason as to why you need/want this program I merely speculated as to why you think you wanted it. If I am off base, please let me know and elaborate on your reasons for wanting a program such as this.
Cheers |
|
Greg_Z Premium join:2001-08-08 Springfield, IL | Thank you. I was trying to think if it was IPTables or IPChains, because I do not regularly use Linux, with the exception of some testbedding with machines. -- I threw out the map a long time ago. Now I follow my own direction! |
|
 salahx
join:2001-12-03 Saint Louis, MO
| reply to erm4gh You can actually pull off the "per-application" rule part, but not the interactive part - using SELinux. The soon-to-be-released 2.6.18 will also support labelling individual packets and connections using Netfilter/iptables.
However, SELinux is VERY complicated (even I don't understand it that well!) and distribution support is poor: Fedora Core 5 has good support for it, most others do not: Even Gentoo is lagging behind, with the last SELinux profile being 2005.1 . |
|
  deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
| reply to erm4gh Out of curiosity, why do you want this sort of application-level filtering? What are you trying to protect yourself from or glean from this?
A simpler policy would probably be to block all outbound traffic by default, and then poke holes for specific users or outbound packets destined for certain ports you want to allow.
But perhaps if you explain why you think you want/need application-level filtering, it'd be easier to help. -- "Hey honey! Do you think KFC's still open?" |
|
 erm4gh
join:2003-08-04 Santa Clara, CA
1 edit | reply to longtimelurker said by longtimelurker:
As for the original question I am guessing that you are new to Linux. The reason I say that is that I currently do not see a need for a program that you describe. I think that the use of these programs is to keep "non authorized" programs from getting out to the net. The only non authorized programs that I can think of would be spyware, adware, and viruses. I cannot think of any major spyware, adware, or virus that was targeted at Linux. Therefore I do not see a current need for a program such as this.
I used Red Hat for a year at work about 5 years ago but haven't used Linux since. I want to use Ubuntu at home.
I'm not concerned about malware, spyware, viruses or unauthorized programs. Under Windows I've found that many applications I've installed "call home" (or some other server) for various reasons. I want the ability to stop that so that I don't have to concern myself with what they're sending, or it timing out on a network connection that doesn't add any value. The only examples that I can think of off the top of my head for Linux would be binaries such as the Adobe Acrobat Reader, Sun's JRE checking for updates, some Mozilla extensions, or Windows games that I might run under WINE. I also sometimes install applications via Java Web Start with "trusted signed code" (so that it's not limited to the sandbox). I assume I'll run into more cases after I've used Ubuntu a while.
In some cases I assume I could figure out a way to disable it calling home etc, but would probably have to do it again after upgrading the software. I also don't want to go to all of the trouble of setting up chroot jails when I'm not worried about the application messing up my system.
I've found using a personal firewall under XP a very convenient/easy way of managing what applications can connect to, mainly because it has an "ask me first" mode. I'm just looking for an equivalent mechanism under Linux. The problem with every solution (under Linux) I've found so far is it's not application specific and/or requires you to spend time figuring out exactly what protocol/ports are used after the fact, and then check it again every time you upgrade the software. |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| In Linux, applications do not "call home" like they do in Windows. Linux is a safer OS than Windows when it comes to how programs are designed to run. In Windows, applications have all exclusive access to be able to run without Administrator intervention. Whereas in Linux, the Administrator has to have access in order to allow those programs all exclusive access.
I believe that you are taking this farther than you should. -- I threw out the map a long time ago. Now I follow my own direction! |
|
  JohnInSJ Premium join:2003-09-22 San Jose, CA
·Comcast
| reply to deblin said by deblin:
A simpler policy would probably be to block all outbound traffic by default, and then poke holes for specific users or outbound packets destined for certain ports you want to allow.
Yep, this is the Linux way.
Use iptables - with default rule drop all outbound connections. Open ports for normal outbound traffic (http & https, smtp)
Run apps - when one chokes because it cannot get out, open that port.
Shorewall is a nice front-end to iptables firewalls, and there are tons of sites/pages/info out there on using it.
But usually outbound blocking is only needed if your linux box *is* the gateway/router/firewall for your network. -- My place : »www.schettino.us |
|
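The policy deblin and JohnInSJ describe, written out as an iptables script. This is an added example, not code from the thread, from Shorewall or from any iptables documentation. It does the "default drop outbound, poke holes for http, https and smtp" part, and adds the closest thing stock iptables has to a per-application rule: the `owner` match, which keys on the uid of the process that generated the packet. Run the program you distrust under a dedicated account (assumed here to be named `sandbox`; the account, the interface name and the sample log lines are all constructed for the example) and it gets its own rules. The rules are generated as text first so they can be reviewed without root, and the final LOG rule records the uid of whatever gets dropped, so a program that "chokes" can be diagnosed from the kernel log instead of guessing at its ports.

```shell
#!/bin/sh
# Added example (not from the thread): default-drop OUTPUT policy with
# port holes, a per-uid rule via the iptables "owner" match, and a small
# parser for the LOG lines the policy writes to the kernel log.

IPT=iptables
ALLOWED_TCP="80 443 25"    # http, https, smtp, as suggested in the post
SANDBOX_USER="sandbox"     # assumed account name for the restricted program

gen_rules() {
    echo "$IPT -F OUTPUT"
    echo "$IPT -P OUTPUT DROP"
    # Loopback, and packets belonging to connections already accepted.
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Everyone may resolve names.
    echo "$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT"
    # The sandbox account gets nothing beyond DNS. These rules sit before
    # the general holes, so even its http/https attempts are logged and dropped.
    echo "$IPT -A OUTPUT -m owner --uid-owner $SANDBOX_USER -j LOG --log-prefix \"OUT-DROP-$SANDBOX_USER: \" --log-uid"
    echo "$IPT -A OUTPUT -m owner --uid-owner $SANDBOX_USER -j DROP"
    # Normal outbound traffic for everyone else: new TCP connections only.
    for p in $ALLOWED_TCP; do
        echo "$IPT -A OUTPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    # Log whatever is left (with the sending uid) before dropping it.
    echo "$IPT -A OUTPUT -j LOG --log-prefix \"OUT-DROP: \" --log-uid"
    echo "$IPT -A OUTPUT -j DROP"
}

apply_rules() {
    # Only touch the live firewall when root and iptables is present.
    if [ "$(id -u)" -ne 0 ] || ! command -v "$IPT" >/dev/null 2>&1; then
        echo "apply_rules: need root and $IPT; printing rules instead" >&2
        gen_rules
        return 1
    fi
    gen_rules | sh -e
}

parse_drops() {
    # Read kernel log lines on stdin and print one summary line per dropped
    # outbound packet: uid, protocol, destination and port, i.e. the hole
    # you would have to poke if that program is legitimate.
    awk '/OUT-DROP/ {
        uid = "?"; proto = "?"; dst = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "UID")   uid   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        printf "uid=%s proto=%s dst=%s dport=%s\n", uid, proto, dst, dpt
    }'
}

sample_log() {
    # Constructed sample lines in the format the LOG target writes to the
    # kernel log; not captured from a real system. The third line is noise
    # that the parser must ignore.
    cat <<'EOF'
Jun 10 12:00:01 box kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jun 10 12:00:02 box kernel: OUT-DROP-sandbox: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun 10 12:00:03 box kernel: martian source 10.0.0.1 from 10.0.0.2, on dev eth0
EOF
}

# Usage:  sh outbound.sh show        print the rules for review
#         sudo sh outbound.sh apply  load them
#         dmesg | sh outbound.sh drops   see who got blocked, and where to
case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    drops) parse_drops ;;
    demo)  sample_log | parse_drops ;;
esac
```

Two caveats a practitioner should keep in mind. The `owner` match is per uid, not per binary, and it cannot "ask first"; the trick is to run the program you want to confine under its own account (something like `sudo -u sandbox wine game.exe`), at which point every connection that account makes is subject to the sandbox rules no matter which executable made it. And the final LOG rule is what makes the "run it, see what chokes, open the port" loop from the post above workable: the logged `UID=` and `DPT=` fields tell you which user and which port to add a hole for, without reaching for a packet sniffer.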
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI
| reply to erm4gh Panda DesktopSecure is a commercial (not free) frontend to iptables that supports the type of application-controlling you're speaking of.
But, as others have said, it's really not necessary under Linux, and Linux will soon get other ways (SELinux, AppArmor, etc) of controlling what applications are and are not allowed to do. -- UbuntuForums Administrator: try Ubuntu Linux |
|
  donoreo Premium join:2002-05-30 North York, ON
| reply to erm4gh I will also chime in here and say this sort of thing is not needed. This is carrying a Windows mentality over to Linux and it is not needed. Set your mind free, use the force, Luke  -- I cannot deny anything I did not say |
|
 erm4gh
join:2003-08-04 Santa Clara, CA
| I understand what you're saying about different behavior under Linux, but the examples I gave were for applications that I have no reason to believe will follow the "Linux way". Either because they're Linux ports of something developed for Windows, they're platform independent, or are Windows applications running under WINE.
I suspect I'm out of luck because there is insufficient demand but there is a difference between "it's not needed" and it's not needed for applications that were originally developed for Linux/UNIX. Give me some credit for understanding that there are cultural differences.
I think the references to SELinux and AppArmor miss the point. They seem to be solutions focused on controlling access to files and processes (to make a more secure system), and don't appear to duplicate what a firewall can do. Ditto for RSBAC (Rule Set Based Access Control). |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| Rule Set Based Access Control can be done in Linux. And it is a part of the more modern Linux kernels.
»www.securityfocus.com/tools/731 RSBAC is a flexible, powerful and fast open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused.
The standard package includes a range of access control models like MAC, RC, ACL (see below). Furthermore, the runtime registration facility (REG) makes it easy to implement your own access control model as a kernel module and get it registered at runtime.
»www.rsbac.org/ »search.yahoo.com/search?p=rule+s···ei=UTF-8 -- I threw out the map a long time ago. Now I follow my own direction! |
|
 garywk
join:2001-03-06 Clarkston, WA
1 edit | reply to erm4gh quote: I understand what you're saying about different behavior under Linux, but the examples I gave were for applications that I have no reason to believe will follow the "Linux way". Either because they're Linux ports of something developed for Windows, they're platform independent, or are Windows applications running under WINE.
I suspect I'm out of luck because there is insufficient demand but there is a difference between "it's not needed" and it's not needed for applications that were originally developed for Linux/UNIX. Give me some credit for understanding that there are cultural differences.
In Windows Sun's Java runs a background app to check for things like updates. I've never seen such a thing on my Linux box, but I did use make-jpkg and dpkg to install java. There are no startup scripts for such an application in /etc/init.d nor does any such process show up using ps. Sun's Java simply doesn't call home.
As to Adobe, well, the same goes for it. I installed it using unofficial Debian repositories. After reading your post yesterday I fired up ethereal and opened and closed Reader about a dozen times and opened and closed documents several times. There was no network traffic coming from Reader. And, I use ethereal quite a bit for other reasons so it's up and running at least a day or so a week and I've never found any outbound packets from either program. That being said the open source .pdf readers are getting much better than they were a couple of years ago and you don't need Reader to open .pdf files.
The only proprietary program I've ever had on a Linux box that "calls home" is Skype, but that's to be expected as it must stay in contact with its p2p network by its very nature. As to any Windows games you might install using Wine, well, those games will not be able to start up any background processes on boot. But, once you have them fired up I would imagine it's possible, but I'm no gamer so have no direct experience with it.
I also think you're being a little too Windows-minded, if you want to call it that. It took me quite a while to "come down" from all that necessary paranoia when I first made the switch too. LOL. I was so paranoid when I first switched over I installed ClamAV and ran it as a background process checking each file as it was opened just as I did with Windows.... I have since learned to trust my computer a lot more. I'm still security conscious, but I no longer live in a state of paranoia about every app that runs on my computer. I still check up on any proprietary app when/if I install one, but even those seem to act differently than the Windows versions do. I think it may be because those companies which are beginning to target the Linux marketplace realize that Linux users just won't tolerate that kind of behavior on their machines like Windows users will, and if they want their apps on Linux machines they have to change the way their apps behave. There may be some company out there that will change that some time, but that's been my experience with proprietary apps up to now.
-- We will bankrupt ourselves in the vain search for absolute security.
Dwight David Eisenhower |
|