From: Van Chocstraw on
On 12/27/2009 11:59 PM, Stephen Horne wrote:
> On Mon, 28 Dec 2009 04:05:29 +0000 (UTC), Paul J Gans
> <gansno(a)panix.com> wrote:
>
>> I think that the basic thing to remember is that in Linux FEW PROGRAMS
>> go off and connect to the internet by themselves[1]. In general
>> NOTHING connects to the internet without you telling it to do that.
>
> The trouble is, it only takes one exception to that rule.
>
> The scenario I have in mind is a trojan. I download it, mess around
> with it within a user account, and don't realise that it has (e.g.)
> scanned the files in my user account, spotted some passwords/bank
> details/personal info, and phoned home.
>
> If you have the habit of messing around with random programs, one day,
> something like this is bound to happen. It doesn't matter whether you
> download binaries or build from source - unless you inspect that
> source line by line, the possibility still exists that there is an
> undocumented nasty lurking within.
>
> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
> home, and so the security issue is minimised. Being told that the
> program tried to phone home even gives you the warning that it is /
> may be a trojan, or spyware or whatever.
>
> True - the Linux environment and culture makes this kind of thing less
> likely. But IIRC, someone actually managed to get a trojan included in
> one of the major distros repositories (briefly) a while back. Don't
> think it was anything serious, but the point is that *any* operating
> system has vulnerabilities. Even if you could engineer a perfect O/S,
> there's always the fallible human element.
>
> I don't claim to be perfect. Since I am not perfect, I'd like my
> software to warn me about that fatal error when I make it, and
> hopefully prevent the "fatal" aspect of it.
>

What makes you think a virus or Trojan can't be written to ignore,
bypass or fool Zonealarm? Firewalls are broken into daily. This sounds
like a 'feel good' firewall. Makes you think you are in control.
From: Stephen Horne on
On Mon, 28 Dec 2009 13:42:12 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>Stephen Horne wrote:
>>>But you are able to identify all programs out there? I doubt it.
>>
>> I am able to identify those that I have chosen to download and run, at
>> least well enough to decide whether I trust them to have internet
>> access, with the default being "no".
>
>OK, so if you start vuze, which application will be asking for the
>access? I have not tested it, but it could be fuze, java, azureus or
>vuze-bin or even something else.

Quoted from my original post, starting this thread...

"""
With a few exceptions (e.g. all Java applications appear to be the
same application as far as ZoneAlarm is concerned), it works very
well.
"""

But then again, I *never* said "Windows good Linux bad" or "ZoneAlarm
good Linux bad". I had no intention of triggering a crusade when I
asked my question.

>> Guess what I'm doing right now ;-)
>
>No idea. Probably confusing admin tasks with user tasks.

Search carefully through my posts. Identify the point where I said
that deciding which apps should be whitelisted is a user rather than
admin task.

That's right - it never happened - it's just a conclusion that
everyone jumped to because I happened to mention a Windows app as part
of asking a question.

Guess what - if I ask how to move my files to Linux, and happen to
mention that those files are on my C:\ drive, that doesn't mean I'm
demanding that Linux use DOS-style drive letters and backslashes
either.

It just happens that I know Windows, and therefore my explanations are
very likely to use Windows examples. Sorry if no-one can cope with
that.

>> Of course not. Amazingly, it is possible to have a Linux distro with a
>> working web browser (and thus an open port) which is *NOT* a magnet
>> for every passing virus.
>
>A working browser has nothing to do with access to the internet.

While there are obviously local-only uses for a web browser, this is
pedantic to say the least. Most people would understand, esp. given
the context, that by "working web browser" I'm referring to one which
can access the web, which implies internet access.

>I am not talking about being a Linux expert. I am saying you must take a
>step back and try to look at what the real issues are.

I know what the real issues are. I didn't know that by using a
Windows-based example to explain where I'm starting from, I'd trigger
a religious war.

>In the end what you want (A zoneWhatever clone for Linux) is not

How many times have I said that I *DON'T* want a ZoneAlarm clone? I
lost count.

This really shows how the driving force in this thread has been people
jumping to wrong conclusions and generally going nuts just because I
happened to mention a Windows app.

>possible, unless you write it yourself. The reason it does not exist is
>not because it is impossible, but because many, many, many people who
>would be able to do it think it is a useless idea.

And maybe that's true. It's certainly a possibility I was open to at
the start of the thread.

Trouble is, at this point, I don't really think I can bring myself to
take any of you seriously.

<SNIP>
>Give the proper access with 'sudo' or with something else where you are
>forced to enter the root password.
>Give the ability to that program temporarily or permanent to open ports.
>
>Not an easy task and a waste of time if you ask me.

Wow - genuine practical advice.

From: Stephen Horne on
On Mon, 28 Dec 2009 15:09:17 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>> Exercise three - point out where I said "ZoneAlarm good Linux bad".
>
>The fact that you want it the way ZoneAlarm works and keep ignoring the
>fact that everybody says it is bad.

Except I never said I want things how ZoneAlarm works. I used
ZoneAlarm as an example, the key point being that the filtering is
based on applications.

Funnily enough, I didn't explain things by referring to examples on
the Mac. You know why? Is it, for example, because I reject everything
a Mac does out of hand?

No - it's because I don't know much about the Mac, and thus don't know
any Mac based examples that would explain the point.

Equally, I didn't write the question in Swahili. That doesn't mean I
disapprove of Somalians or whatever, and it doesn't mean I think
English is the one true language. It just means that I know English,
and I don't know Swahili.

Are we understanding this basic principle yet?


So far, the best argument against the idea is the masquerading issue,
and the same thing applies to anything that asks for a root password.

That said, quoting from my original post...

"""
Or am I too focussed
on the Windows way of doing things, and failing to see an obvious (but
different) way to achieve what I want?
"""

My God, how terribly closed-minded I am!

From: J G Miller on
On Mon, 28 Dec 2009 04:05:29 +0000, Paul J Gans wrote:

> In general NOTHING connects to the internet without you telling
> it to do that.

....

> the updater applet (or YAST) will tell you if updates are
> available.

Except as you have just pointed out, the updater applet.
From: David Bolt on
On Monday 28 Dec 2009 12:44, while playing with a tin of spray paint,
Stephen Horne painted this mural:

> I repeat - I'm not asking to clone ZoneAlarm or the Windows way. I
> just want to prevent applications from accessing the internet without
> my explicit permission.

Here's some steps you can try:

1, create a new table using iptables, maybe calling it allowed_apps;
2, insert a rule that forces all outbound traffic through allowed_apps;
3, insert a rule that blocks all outbound access to the net for GID
users in the main table;
4, when starting up a new application, make a note of the PID and add
an entry to allowed_apps allowing that particular PID;
5, once you quit the application, remove the rule for the matching PID.

For whitelisted applications, I can see one way to do it, but it would
require a wrapper shell and some fiddling.


Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
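One way to carry out the steps David describes, as an added example that is not from any poster in this thread: instead of a rule per PID (the iptables `--pid-owner` match no longer exists in current kernels), a dedicated group is used with the `owner` match, and whitelisted applications are launched through a small wrapper so they run with that group id. The group name `netaccess`, the chain name `allowed_apps` and the `APPLY` switch are assumptions made for this example. By default the script only prints the iptables commands it would run; set `APPLY=1` and run it as root to install them.

```shell
#!/bin/sh
# Added example, not code from the thread: per-application outbound filtering
# with iptables' owner match on a group, plus a wrapper for whitelisted apps.
# Assumed names: group "netaccess", chain "allowed_apps", env switch APPLY.

NET_GROUP="${NET_GROUP:-netaccess}"
CHAIN="${CHAIN:-allowed_apps}"

if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"          # real run: requires root
else
    IPT="echo iptables"     # dry run (default): print the commands instead
fi

# Step 1-3 of the thread: a user-defined chain, all OUTPUT traffic sent
# through it, and everything that is not owned by the whitelist group
# logged (rate limited, so a chatty program cannot flood the log) and
# rejected. Loopback stays open so local services keep working.
install_rules() {
    $IPT -N "$CHAIN"
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -j "$CHAIN"
    $IPT -A "$CHAIN" -m owner --gid-owner "$NET_GROUP" -j ACCEPT
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "blocked-outbound:"
    $IPT -A "$CHAIN" -j REJECT
}

# Undo install_rules in reverse order (the chain must be empty before -X).
remove_rules() {
    $IPT -D OUTPUT -j "$CHAIN"
    $IPT -D OUTPUT -o lo -j ACCEPT
    $IPT -F "$CHAIN"
    $IPT -X "$CHAIN"
}

# Steps 4-5 of the thread, without touching the rule set at all: the
# wrapper starts the application with the whitelist group as its gid, so
# its packets (and only its packets) pass the owner match; when the
# process exits, nothing has to be cleaned up. The calling user must be
# a member of $NET_GROUP for sg(1) to grant the group.
allowed_cmd() {
    printf "sg %s -c '%s'\n" "$NET_GROUP" "$*"
}

run_allowed() {
    sg "$NET_GROUP" -c "$*"
}

# Stand-alone use: print (or with APPLY=1, apply) the rule set.
install_rules
```

A program that is not launched through `run_allowed` gets its connection attempts rejected and a `blocked-outbound:` line in the kernel log, which is the warning the original poster wanted; the masquerading caveat raised earlier in the thread still applies, since anything that can change its own group membership (or run as root) is outside what this rule set can enforce.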