From: Death on
houghi wrote:

> Death wrote:
>> It's best just to not click on things that are too good to be true.
>> The "1000 free wallpapers" link is best left alone.
>> But, even if you do click on it, the "do you want to run this" question is
>> dumb...if I didn't want to run it, I wouldn't have clicked on it!
>
> Are you sure? [Y/n]
>

I need a Maybe button. { |Yes| |No| |?| }

--
Vita brevis breviter in brevi finietur,
Mors venit velociter quae neminem veretur.

From: Stephen Horne on
On Mon, 28 Dec 2009 14:42:05 +0000, David Bolt
<blacklist-me(a)davjam.org> wrote:

>On Monday 28 Dec 2009 12:44, while playing with a tin of spray paint,
>Stephen Horne painted this mural:
>
>> I repeat - I'm not asking to clone ZoneAlarm or the Windows way. I
>> just want to prevent applications from accessing the internet without
>> my explicit permission.
>
>Here's some steps you can try:
>
>1, create a new table using iptables, maybe calling it allowed_apps;
>2, insert a rule that forces all outbound traffic through allowed_apps;
>3, insert a rule that blocks all outbound access to the net for GID
> users in the main table;
>4, when starting up a new application, make a note of the PID and add
> an entry to allowed_apps allowing that particular PID;
>5, once you quit the application, remove the rule for the matching PID.
>
>For whitelisted applications, I can see one way to do it, but it would
>require a wrapper shell and some fiddling.

As in the user thinks he's running the app direct, but he's really
running a Bash script/whatever with a nested call to the app?

Sounds fragile somehow, but interesting.

Weirdly, where I was thinking "OK, maybe it's just not needed" at some
stage in all this, I've now got this urge to set something up just out
of nonsensical spite.
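
The steps quoted in the post above, written out as an added example that is not part of the thread. Because the current iptables owner match has no `--pid-owner` option, steps 4 and 5 are replaced here by a group match; the group name `netallow`, the `DRY_RUN` switch and the loopback rule are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumptions.
CHAIN=allowed_apps                 # chain name taken from step 1 of the post
NET_GROUP=${NET_GROUP:-netallow}   # hypothetical group whose processes may reach the net
USER_GROUP=${USER_GROUP:-users}    # the "GID users" of step 3
DRY_RUN=${DRY_RUN:-1}              # 1 = print commands, 0 = execute them (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_rules() {
    run iptables -N "$CHAIN"
    # Stands in for steps 4-5: match the launching group, not a PID.
    run iptables -A "$CHAIN" -m owner --gid-owner "$NET_GROUP" -j ACCEPT
    # Assumption: keep loopback open so local services keep working.
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -j "$CHAIN"
    # Anything from ordinary user processes that the chain did not accept is refused.
    run iptables -A OUTPUT -m owner --gid-owner "$USER_GROUP" -j REJECT
}

teardown_rules() {
    run iptables -D OUTPUT -m owner --gid-owner "$USER_GROUP" -j REJECT
    run iptables -D OUTPUT -j "$CHAIN"
    run iptables -D OUTPUT -o lo -j ACCEPT
    run iptables -F "$CHAIN"
    run iptables -X "$CHAIN"
}

# The wrapper: start one application with its group switched to NET_GROUP.
run_allowed() {
    [ "$#" -ge 1 ] || { echo "usage: run_allowed COMMAND [ARGS...]" >&2; return 2; }
    run sg "$NET_GROUP" -c "$*"
}

case "${1:-}" in
    setup)    setup_rules ;;
    teardown) teardown_rules ;;
    run)      shift; run_allowed "$@" ;;
esac
```

`sg` lets any member of the group switch into it, so this only catches applications that were not started through the wrapper; code already running as that user can call `sg` itself.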

From: Stephen Horne on
On Mon, 28 Dec 2009 15:53:58 +0100, J G Miller <miller(a)yoyo.ORG>
wrote:

>On Mon, 28 Dec 2009 04:59:24 +0000, Stephen Horne wrote:
>
>> It doesn't matter whether you download binaries or build from source -
>> unless you inspect that source line by line, the possibility still
>> exists that there is an undocumented nasty lurking within.
>
>A good example of this is the trojan contained in the Gnome Waterfall
>screensaver installation package which was uploaded to the official site
>Gnome Look.
>
><http://www.zdnet.com.AU/blogs/null-pointer/soa/Carelessness-busts-Linux-security/0,2001102868,339299939,00.htm>
>
>> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
>> home, and so the security issue is minimised.
>
>As far as I am aware this is not the case. A firewall works by blocking
>ports. When Zone Alarm initially asks you if you want to allow an
>application to access the internet, it opens the port for that
>application. If another application uses the same port, then as far
>as I am aware, it will be able to get through the already opened port.

You can and do get those popups for one application while another is
already happily accessing the internet. For example, you have Firefox
browsing a web page, and one of those irritating update programs pops
up and tries to display an embedded internet explorer control with a
web page trying to tell you how lucky you are to be harassed by this
popup. It can try all it likes - all you'll get is the ZoneAlarm
alternative hassle popup while the update thing sits there with an
empty/error display.

Unless you happen to be pressing space or "Y" just as that ZoneAlarm
popup appears, of course.

From: J G Miller on
On Mon, 28 Dec 2009 16:11:56 +0000, Stephen Horne wrote:

> And don't forget - other privileges are successfully controlled.

Have you heard of apparmor?

<http://www.novell.COM/linux/security/apparmor//overview.html>

Have you looked at the configuration files in /etc/apparmor.d?

If you are really paranoid, then you should be considering selinux.

<http://selinuxproject.ORG/page/Main_Page>

From: Stephen Horne on
On 28 Dec 2009 15:41:23 GMT, central <central77(a)fastmailNOSPAM.fm>
wrote:

>Might be so of the cheapie ZoneAlarm, but back in the days I used Windows
>on a regular basis, I used a soft firewall from Sygate, which would only
>allow specified apps AND only to specific ports, so, for instance, I
>could allow Outhouse pop and smtp but block it from everything else, thus
>preventing the vast bulk of emails from collecting images from the web
>AND still blocking smtp and pop for anything else.

That either beats the free ZoneAlarm or my knowledge of it. If you get
that control of which ports each app can access, it's not easily
controlled through the GUI, meaning effectively invisible to most
users.

I have paid for the "Pro" version in the past, too, and don't remember
having that level of control.
