Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unix-Based Application Specific Firewalls?

Posted by Cliff on from the which-would-you-recommend dept.

tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"

29 comments

  1. ZoneAlarm by karnal · · Score: 2

    I'm not too familiar with ZoneAlarm, but couldn't you use that as part of your "security" solution?

    You said you have the hardware firewall/NAT solution -- well, you've probably multiple boxes on the network. Why not make one of those the "zonealarm" passthru box, and control all packets in and out through there? (afterwhich, you could place the hardware firewall to protect this box....) Seems like the easiest solution to me.

    And yes, I know, some people probably don't have the spare hardware to do this.....

    --
    Karnal
    1. Re:ZoneAlarm by tengwar · · Score: 1

      Yes, I've got multiple boxes (an alarming number when I count them!) but I don't think this is the solution. The problem is that ZA has to know which application is calling out, and that pretty well means it has to run on the same box as the application. If it's running on another box, I think it would only be able to identify the protocol and ports, and unfortunately many trojans call home on otherwise innocuous ports such as 80/tcp.

    2. Re:ZoneAlarm by pruneau · · Score: 1
      Eaxctly, simply put, zoneAlarm does not allow you do to that kind of "filtering when my box is routing".

      For example, if you want to allow that, you have to configure zoneAlarm with "low" security settings, wich opens up way too much holes to be of any usefulness security-wise.

      It's still going to block the trojan on the machine it runs, tough., but not much else

      --
      [Pruneau /\o^O/\ warranty void if this .sig is removed]
  2. Unless you just really want IE... by MrEfficient · · Score: 3, Insightful
    If your bank's website won't work in Mozilla, then try Konqueror. You'll have to tell Konq to identify itself as IE on Windows for that particular website. I do this for capitalone.com which won't allow access from Mozilla.

    --
    Check out AbiWord.
    1. Re:Unless you just really want IE... by eht · · Score: 0, Flamebait

      this post was more informative than yours

  3. Systrace by sir99 · · Score: 3, Informative
    You could probably hack something together with Systrace. It's a BSD thing, but it looks like they're porting it to Linux as well. There's also Syscalltrack, but it doesn't look as ready yet, and I think it's aimed at Linux 2.5.x.

    I've thought of making something like ZoneAlarm on Linux myself, but felt it was more of a novelty than something useful, since I find my applications pretty trustworthy as it is.

    --
    The ocean parts and the meteors come down
    Laid out in amber, baby.
    1. Re:Systrace by tengwar · · Score: 1

      Hmm, this looks like just the job. I'll have a fiddle with the snapshot and see if I get anywhere.

  4. iptables can do some by ctr2sprt · · Score: 5, Informative
    iptables can do some of what you want, but not all. Still, it may get you close enough to get by (at least until you find a better option). There is an iptables module called "owner" that lets you perform various tests on the owner of a packet, including its "owning command" (creator process) if the kernel supports it. This still doesn't interactively query if you want to pass a connection, but at least you can hardcode in your basic rules:

    # iptables -A OUTPUT -m owner --cmd-owner outlook ! --dport 25 -m state --state NEW -j REJECT
    It's possible that someone has used that functionality, along with userspace iptables packet queueing, to do exactly what you want, but I haven't heard of it.
    1. Re:iptables can do some by DrZaius · · Score: 2, Interesting
      This is the way to do it. IPTables is a very powerful tool.

      I'm sure if you were really interested, you could create another module that would pop up a window to prompt you if you wanted to allow the traffic through.

      Just stick a rule with it at the end of your OUTPUT chain. It would catch all new application traffic and you could use that to set up new rules to be inserted above this rule.

      --
      -- DrZaius - Minister of Sciences and Protector of the Faith
    2. Re:iptables can do some by cowbutt · · Score: 5, Informative
      You could also chown root.outlook the outlook binary, then use iptables' --gid-owner to apply rules to any process spawned by that binary.

      Also nice for proxies and network daemons too.

      --

  5. "... Microsoft software and other trojans..." by Futurepower(R) · · Score: 3, Interesting


    "... Microsoft software and other trojans..."

    Well, not trojans, just dependency: Windows XP Shows the Direction Microsoft is Going..

    1. Re:"... Microsoft software and other trojans..." by tengwar · · Score: 1

      Yup, exactly why I'm changing over. I actually like Win2k for my desktop (of course the One True OS is EPOC!), but I'm not going to put up with call-home - and I can't rely on an application like Zone Alarm if the OS itself can't be trusted.

  6. Unfortunately, no... by joto · · Score: 4, Informative
    However, there exist some alternatives. User-mode linux allows you to sandbox a collection of linux applications in a most efficient way. Effectively, you can restrict access to anything you like. However, it's still very much a work in progress (not actually getting user-mode linux to run, that is fine, but using it as a secure sandbox is).

    A more realistic alternative in the short term might be subterfugue, which allows you to intercept any system call, and make a configuration file for each program, to see which system calls they are allowed to perform. It is also a lot slower than a uml sandbox would be.

    But both are at the moment probably best described as hackers tools. They are not in any way comparably in convenience to windows application firewalls, but they have functionality that extends them. I'd be interested to hear about anyone with real experience in using any of these (or other tools) for similar purposes.

  7. Use the source, luke by PaddyM · · Score: 3, Funny

    grep -i "access internet" *.src
    Change all these lines to "!access internet"

    1. Re:Use the source, luke by Anonymous Coward · · Score: 0

      for text-only searches, you should use fgrep

  8. You can't not trust apps - use a separate user ID by smcv · · Score: 4, Informative

    (Sorry about the cryptic subject line, there's not space)

    ZoneAlarm's niche doesn't seem to exist on Linux. The assumption is that you just don't run programs you don't trust - if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?) and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.

    Yes, in the Real World(tm) where companies are willing to be extremely unethical but unwilling to actually break the law or suffer the backlash from taking over people's computers, ZoneAlarm has its uses, but you can't really rely on it that heavily.

    iptables on the client doesn't have any specific protection against malicious apps, but you can constrain individual users' network access, and if you're running programs you're that paranoid about, you should probably be using a separate user ID for them anyway. (I keep meaning to set up one or more separate uids for WINEified games).

    Incidentally, I've heard Explorer/Internet Explorer is a bad thing to run under WINE, since it has been known to damage the fake Windows folder WINE uses (that, and it probably uses more undocumented API calls than most third-party Windows apps). Anyone care to confirm or deny this?

  9. Re:You can't not trust apps - use a separate user by mauryisland · · Score: 2, Informative

    The latest Crossover Office from Codeweavers supports IE 5.5. I've been running it for a while with fairly good results, and it doesn't seem to have broken anything in the "fake Windows" folder at all.

  10. use a virtual machine by h4mm3r · · Score: 1

    I run linux at home, but the wife and kids still wanted to use windblows apps. instead of dual booting or running wine i use VMWare. It does have some issues, but if you do get a virus on it, remove the vm folder and reinstall from your back-ups.

  11. iptables ownercmd match by MonMotha · · Score: 3, Interesting

    For apps not running on the linux firewall itself, there's not much you can do as it's just network traffic like any other at this point. Any information regarding the app that generated it is only available from the system which created the traffic. However, creative use of the iptables string match may be useful, as could the queue target to queue the packet to userspace for further analysis.

    For applications running on the box itself, the "ownercmd" module in the patch-o-matic may be useful for matching the name of the process. Unfortunately there is no guarantee that an app just hasn't changed it's process name to fake a more "trusted" app, but the base functionality is there.

    I know this isn't exactly what you were looking for, as it uses iptables, but these are what I see as the options. Others may exist of course.

  12. Re:You can't not trust apps - use a separate user by tengwar · · Score: 1
    The assumption is that you just don't run programs you don't trust

    That's fair enough if you are running a locked-down server, but this is a replacement for my desktop machine - which means I'll have a fair number of programs on it (none which I'll specifically distrust). Zone Alarm turns up some odd stuff even with programs I'd be fairly confident about - for instance its just reported that Netscape 7 has asked to be a server (seems to be something to do with DNS in this case, so it may be innocuous).

    if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?)

    Well I'm sort of assuming I'll exercise reasonable care in not leaving root access that easily available

    and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.

    For my own desktop use, I'm more inclined to go for the ssh approach - accept some limits in security to allow it to be used more situations.

    Using a separate user ID is a good point - I'll just have to make sure it can't read outside it's own area (chroot should do).

  13. overkill? by BenTheDewpendent · · Score: 1

    overkill?
    you already got a hw firewall. and want to police the the network activities of linux?

    Redhat has builtin firewalling to choose what can get accessed from out side. And a few other tools that you can download as well. Lets not forget config files that we can modify so they only listen to specif interfaces (127.0.0.1) etc...

    I know being secuurity minded isn't a bad thing but this seems over the top...

    1. Re:overkill? by tengwar · · Score: 1
      overkill? you already got a hw firewall. and want to police the the network activities of linux?

      No, not overkill. A hardware firewall (and NAT) is almost useless as a defence against something on your system calling out. Also I don't mind trusting Linux per se, but I don't want to place unnecessary trust in applications running under Linux.

  14. Whoa by Cokelee · · Score: 1

    Easier solution:
    Don't use MS products. Don't execute trojans. Don't run an application you don't "trust." Don't accept HTML mail, or don't click on the links.
    If your security is that crucial--that you have to allow your Internet browser ask permission to use the INTERNET, just unplug your network cable.

    Simplicity is nice.

    1. Re:Whoa by tengwar · · Score: 1
      Don't run an application you don't "trust."

      This isn't going to be a server - it's a desktop machine. As such I'll run a fair amount of stuff, some of it for fun, some to get a job done. It's not practical to skry the source, even it it's available: as you know, there have been a few Trojans imbedded in open source software recently which remained hidden for quite some time.

      If your security is that crucial--that you have to allow your Internet browser ask permission to use the INTERNET

      I probably wasn't clear on that. I only use IE for a few sites where I have to use it (yep, I've tried altering the UA string on other browsers). I normally use Opera and Netscape, and allow those free access. Given that IE seems responsible for half the security holes on the net, this doesn't seem overly paranoid!

    2. Re:Whoa by 1101z · · Score: 1
      Don't run an application you don't "trust." This isn't going to be a server - it's a desktop machine. As such I'll run a fair amount of stuff, some of it for fun, some to get a job done. It's not practical to skry the source, even it it's available: as you know, there have been a few Trojans imbedded in open source software recently which remained hidden for quite some time.
      We Get that it is a Desktop Machine, still only run things that you trust. You just use a wider definition of trust. Trust that everything from your distro providers is ok. Use things that apear to be widely used, if you are paronoid do a google search to see if anyone has complained. Google searchs lots of mailing lists.

      Other than that sense you do not want to use iptables on the client where it would be able to do what ZoneAlarm/BlackIce does. You can create a seperate acount to where the app will not be able to mess with things.

      Iptables could be used to block everything to every port and then open the ports for app. that you want to have access.

      --
      One day people will learn the folly of Winbloze, Linux Rules!
  15. Good enough? by cornice · · Score: 3, Interesting
    I don't know how to get what you're after and a number of people have already addressed this with either warnings about this (flawed) method or solutions that are currently being developed but aren't quite ready for "The Desktop". Anyway, I think that you could accomplish enough of this with iptables and some scripts. You could lock down the system except when you need a particular service. Make a few icons on your desktop that open ports when you want to browse or send mail and icons that shut down the system when you're done. (You'll have to weigh the convenience of this against the suid exposure.) You could also have a script that scans the logs for outbound requests and flashes Zone Alarm style warnings at you. There is a nice article
    by Daniel Robbins of Gentto fame over at Developerworks that discusses scripts for dynamic firewalls. The focus is on inbound blocks but it should be easy enough to block outbound as well. You could also use Win4Lin or VMWare for your windows stuff and then you would get another network device which would allow you to at least see what from what OS the request came from.


    Actually what I like best about Zone Alarm is the ability to lock down a system and then peal back the port restrictions as requests are made. It's a great way to make a firewall for those who don't want to deal with iptables (Yea, I'm sure it's flawed from an absolute security perspective but it's better that no firewall). I seem to remember a project similar to this for Linux from a few years ago but I can't remember what it was called...

  16. keep your windows, use terminal service from linux by Anonymous Coward · · Score: 0

    run terminal service on your windows box, then use rdesktop to connect to it. I do this since i need to do development on win32 and the emulators ae not really that good.so Terminal services is eally cool , you will feel at home. :)