Slashdot Mirror


Unix-Based Application Specific Firewalls?

tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"

6 of 29 comments

  1. Systrace by sir99 · Score: 3, Informative
    You could probably hack something together with Systrace. It's a BSD thing, but it looks like they're porting it to Linux as well. There's also Syscalltrack, but it doesn't look as ready yet, and I think it's aimed at Linux 2.5.x.

    I've thought of making something like ZoneAlarm on Linux myself, but felt it was more of a novelty than something useful, since I find my applications pretty trustworthy as it is.

    --
    The ocean parts and the meteors come down
    Laid out in amber, baby.
  2. iptables can do some by ctr2sprt · Score: 5, Informative
    iptables can do some of what you want, but not all. Still, it may get you close enough to get by (at least until you find a better option). There is an iptables module called "owner" that lets you perform various tests on the owner of a packet, including its "owning command" (creator process) if the kernel supports it. This still doesn't interactively query if you want to pass a connection, but at least you can hardcode in your basic rules:

    # iptables -A OUTPUT -p tcp -m owner --cmd-owner outlook ! --dport 25 -m state --state NEW -j REJECT
    It's possible that someone has used that functionality, along with userspace iptables packet queueing, to do exactly what you want, but I haven't heard of it.
    1. Re:iptables can do some by cowbutt · Score: 5, Informative
      You could also chown root.outlook the outlook binary, then use iptables' --gid-owner to apply rules to any process spawned by that binary.

      Also nice for proxies and network daemons too.

  3. Unfortunately, no... by joto · Score: 4, Informative
    However, there exist some alternatives. User-mode linux allows you to sandbox a collection of linux applications in a most efficient way. Effectively, you can restrict access to anything you like. However, it's still very much a work in progress (not actually getting user-mode linux to run, that is fine, but using it as a secure sandbox is).

    A more realistic alternative in the short term might be subterfugue, which allows you to intercept any system call, and make a configuration file for each program, to see which system calls they are allowed to perform. It is also a lot slower than a uml sandbox would be.

    But both are at the moment probably best described as hackers' tools. They are not in any way comparable in convenience to Windows application firewalls, but they have functionality that extends them. I'd be interested to hear about anyone with real experience in using any of these (or other tools) for similar purposes.

  4. You can't not trust apps - use a separate user ID by smcv · Score: 4, Informative

    (Sorry about the cryptic subject line, there's not space)

    ZoneAlarm's niche doesn't seem to exist on Linux. The assumption is that you just don't run programs you don't trust - if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?) and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.

    Yes, in the Real World(tm) where companies are willing to be extremely unethical but unwilling to actually break the law or suffer the backlash from taking over people's computers, ZoneAlarm has its uses, but you can't really rely on it that heavily.

    iptables on the client doesn't have any specific protection against malicious apps, but you can constrain individual users' network access, and if you're running programs you're that paranoid about, you should probably be using a separate user ID for them anyway. (I keep meaning to set up one or more separate uids for WINEified games).

    Incidentally, I've heard Explorer/Internet Explorer is a bad thing to run under WINE, since it has been known to damage the fake Windows folder WINE uses (that, and it probably uses more undocumented API calls than most third-party Windows apps). Anyone care to confirm or deny this?
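
    Putting comments 2 and 4 together, as an added example that none of the commenters posted: the --cmd-owner test that comment 2 relies on was dropped from the kernel's owner match in 2.6.14 (together with --pid-owner and --sid-owner), so the portable form of the same idea is to give the program its own account and match its uid in the OUTPUT chain. The account name wine-outlook, the LAN prefix 192.168.1.0/24 and the mail server 192.168.1.10 are hypothetical placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread (not posted by any commenter): per-application
# egress policy on Linux from a dedicated uid plus the iptables "owner" match.
# Hypothetical values: account wine-outlook, LAN 192.168.1.0/24, mail host
# 192.168.1.10. Everything is printed first so the policy can be reviewed.

# Print (do not run) the rules for one sandbox account.
#   emit_rules USER POLICY LAN_CIDR MAIL_HOST
# POLICY is one of:
#   none  - loopback only (the "no network access at all" case)
#   lan   - loopback plus the LAN prefix
#   mail  - loopback plus one host on tcp/25 and tcp/143, i.e. Outlook may talk
#           to the mail server but cannot fetch remote content from a message
emit_rules() {
    user="$1" policy="$2" lan="$3" host="$4"
    chain="egress-$user"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Every packet generated by this uid is diverted into its own chain.
    # The -D first makes re-running the script idempotent.
    echo "iptables -D OUTPUT -m owner --uid-owner $user -j $chain 2>/dev/null || true"
    echo "iptables -I OUTPUT -m owner --uid-owner $user -j $chain"
    echo "iptables -A $chain -o lo -j ACCEPT"
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$policy" in
        none) ;;
        lan)  echo "iptables -A $chain -d $lan -m state --state NEW -j ACCEPT" ;;
        mail) echo "iptables -A $chain -p tcp -d $host -m multiport --dports 25,143 -m state --state NEW -j ACCEPT" ;;
        *)    echo "emit_rules: unknown policy '$policy'" >&2; return 1 ;;
    esac
    # Log (rate-limited) before rejecting: this is the stand-in for ZoneAlarm's
    # prompt, showing what a newly installed program tried to reach.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain: \""
    echo "iptables -A $chain -j REJECT"
}

# Apply the printed policy (must be root). Same arguments as emit_rules.
apply_rules() {
    emit_rules "$@" | sh -e
}

# Start a program as the sandbox account so its sockets carry that uid.
#   run_sandboxed wine-outlook wine outlook.exe
run_sandboxed() {
    user="$1"; shift
    sudo -u "$user" -H "$@"
}
```

    emit_rules prints the policy so it can be read (or diffed against the last version) before apply_rules runs it as root, and run_sandboxed starts the program under the account; the account is created once with useradd and must have no sudo or firewall-config rights, or, as comment 4 notes, the sandboxed program can simply undo the rules. What this does not give you is ZoneAlarm's per-connection prompt: the decision is hardcoded, and the LOG rule is the substitute for the dialog.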

  5. Re:You can't not trust apps - use a separate user by mauryisland · Score: 2, Informative

    The latest Crossover Office from Codeweavers supports IE 5.5. I've been running it for a while with fairly good results, and it doesn't seem to have broken anything in the "fake Windows" folder at all.