Unix-Based Application Specific Firewalls?
tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"
"... Microsoft software and other trojans..."
Well, not trojans, just dependency: Windows XP Shows the Direction Microsoft is Going.
I'm sure if you were really interested, you could create another module that would pop up a window to prompt you if you wanted to allow the traffic through.
Just stick a rule with it at the end of your OUTPUT chain. It would catch all new application traffic and you could use that to set up new rules to be inserted above this rule.
-- DrZaius - Minister of Sciences and Protector of the Faith
For apps not running on the linux firewall itself, there's not much you can do as it's just network traffic like any other at this point. Any information regarding the app that generated it is only available from the system which created the traffic. However, creative use of the iptables string match may be useful, as could the queue target to queue the packet to userspace for further analysis.
For applications running on the box itself, the "ownercmd" module in the patch-o-matic may be useful for matching the name of the process. Unfortunately there is no guarantee that an app just hasn't changed its process name to fake a more "trusted" app, but the base functionality is there.
I know this isn't exactly what you were looking for, as it uses iptables, but these are what I see as the options. Others may exist of course.
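As an added example (not from the thread or any of its posters), here is how the restrictions described in the question can be expressed with the iptables `owner` match, the mainline counterpart of the patch-o-matic matches mentioned above: it keys on the uid of the socket's owner rather than the process name, so each restricted application is run under its own dedicated account. The chain name `APPOUT`, the accounts `outlook` and `ie`, and all addresses are constructed for the example.

```shell
#!/bin/sh
# Per-application outbound filtering with the iptables "owner" match.
# Matching on the socket owner's uid cannot be faked by renaming a process;
# it only requires each restricted app to run under its own account, e.g.
#   sudo -u outlook wine outlook.exe
# Constructed sample values; adjust to your own network and accounts.
LAN_NET="192.168.1.0/24"     # assumed local network
MAIL_SERVER="192.168.1.25"   # assumed local mail server
OUTLOOK_UID="outlook"        # assumed account that runs Outlook under Wine/Crossover
IE_UID="ie"                  # assumed account that runs Internet Explorer
BANK_HOST="203.0.113.10"     # placeholder for the bank's address (TEST-NET-3)

# Emit the rule set as iptables commands (dry run). Pipe into sh as root to apply.
build_rules() {
    cat <<EOF
iptables -N APPOUT 2>/dev/null || true
iptables -F APPOUT
# loopback and replies to established connections are always fine
iptables -A APPOUT -o lo -j ACCEPT
iptables -A APPOUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outlook: only the local mail server (SMTP/IMAP), so HTML mail cannot fetch remote content
iptables -A APPOUT -m owner --uid-owner ${OUTLOOK_UID} -d ${MAIL_SERVER} -p tcp -m multiport --dports 25,143,993 -j ACCEPT
iptables -A APPOUT -m owner --uid-owner ${OUTLOOK_UID} -j REJECT
# Internet Explorer: only the bank, over HTTPS
iptables -A APPOUT -m owner --uid-owner ${IE_UID} -d ${BANK_HOST} -p tcp --dport 443 -j ACCEPT
iptables -A APPOUT -m owner --uid-owner ${IE_UID} -j REJECT
# Everything else may reach the LAN; unknown Internet-bound connections are logged
# (with the owning uid) and dropped. That LOG rule is the "catch-all at the end of
# OUTPUT": read the log, then insert a specific ACCEPT above it.
iptables -A APPOUT -d ${LAN_NET} -j ACCEPT
iptables -A APPOUT -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "APPOUT-NEW: " --log-uid
iptables -A APPOUT -j DROP
# hook the chain into OUTPUT once
iptables -C OUTPUT -j APPOUT 2>/dev/null || iptables -I OUTPUT 1 -j APPOUT
EOF
}

# Sanity check before applying: how many rules carry a per-application owner match.
count_owner_rules() {
    build_rules | grep -c -- '-m owner'
}

# Apply the generated rules; requires root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    build_rules | sh -e
}
```

Run `build_rules` first to review the generated commands, then `apply_rules` as root; the `-C` check keeps the chain from being hooked into OUTPUT twice on re-runs.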
by Daniel Robbins of Gentoo fame over at Developerworks that discusses scripts for dynamic firewalls. The focus is on inbound blocks but it should be easy enough to block outbound as well. You could also use Win4Lin or VMWare for your windows stuff and then you would get another network device which would allow you to at least see from what OS the request came.
Actually what I like best about Zone Alarm is the ability to lock down a system and then peel back the port restrictions as requests are made. It's a great way to make a firewall for those who don't want to deal with iptables (Yea, I'm sure it's flawed from an absolute security perspective but it's better than no firewall). I seem to remember a project similar to this for Linux from a few years ago but I can't remember what it was called...