Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unix-Based Application Specific Firewalls?

Posted by Cliff on from the which-would-you-recommend dept.

tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"

13 of 29 comments (clear)

  1. ZoneAlarm by karnal · · Score: 2

    I'm not too familiar with ZoneAlarm, but couldn't you use that as part of your "security" solution?

    You said you have the hardware firewall/NAT solution -- well, you've probably multiple boxes on the network. Why not make one of those the "zonealarm" passthru box, and control all packets in and out through there? (afterwhich, you could place the hardware firewall to protect this box....) Seems like the easiest solution to me.

    And yes, I know, some people probably don't have the spare hardware to do this.....

    --
    Karnal
  2. Unless you just really want IE... by MrEfficient · · Score: 3, Insightful
    If your bank's website won't work in Mozilla, then try Konqueror. You'll have to tell Konq to identify itself as IE on Windows for that particular website. I do this for capitalone.com which won't allow access from Mozilla.

    --
    Check out AbiWord.
  3. Systrace by sir99 · · Score: 3, Informative
    You could probably hack something together with Systrace. It's a BSD thing, but it looks like they're porting it to Linux as well. There's also Syscalltrack, but it doesn't look as ready yet, and I think it's aimed at Linux 2.5.x.

    I've thought of making something like ZoneAlarm on Linux myself, but felt it was more of a novelty than something useful, since I find my applications pretty trustworthy as it is.

    --
    The ocean parts and the meteors come down
    Laid out in amber, baby.
  4. iptables can do some by ctr2sprt · · Score: 5, Informative
    iptables can do some of what you want, but not all. Still, it may get you close enough to get by (at least until you find a better option). There is an iptables module called "owner" that lets you perform various tests on the owner of a packet, including its "owning command" (creator process) if the kernel supports it. This still doesn't interactively query if you want to pass a connection, but at least you can hardcode in your basic rules:

    # iptables -A OUTPUT -m owner --cmd-owner outlook ! --dport 25 -m state --state NEW -j REJECT
    It's possible that someone has used that functionality, along with userspace iptables packet queueing, to do exactly what you want, but I haven't heard of it.
    1. Re:iptables can do some by DrZaius · · Score: 2, Interesting
      This is the way to do it. IPTables is a very powerful tool.

      I'm sure if you were really interested, you could create another module that would pop up a window to prompt you if you wanted to allow the traffic through.

      Just stick a rule with it at the end of your OUTPUT chain. It would catch all new application traffic and you could use that to set up new rules to be inserted above this rule.

      --
      -- DrZaius - Minister of Sciences and Protector of the Faith
    2. Re:iptables can do some by cowbutt · · Score: 5, Informative
      You could also chown root.outlook the outlook binary, then use iptables' --gid-owner to apply rules to any process spawned by that binary.

      Also nice for proxies and network daemons too.

      --

  5. "... Microsoft software and other trojans..." by Futurepower(R) · · Score: 3, Interesting


    "... Microsoft software and other trojans..."

    Well, not trojans, just dependency: Windows XP Shows the Direction Microsoft is Going..

  6. Unfortunately, no... by joto · · Score: 4, Informative
    However, there exist some alternatives. User-mode linux allows you to sandbox a collection of linux applications in a most efficient way. Effectively, you can restrict access to anything you like. However, it's still very much a work in progress (not actually getting user-mode linux to run, that is fine, but using it as a secure sandbox is).

    A more realistic alternative in the short term might be subterfugue, which allows you to intercept any system call, and make a configuration file for each program, to see which system calls they are allowed to perform. It is also a lot slower than a uml sandbox would be.

    But both are at the moment probably best described as hackers tools. They are not in any way comparably in convenience to windows application firewalls, but they have functionality that extends them. I'd be interested to hear about anyone with real experience in using any of these (or other tools) for similar purposes.

  7. Use the source, luke by PaddyM · · Score: 3, Funny

    grep -i "access internet" *.src
    Change all these lines to "!access internet"

  8. You can't not trust apps - use a separate user ID by smcv · · Score: 4, Informative

    (Sorry about the cryptic subject line, there's not space)

    ZoneAlarm's niche doesn't seem to exist on Linux. The assumption is that you just don't run programs you don't trust - if you have firewall-config access, a sufficiently malicious program can always reconfigure it anyway (feeding keystrokes to your logged-in-as-root terminal? inserting a trojaned su or sudo binary into your $PATH?) and presumably the idea is that if a solution is fundamentally flawed, it's not worth implementing in the first place.

    Yes, in the Real World(tm) where companies are willing to be extremely unethical but unwilling to actually break the law or suffer the backlash from taking over people's computers, ZoneAlarm has its uses, but you can't really rely on it that heavily.

    iptables on the client doesn't have any specific protection against malicious apps, but you can constrain individual users' network access, and if you're running programs you're that paranoid about, you should probably be using a separate user ID for them anyway. (I keep meaning to set up one or more separate uids for WINEified games).

    Incidentally, I've heard Explorer/Internet Explorer is a bad thing to run under WINE, since it has been known to damage the fake Windows folder WINE uses (that, and it probably uses more undocumented API calls than most third-party Windows apps). Anyone care to confirm or deny this?

  9. Re:You can't not trust apps - use a separate user by mauryisland · · Score: 2, Informative

    The latest Crossover Office from Codeweavers supports IE 5.5. I've been running it for a while with fairly good results, and it doesn't seem to have broken anything in the "fake Windows" folder at all.

  10. iptables ownercmd match by MonMotha · · Score: 3, Interesting

    For apps not running on the linux firewall itself, there's not much you can do as it's just network traffic like any other at this point. Any information regarding the app that generated it is only available from the system which created the traffic. However, creative use of the iptables string match may be useful, as could the queue target to queue the packet to userspace for further analysis.

    For applications running on the box itself, the "ownercmd" module in the patch-o-matic may be useful for matching the name of the process. Unfortunately there is no guarantee that an app just hasn't changed it's process name to fake a more "trusted" app, but the base functionality is there.

    I know this isn't exactly what you were looking for, as it uses iptables, but these are what I see as the options. Others may exist of course.

  11. Good enough? by cornice · · Score: 3, Interesting
    I don't know how to get what you're after and a number of people have already addressed this with either warnings about this (flawed) method or solutions that are currently being developed but aren't quite ready for "The Desktop". Anyway, I think that you could accomplish enough of this with iptables and some scripts. You could lock down the system except when you need a particular service. Make a few icons on your desktop that open ports when you want to browse or send mail and icons that shut down the system when you're done. (You'll have to weigh the convenience of this against the suid exposure.) You could also have a script that scans the logs for outbound requests and flashes Zone Alarm style warnings at you. There is a nice article
    by Daniel Robbins of Gentto fame over at Developerworks that discusses scripts for dynamic firewalls. The focus is on inbound blocks but it should be easy enough to block outbound as well. You could also use Win4Lin or VMWare for your windows stuff and then you would get another network device which would allow you to at least see what from what OS the request came from.


    Actually what I like best about Zone Alarm is the ability to lock down a system and then peal back the port restrictions as requests are made. It's a great way to make a firewall for those who don't want to deal with iptables (Yea, I'm sure it's flawed from an absolute security perspective but it's better that no firewall). I seem to remember a project similar to this for Linux from a few years ago but I can't remember what it was called...