Welcome to the Linux Foundation Forum!

firewalled applications

Hello I have a simple question that im sure will require a complicated answer. This relates to the way, in which the windows firewall alerts you, and allows you the choice of blocking if applications access the Internet or not. In other words a windows firewall creates firewall rules for the programs themselves. I am aware however, of the security method Linux uses, that is Linux allows you to create firewall rules for ports instead of individual applications. For example if I have HTTP and HTTPS enabled any program will be allowed access to the Internet over those ports.

I want to block individual applications however, such as wine. Because Windows programs contact home I would like to block Internet access to wine all together. Also it would be nice to be alerted when

an application attempts to connect to the Internet and I would like the choice of whether to block it or not. Please let me know if there is a firewall program capable of this with Linux. If not then I suggest that one is created promptly because this situation is ridiculous.

Even in a fairy tail world were no applications communicate maliciously with the Internet in Linux I would still like control over the situation instead of just blocking a port in an arbitrary attempt to block a program. I want to know whats connecting to the Internet and what isn't, I would like such a program to be as simple to use as possible so more windows users will feel safer when switching to Linux.

Comments

  • Goineasy9
    Goineasy9 Posts: 1,114
    Wine doesn't access the internet, the windows programs your running under wine are doing the communicating. In fact, I don't believe that Wine has anything to do with networking at all, it's just acts as a layer between the program and Linux to redirect system commands.
    I'm also not aware of any Open Source programs that access the internet or call home that don't have the option of working offline. I know of some Open Source apps that explicitly ask if you would like to contribute information to help their ongoing projects, but they allow you to opt in or out at any time.
    The problems you are having with Microsoft programs are unique to closed source proprietary software. They want you to have legitimate copies, and, want you to keep paying for their use. I know of no instances where Open Source software needs these methods enabled.
    If you download Open Source software from trusted sources, like your distros repos, it's unlikely that your going to install an app that contains malicious code. Even then, the security structure of Linux prevents said code from affecting your operating system unless you personally give it the permission to do so.
    I feel 100% safer using Open Source and Linux than I ever did using Windows, then again, I don't run Windows apps, so I don't need to feel insecure.
    If you would like to run those apps securely, run Windows in a virtual environment (Virtualbox for example), install those apps you need directly into Windows, then cut off the virtual networking bridge that is used to access the network. I know programmers that need to test how their apps look in Internet Explorer, and they use Windows running in Virtualbox to do their testing. They don't feel safe unless it's segregated by using a virtual environment.
  • Well yes, I didn't explain myself clearly. I understand wine itself does not contact the Internet, and I do understand that most open source programs can be trusted when you get them from the repositories, and I also understand the capabilities and possible use of virtual machines and that I can disable its networking ablilitys. However in order to run a have a legal version of windows inside a virtual machine you must of course pay for it.

    Im not going to give any money to Microsoft, and im also not going to lose my self respect by having to steal either. I guess my real question is I would like a program for Ubuntu 9.10 Linux that alerts me when ANY piece of application and even system software attempts to access some remote node. I know that programs running in Linux do not have control over the entire operating system as they do in windows, I also understand that my privacy could still be compromised by simple programs such as key loggers so go figure.

    I would like to run programs in wine without having to worry about my security and other various things I would not want to “have” to use a virtual machine with some version of windows I would have to pay for. Why do I have to pay for windows just to run a windows executable securely? Shouldn't Linux handle such an easy task as blocking programs just being about to access the Internet without question? If Linux is truly free, we should be allowed to have such a firewall on our computer if we want one?

    I joined Linux because I thought it provided more then Windows, but the firewall programs and stuff seem very simple in Linux. Almost too simple. The reason for most of my complaining relates to when I used the leak tester on www.grc.com
    when I ran this program, it had no problem bypassing the "firewall" and connecting to the internet. I believe it used port 80
    (HTTP) however it is unrealistic to block this port, so I would like to be able to just block a programs attempt itself instead of trying to flip through a bunch of ports. Im not going to say Linux is secure intill I can control everything, and nothing is left up to the operating system to do things behind my back.
  • mfillpot
    mfillpot Posts: 2,177
    To my knowledge there is nothing with a similar application blocking mechanism. The primary reasons for the lack of results are that you must be the administrator to change the firewall, running a service that continuously monitors all attempted connections and modifies the firewall would use unnecessary resources. In addition to that the role of a user on Linux based systems is to only be the user, they should not be concerned about the administration and security, that should be taken care of by the administrator, by taking on the task of firewall modification you then enter the realm of administrator in which there is a lot of potential, but also a lot of research.

    Also as per some of my past reading the Ubuntu network monitor does not work well with firewalls, firewalls and made to limit connectivity which the network manager is make to guarantee complete connectivity.

    However it would be possible to write a comparable script to make that possible, I wouldn't use it personally because I can easily track all of my ports, but never the less it is possible. If you can tell us what application you are attempting to use so I can give you a quick command to modify the firewall rather than developing a while process.

    If you wish to only modify the firewall through whatever firewall app you have installed you can use the output of "lsof -i" to view the applications and associated ports they are using to connect to network services and just block the ports that you do not want used, but you must also keep in mind that the app(s) may be programmed to use whatever port is available to connect to the outside network.
  • I must be sounding like a real pain right now. But that last part you said; "but you must also keep in mind that the app(s) may be programmed to use whatever port is available to connect to the outside network." Is exactly why I feel we should be able to block the individual applications instead of just the ports. I am BTW the administrator of the system which is why I feel I should know these things.

    But w/e, im using firestarter for Ubuntu 9.10 how do I use firestarter to its best use? Also I guess I will have to develop my own program to monitor applications that attempt to access the Internet seeing as how one doesn't exist. I guess I feel that the resources such a program would use are necessary for the greater security of the system, we can see the same principle used in Windows; Windows has so many flaws (such as susceptibility to viruses) that programs that use a lot of resources such as anti-virus are developed to contribute to the greater overall security. I guess the answer to my question was application blocking features don't exist in Linux or at least you guys don't know about them, so I guess my next objective is to ask what should I do for best security configuration using firewall?

    What is iptables and how can I use them? And last but not least, is there a complicated way to manually prevent a program from accessing the Internet besides blocking the port it uses? Thanks for telling me about lsof -i its very useful. My last question is how do you think I should go about creating a program that monitors and blocks applications? How exactly does a windows firewall create application rules?
  • mfillpot
    mfillpot Posts: 2,177
    With Linux based systems all installed programs should have been tested and approved by the administrators and due to stateful packet filtering (allowing only response packets from established communications), we don't worry about bothering the users about each connection since the only ways to compromise them would be by being the intended recipient of communication or through an advanced man-in-the-middle attack. The user-space security has been refined to a level where individual program communications do not need to be monitored by the users.

    I personally do not use any GUI firewall interface applications, I write firewall scripts directly to iptables. iptables is a stateful firewall that is built right into the kernel so that packet filtering is done in the first few layers of the system rather than having the packets travel all of the to the application layer before they are reviewed. This method eliminates some risks in the system and application layers and also speeds up the filtering process, which is why standard network communications seem faster on a Linux based Operating System. For information about using the firestarter GUI you would be best to read their manuals, by what I just looked up on the site that GUI is impressive and allows a lot of functionality, but it cannot replace a good handwritten firewall script.

    To create a program or script to do what you want the following steps will help you to get a direction:[ol][li]default your firewall to block all outbound communications (however you will probably want to leave and opening for dhcp calls)[/li][li]Have one text file to log approved applications, listing approved and blocked apps[/li][li]Have one text file to log the pre-approved ports, listing approved and blocked ports[/li][li]setup a script to actively watch the output of "lsof -i" for applications and ports that have not been defined in your files on the same script have to automatically modify your firewall rules and restart the firewall if a port is opened by an approved application.[/li][li]In the same script setup a function that calls to a GUI when an unapproved application is detected trying to call out, have it give you the option to approve or deny the actions, then have the resulting actions written to the text files with the modified firewall script being reloaded[/li][/ol]

    These steps would be necessary to track and prompt for each revision, additionally you would have to find a way to guarantee security on your system against other things modifying the rules and find a secure way to allow the user actions to be run with root rights.

    With the processes in place and the trust in administrative actions the security is quite robust, as with most things you do not want to have the system prompt for every little communication or the administrator would never rest. I believe in the current security model because it maintains security while reducing administrative actions. I hope that while you were reading my steps you were thinking that that functionality is too repetitive for efficient administration when the administrator already approved the application to function on the system.

    As for the actions that the windows firewall rules take, I do not have much knowledge in the deep process, just the deficiencies in outside protection, but my guess is that most likely they have a networking process that is separate from the application processes and their firewall acts as a bridge between the two processes restricting not the network traffic, but the ability for an application to talk to the networking process. That seems to be the best way to attack that task, but again I think it would add an necessary separation of functions from the kernel that add unnecessarily complicated communications and negatively effects the performance of the system and the applications running on it.

    Now since all of this has been presented, I would like to know what type of program you are wanting to run that you find it necessary to restrict it's communications.
  • mfillpot
    mfillpot Posts: 2,177
    I forgot about this, since your firewall GUI gives good information you can use it to block that app. Run the app once, when you see some type of communication you can write down the destination address, then modify the firewall to block all outbound communications to that destination address. This should work providing that the application does not have too many fall-back destinations built in.
  • Wow, thanks mfillpot you told me exactly what I needed to know. As for the application it was just a leak test that attempts to contact the Internet on port 80 ( its also a windows executable ) but I think I understand know what your saying. From the sounds of it, Linux is more secure and efficient then Windows. I think this thread will clear up my question for any future users quite nicely. Thanks :)
  • mfillpot
    mfillpot Posts: 2,177
    I am not saying that it is necessarily more secure, but as with any system it can only be as secure as the administrator can make it. In my opinion the structure of Linux and Unix based systems have the best potential for higher security, the closed source nature of Windows and Mac leave more questions than answers and I don't think you can confirm or claim heightened security unless you know exactly what your system is doing.

Categories

Upcoming Training