Thread ID: 87310 2008-02-16 07:35:00 Linux firewall which blocks applications Lorcan (12618) Press F1
Post ID Timestamp Content User
640897 2008-02-16 07:35:00 Hi,

With Linux, is there such a thing as a firewall which blocks stuff on an application basis? You know with Windows you get all your various firewalls which can block any application on there from sending and receiving from the internet. Is there a solution for this in Linux? I know there are lots of IPTables based firewalls in Linux, but to be honest you might open up rules on your IPTables and practically any application or service/daemon you've got running can connect to the internet using those ports you've opened if they can't by default.
Lorcan (12618)
640898 2008-02-16 07:45:00 SELinux & AppArmor can both do this. Use of them is not for the faint of heart.

What exactly are you trying to achieve? The reason such firewalls exist in the Windows world is because there are so many potential nasties that attempt to contact the outside world by any means possible. With Linux apps, you can usually trust that it will do what the manual says it will do.
Erayd (23)
640899 2008-02-16 07:53:00 Yes you sort of can in that it is open-source. But who has time to read through all the source code and be able to prove without a doubt that it's not doing something untoward? Also the Linux distros and RPMs etc you download are already pre-compiled so it's not impossible for the developer to add some extra code in before it's compiled and release it.

Way I see it you've got two options:
a) Read through all the source code and understand what it is all doing so you know nothing untoward is happening. Then compile it all from scratch and make yourself a new distro.
b) Install an application firewall and block anything you don't want from connecting out.

Anyway, was just wondering if there was something out there. Not going to become paranoid and install it. ;)
Lorcan (12618)
640900 2008-02-16 08:23:00 Yes you sort of can in that it is open-source. But who has time to read through all the source code and be able to prove without a doubt that it's not doing something untoward? Also the Linux distros and RPMs etc you download are already pre-compiled so it's not impossible for the developer to add some extra code in before it's compiled and release it.

Way I see it you've got two options:
a) Read through all the source code and understand what it is all doing so you know nothing untoward is happening. Then compile it all from scratch and make yourself a new distro.
b) Install an application firewall and block anything you don't want from connecting out.

Anyway, was just wondering if there was something out there. Not going to become paranoid and install it. ;)

Whoa, paranoid! Generally speaking it's safe to trust the distro maintainers who compile and release the packages in the first place - by the time the app makes it to your desktop, the source has already been scrutinised by several people who know what they are doing.

To extrapolate your point one step further, how can you trust the developers of Windows or of your application-level Windows firewall not to be doing something dodgy?

Remember that you don't actually need to see the source of an app to see what it's doing network-wise. Have a look at the 'netstat' command - it's a brilliant tool for figuring out what is connecting to what on a Linux/Unix system. Windows also has a netstat command, but it's rather crippled.
Erayd (23)
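
Added example, not part of any post in this thread: the netstat approach mentioned above, turned into a per-program audit. It reads `netstat -tnp` output and lists established TCP connections whose owning program is not on an allowlist; the sample output, program names and allowlist are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output (documentation IP ranges,
# not captured from a real host). On a live system run netstat as root,
# otherwise sockets owned by other users show "-" in the last column.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:51234        198.51.100.20:443       ESTABLISHED 2345/firefox
tcp        0      0 192.0.2.10:51240        198.51.100.21:443       ESTABLISHED 2345/firefox
tcp        0      0 192.0.2.10:40112        203.0.113.7:6667        ESTABLISHED 3120/updater
tcp        0      0 192.0.2.10:22           192.0.2.5:50022         ESTABLISHED 1100/sshd
tcp        0      0 192.0.2.10:40200        203.0.113.9:80          TIME_WAIT   -
EOF
}

# stdin: netstat -tnp output.
# stdout: one "program remote_ip:port" line per established TCP connection.
connections_by_program() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        prog = $7
        sub(/^[0-9]+\//, "", prog)   # drop "PID/", keep the program name
        print prog, $5
    }' | sort -u
}

# stdin: netstat -tnp output; $1: space-separated allowlist of program names.
# stdout: connections owned by programs that are not on the allowlist.
unexpected_programs() {
    connections_by_program | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print }'
}

# Stand-alone run against the constructed sample.
sample_netstat | unexpected_programs "firefox sshd"
```

On a live host, replace `sample_netstat` with `netstat -tnp` in the last line.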
640901 2008-02-16 08:43:00 Remember that you don't actually need to see the source of an app to see what it's doing network-wise. Have a look at the 'netstat' command - it's a brilliant tool for figuring out what is connecting to what on a Linux/Unix system. Windows also has a netstat command, but it's rather crippled.
Yeah or Wireshark is good for Windows.


Whoa, paranoid! Generally speaking it's safe to trust the distro maintainers who compile and release the packages in the first place - by the time the app makes it to your desktop, the source has already been scrutinised by several people who know what they are doing.

To extrapolate your point one step further, how can you trust the developers of Windows or of your application-level Windows firewall not to be doing something dodgy?
You can't trust Windows or any closed-source software built for it. You know there's always developers that love to build back-doors in their software. In fact I know a few who work for reputable software companies that do it.

Anyway, if I was head of the NSA, CIA or FBI, it would be my strategic objective to get some code into the Windows and Linux operating systems. I mean a keystroke logger or ability to remote into any computer system could be very handy to such an organisation. In fact it's probably in there right now. Whether it got in there through extortion, bribery, or getting multiple developers to work on those projects, you'd never know. It would be so easy to hide some malicious code amidst the millions of lines of other code. Obfuscated code isn't hard to create.

And you'll inevitably say I'm paranoid... no I'm just a realist.
Lorcan (12618)
640902 2008-02-16 08:55:00 If that is not paranoid I don't know what is...

I suggest you remove the network cable from your PC and then disconnect your modem and discontinue your internet plan, that way nobody will be able to get into your PC...

Just my :2cents:
The_End_Of_Reality (334)
640903 2008-02-16 10:08:00 If that is not paranoid I don't know what is...

I suggest you remove the network cable from your PC and then disconnect your modem and discontinue your internet plan, that way nobody will be able to get into your PC...

Just my :2cents:

You forgot the tinfoil over the windows and in the room and of course the obligatory that.
beeswax34 (63)
640904 2008-02-16 17:36:00 You forgot the tinfoil over the windows and in the room and of course the obligatory that. :horrified

What can I say... :groan: I forgot...
The_End_Of_Reality (334)
640905 2008-02-16 23:01:00 Have found guarddog is very easy to set up. I use it with both PCLinuxOS and Klikit. There is an excellent guide on how to set it up. It is too long since I looked at it - I just carry the settings around in my head each time I need to set it up.

Another firewall that is popular with Linux users is Firestarter although I have never used it.

Jim
Hhel (8073)
640906 2008-02-17 00:08:00 Have found guarddog is very easy to set up. I use it with both PCLinuxOS and Klikit. There is an excellent guide on how to set it up. It is too long since I looked at it - I just carry the settings around in my head each time I need to set it up.

Another firewall that is popular with Linux users is Firestarter although I have never used it.

Jim

Neither of these are application-level firewalls, they're simply a nice GUI interface to iptables (and as such, they block IPs/ports/protocols, not applications).
Erayd (23)