Does Mandriva 2006 have firewall like Zone Alarm?


Guest tekwar

The single biggest thing keeping me from converting to Linux is the lack of an interactive firewall like Zone Alarm that will detect outgoing programs and ask for permission to connect to the Internet. I'm not interested in IP chains or rules, and I must have control of programs trying to connect to the web.

 

Thanks

 

Tekwar

 

[moved from Software by spinynorman - welcome aboard :)]


It has, though the core is still iptables or netfilter. Look for Guarddog or Firestarter, or check this post:

https://mandrivausers.org/index.php?showtop...262&hl=guarddog

 

 

Does it? Can you block outgoing traffic on a per-application basis?

That's really what most Windows software firewalls are useful for: you let application A access HTTP on the internet on port 80, but you don't let application B have access to an external HTTP server.

With iptables you can block access to port 80 altogether, but then Firefox won't work anymore.

 

This is a pretty big security risk the Linux community has been ignoring or pretending isn't there. It's OK as long as you use "safe computing practices", but we all know people don't do that.

 

How do you know that Nvidia driver you're downloading from Nvidia doesn't email Nvidia information about which kernel you're running or which Nvidia card you're using?

 

How about this cool software that you built from sources you don't understand because you're not a programmer?

 

How about that Linux game you downloaded from BitTorrent?

Check out the thread about how much people ignore bad rpm signatures to see how some pretty knowledgeable people can leave their guard down when it comes to getting potential malware.

Edited by papaschtroumpf

The only linux firewall product I have used is GuardDog, and with regard to this program papaschtroumpf is correct. GuardDog is limited in that it does not allow the blockage of specific programs.

 

Sometimes I miss the capabilities offered by the Kerio 2.1.5 firewall on my MS W2K box.


Does it? Can you block outgoing traffic on a per-application basis?

That's really what most Windows software firewalls are useful for: you let application A access HTTP on the internet on port 80, but you don't let application B have access to an external HTTP server.

With iptables you can block access to port 80 altogether, but then Firefox won't work anymore.

 

Well, it's not Windows now, it's Linux. That is why we have users and root, and you don't use your Linux desktop as root; that's why it's recommended to run as a regular user, so it won't be able to harm your system. Unlike Windows, where you're always logging on to your desktop as root, unless you know what you are doing.

About blocking port 80: in Windows, yes, it can block a particular application from accessing port 80, while with iptables... well, you only need to block port 80 (incoming) on your Linux box if you have a web server running on it and you don't want outsiders to access it.

Actually, you can manually edit your iptables or Shorewall rules to do per-port blocking, and you don't need to be a programmer to do it, as long as you take some time to read the man page or visit its main website for some useful info.

 

This is a pretty big security risk the Linux community has been ignoring or pretending isn't there. It's OK as long as you use "safe computing practices", but we all know people don't do that.

That's not the fault of Linux.

 

How do you know that Nvidia driver you're downloading from Nvidia doesn't email Nvidia information about which kernel you're running or which Nvidia card you're using?

I don't know how that would happen unless you have an MTA (sendmail/postfix) running on your Linux box, but you have the option to disable that. Running $ netstat -an | grep tcp will show you all TCP ports listening on your machine. If you have port 80 open, then you have a web server running; port 25 is for SMTP...

 

How about this cool software that you built from sources you don't understand because you're not a programmer?

Almost all open source software has a README or even a forum.

 

How about that Linux game you downloaded from BitTorrent?

Is it an open source game or not? If not, and you are not sure about it, then don't download it; avoid installing pirated software on Linux.

 

Check out the thread about how much people ignore bad rpm signatures to see how some pretty knowledgeable people can leave their guard down when it comes to getting potential malware.

As I've said, it's not the fault of Linux.

Edited by aioshin

aioshin, this is not an attack on you, but your answers exemplify what's wrong with the Linux attitude towards security today, and why Linux is in trouble as a "general public OS" unless that attitude changes.

 

Well, it's not Windows now, it's Linux. That is why we have users and root, and you don't use your Linux desktop as root; that's why it's recommended to run as a regular user, so it won't be able to harm your system. Unlike Windows, where you're always logging on to your desktop as root, unless you know what you are doing.

 

It's not going to make me feel any better to know that everyone else's account is safe, and the "OS" is safe, when some script runs "rm -rf ~" in my user account.

 

Also, urpmi must be run as root, so if I install a rogue rpm, it has root access at least during the installation process.

 

About blocking port 80: in Windows, yes, it can block a particular application from accessing port 80, while with iptables... well, you only need to block port 80 (incoming) on your Linux box if you have a web server running on it and you don't want outsiders to access it.

Actually, you can manually edit your iptables or Shorewall rules to do per-port blocking, and you don't need to be a programmer to do it, as long as you take some time to read the man page or visit its main website for some useful info.

 

You missed my point entirely: I'm not talking about incoming access, but outgoing access. Maybe FTP is a better example.

Let's assume that I'm not running an FTP server, so incoming port 21 is closed. I do want to be able, as a user, to get/put files through FTP, for example to update my web site, so outgoing connections from port XXXX to port 21 on a remote IP must be allowed by iptables.

Now let's assume I download and run a rogue program (maybe manually, or the rpm repository I'm using got compromised, with a DNS hijack for example).

The program then connects to the FTP server from port YYYYY to port 21 on ftp.baduys.com and uploads the contents of the "my documents" directory, or maybe my ".Mail" directory.

 

In windows, I have the ability to tell it that it's OK for my FTP client to connect to a remote port 21, but that no other application is allowed, or at least that I should be asked about it first.

 

That's not the fault of Linux.

It's not Microsoft's fault that people don't patch their software either. A good security attitude is not to shift blame around, but to assume people will do the wrong thing. Especially if my mother-in-law is expected to be able to use Linux some day.

 

I don't know how that would happen unless you have an MTA (sendmail/postfix) running on your Linux box, but you have the option to disable that. Running $ netstat -an | grep tcp will show you all TCP ports listening on your machine. If you have port 80 open, then you have a web server running; port 25 is for SMTP...

Look at my FTP example above. Again we're talking outgoing traffic, not incoming.

 

Almost all open source software has a README or even a forum.

That's not what I meant. A lot of people say open source is safer because you can always look at the source to see what the program is doing. That's true in the long term, if enough people bother looking at it.

I recently installed rkhunter on my machine. The Mandrake rpm is outdated, so I downloaded his tarball and installed from source. How do I know that the guy doesn't have something hidden in his Perl code that is nefarious?

 

 

Is it an open source game or not? If not, and you are not sure about it, then don't download it; avoid installing pirated software on Linux.

See previous comment. Open source in itself doesn't guarantee security.

See comment about people being stupid: like it or not, people will do things that they shouldn't do. Even if it's not Linux's fault per se, Linux will get the black eye when their machine gets hijacked for DDoS because they installed something they got on a torrent somewhere.


papa: if you had bothered to look at either of the programs suggested before going off on your completely-irrelevant-to-the-original-question tirade, you might have noticed that Firestarter lists what program is using what port (where it's going to, etc.), and that it allows you to whitelist/blacklist traffic: you can see all current connections by program and block those actions if you choose to. It does it by IP address and by port, which gives you more diverse control.


papa: if you had bothered to look at either of the programs suggested before going off on your completely-irrelevant-to-the-original-question tirade, you might have noticed that Firestarter lists what program is using what port (where it's going to, etc.), and that it allows you to whitelist/blacklist traffic: you can see all current connections by program and block those actions if you choose to. It does it by IP address and by port, which gives you more diverse control.

 

 

As a matter of fact I did look at the Firestarter web page, more specifically this page: http://www.fs-security.com/docs/policy-page.php I still see no mention of denying specific applications access, although maybe that's what they mean by "service", but I doubt it.

Yes it lists which application is using what port (I can use netstat to do that) but by then it's too late.

 

I will give Firestarter a try on my machine to see if I'm missing something. As far as the tirade, I agree that it is one, but I believe it is highly relevant to the conversation since the original post specifically spells out "outgoing programs" and "Zone Alarm".

I am also frustrated at the general "Linux gurus'" attitude of "you newbie, you don't need a firewall or an antivirus, because Linux is so secure". This is not an attack on anyone in particular, more on the community in general.


I see papa's point. Indeed, the easiest and most natural thing would be to bar the game dshjhdjshdjs from accessing the internet, rather than deny outbound traffic on ports aaaa to bbbb. After all, how do I know what ports this cool game uses? There is a big difference between understanding general concepts and the need for network security, and understanding the output of netstat. Windows firewall developers do understand that difference: you won't sell the product if the customer finds it confusing. The Linux developers' attitude is changing too; just compare the current version of Firestarter with the previous stable version.


Just to add a further opinion (whilst attempting to stay on topic :D ): I found papaschtroumpf's comments both useful and relevant to the topic, as it was about blocking outgoing communications by application rather than as a whole. I am embarrassed to admit that it is something that had not occurred to me, and it has made me think more about my security setup. It was also a very good point about our attitude to security, in that we tend to blame MS for a number of users' indiscretions.

 

Leo


Guest juanstiller

Hi,

 

I've read the posts before, and I think both sides are right. Linux has its positive and negative points, as all OSes do. I started using Linux something like 3 years ago, and nowadays I'm still having problems configuring servers, etc., etc.

With respect to security issues I have to say that I've never had any problem. I administer two networks using Linux dedicated firewalls and DMZ servers, serving 8 PCs for one and 14 PCs for the other; all PCs are Windows-OS based.

For one of the networks, the dedicated server is using the IPCop OS, which is a Linux OS compiled with many little functions to run as a firewall. It can be administered via browser, and it's pretty good, BUT as papas said, it doesn't have the ability to block certain programs from accessing the internet.

Another point that papas analyzed was the attitude of some gurus; that's true too. I've had to post several times to lists, and people who were advanced technicians were kinda arrogant, etc., etc.

BUT, I still think the Linux OS is worth that kind of problems, and I can assure you, once you finally configure something on Linux, it can run and run and run eternally without one single server restart, hang, trap, or whatever malfunction may appear. It's AMAZING, but you have to fight for it: studying, testing, recompiling, basically work.

I can say that I've been months studying config files, howtos, and writing to mailing lists to solve configuration issues, and after real hard work I configured servers and they work as expected and even better.

Linux is not an OS for people who are really used to Windows' simplicity. It was born as a server OS; all of its functions were conceived for networking servers. That's why it's so complicated: OK, it sacrifices simplicity and ease of use for solidity and robustness. But it's very complicated to configure, and sometimes it's really annoying that things can't be a little more simple.

On the other hand, Microsoft has one premise: the OS must be as simple and easy to use as possible. But in my opinion it's very unsafe, very unstable, and every new OS version needs nearly a mainframe to be run at acceptable speed. Yeah, it's a hell of a lot easier to configure and you've got info on the web everywhere to assist you, but I don't trust it.

I used to have one Pentium II PC with 256 RAM running Windows NT4 as a PDC, and it was hanging and trapping all the time, with lots of problems. Some time ago I installed Mandrake 10, which recommends slightly stronger hardware, but amazingly the PC is now solid, and it serves perfectly as a PDC.

I think I've gone a little :offtopic:, but I guess this sums up the differences between Microsoft and Unix-based OSes.

By the way, I think it's OK, and very useful, that people who use Microsoft OSes express this kind of concern when they start using a Linux OS, as papas did; this kind of comment makes Linux distros work on what most users think the OS is missing or what can be improved.

Sorry for being so long, but I think it's useful.

Edited by juanstiller

I'm not putting down Linux; I am using it daily, on two different computers, and it has all the good things you mention going for it.

 

I installed Firestarter on my Mandriva 2005 machine and played with it some.

As far as a firewall for blocking incoming traffic, it sure beats editing iptables by hand. It's easy to use and has that user-friendly feel that some of the Windows products have, with a tray icon that changes when it logs alerts, for example (if you so desire).

 

As far as outgoing traffic, it has the control I expected: you can block services (i.e. ports and port ranges) or remote hosts/networks, but not application level control like Z.A. & al do under Windows.

In fact under Windows Z.A. is smart enough to see when a rogue application is "controlling" a whitelisted application; for example, if the rogue application tries to access the internet through some DLL of Windows Explorer, Zone Alarm will raise an alert and ask you if it's OK.

 

I suppose a linux equivalent would be to detect a DCOP script trying to drive Konqueror to do bad things. We're a long way from being there.

 

Applying security patches and safe computing practices are still your most effective security measures in Linux. And yes, I absolutely agree, those two things are much more effective than they are in Windows.


As far as outgoing traffic, it has the control I expected: you can block services (i.e. ports and port ranges) or remote hosts/networks, but not application level control like Z.A. & al do under Windows.

 

Yep, that's correct Papa - at present Firestarter can't filter by application - however, what users can do to set up a fairly tight/restrictive firewall with Firestarter is to:

* Drop all incoming connections

* Drop all outgoing connections with the restrictive policy, then manually augment this outbound policy by explicitly allowing outbound connections to the ports of your choice, i.e. 21, 25, 53, 80, 110, 443, etc., etc. (for example; obviously you can choose what ports you want here)

Obviously we're not filtering by application here, and rogue code could in theory make outgoing connections to those allowed ports, but it's a good start, and it's certainly something that some desktop Linux users are probably not currently aware of (the concept, that is).

BTW, doesn't iptables itself have a "rarely-used", "rarely heard-of" module/extension that facilitates filtering by application? From what I've heard, it does. It's poorly documented though, and there's very little information on it (on the web) from what I've heard. Has anyone else heard about this?

Edited by Rainer
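An added example, not code from the thread or from Firestarter: Rainer's restrictive policy (drop everything, then allow chosen outbound ports) written as plain iptables commands, plus the nearest thing iptables has to per-program control, the owner match, which filters on the user ID that generated the packet rather than on the program. The script only prints the commands so they can be reviewed before being applied; the uid 1001 and the OUT-DROP log prefix are assumed values.

```shell
#!/bin/sh
# Added example (not the thread's or Firestarter's code): print iptables rules
# for "drop everything, then allow chosen outbound ports" as described above.
# Commands are printed, not executed, so review them first and then apply with:
#   sh outbound-policy.sh 21 25 80 110 443 | sudo sh
# Assumes a 2.6-era netfilter with the state and owner matches (standard).

# Default DROP on both chains; keep loopback and replies to connections this
# machine opened itself (the stateful part that makes the rest usable).
base_policy() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Allow NEW outbound TCP connections only to the listed destination ports;
# non-numeric arguments are skipped rather than silently turned into rules.
# DNS over UDP is always allowed, since almost nothing works without it.
allow_outbound_ports() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "skipping bad port: $port" >&2; continue ;;
        esac
        echo "iptables -A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
}

# Log every new outbound attempt that falls through to the DROP policy: the
# after-the-fact version of Zone Alarm's prompt, visible in syslog.
log_dropped_outbound() {
    echo "iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix 'OUT-DROP: '"
}

# Closest thing to per-application control: the owner match filters on the uid
# that generated the packet, so a program run under a dedicated unprivileged
# account (uid 1001 is an assumed example) gets no network at all.
deny_user_outbound() {
    echo "iptables -I OUTPUT 1 -m owner --uid-owner $1 -j REJECT"
}

# Full ruleset: base policy, allowed ports from the command line, then logging.
full_ruleset() {
    base_policy
    allow_outbound_ports "$@"
    log_dropped_outbound
}

if [ $# -gt 0 ]; then full_ruleset "$@"; fi
```

Call deny_user_outbound separately for each account you want cut off; it inserts at the top of OUTPUT so it wins over the port allowances.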
