From: Stephen Horne on

On Windows, I use the free version of the ZoneAlarm firewall. This
allows me to control access to the internet and to the "trusted zone"
on a per-application basis.

When an application first tries to access the internet, ZoneAlarm asks
me whether I want to allow access. I can give/refuse access either
this time only, or tell ZoneAlarm to apply my choice automatically in
the future. I can also view a list of apps that ZoneAlarm knows about
so far, and change the choices in there.

With a few exceptions (e.g. all Java applications appear to be the
same application as far as ZoneAlarm is concerned), it works very
well.

I know that OpenSUSE includes a firewall, but it doesn't seem to
follow this model AFAICT. It seems to filter types of internet
traffic, but not to control which applications have access to the
internet or other resources.

My concern at the moment is running untrusted applications and
allowing them to access files in my currently logged in user account
only, and in particular, disallowing any internet access - while still
allowing trusted applications to access the internet from the same
user account at the same time.

Is there an equivalent of ZoneAlarm in OpenSUSE? Or am I too focussed
on the Windows way of doing things, and failing to see an obvious (but
different) way to achieve what I want? Or am I just mistaken about
what the OpenSUSE firewall does?

From: Paul J Gans on
Stephen Horne <sh006d3592(a)blueyonder.co.uk> wrote:

>On Windows, I use the free version of the ZoneAlarm firewall. This
>allows me to control access to the internet and to the "trusted zone"
>on a per-application basis.

>When an application first tries to access the internet, ZoneAlarm asks
>me whether I want to allow access. I can give/refuse access either
>this time only, or tell ZoneAlarm to apply my choice automatically in
>the future. I can also view a list of apps that ZoneAlarm knows about
>so far, and change the choices in there.

>With a few exceptions (e.g. all Java applications appear to be the
>same application as far as ZoneAlarm is concerned), it works very
>well.

>I know that OpenSUSE includes a firewall, but it doesn't seem to
>follow this model AFAICT. It seems to filter types of internet
>traffic, but not to control which applications have access to the
>internet or other resources.

>My concern at the moment is running untrusted applications and
>allowing them to access files in my currently logged in user account
>only, and in particular, disallowing any internet access - while still
>allowing trusted applications to access the internet from the same
>user account at the same time.

>Is there an equivalent of ZoneAlarm in OpenSUSE? Or am I too focussed
>on the Windows way of doing things, and failing to see an obvious (but
>different) way to achieve what I want? Or am I just mistaken about
>what the OpenSUSE firewall does?

I'm not a firewall expert and no doubt better informed folks than
I will soon respond.

I think that the basic thing to remember is that in Linux FEW PROGRAMS
go off and connect to the internet by themselves[1]. In general
NOTHING connects to the internet without you telling it to do that.

So there is no need for a ZoneAlarm sort of thing.

For example if you have a program that was supplied via one of the
repositories, the updater applet (or YAST) will tell you if updates
are available. Then YOU have to allow the update to take place.

If you have a program that you installed outside of the normal install
process, YOU have to tell that program to go check for updates. It
won't do it by itself.

You've hit on one of the legitimate gripes with Windows-type programs.
They can run themselves because they can modify the system to do that.
This can be a security problem, hence ZoneAlarm that turns off behavior
that should have been turned off by the operating system.

[1] The network time daemon, which can be set up by you using YAST,
will, once set up, contact a timeserver on the net to get the
correct time. There may be one or two other programs that do
this sort of thing.
--
--- Paul J. Gans
From: Stephen Horne on
On Mon, 28 Dec 2009 04:05:29 +0000 (UTC), Paul J Gans
<gansno(a)panix.com> wrote:

>I think that the basic thing to remember is that in Linux FEW PROGRAMS
>go off and connect to the internet by themselves[1]. In general
>NOTHING connects to the internet without you telling it to do that.

The trouble is, it only takes one exception to that rule.

The scenario I have in mind is a trojan. I download it, mess around
with it within a user account, and don't realise that it has (e.g.)
scanned the files in my user account, spotted some passwords/bank
details/personal info, and phoned home.

If you have the habit of messing around with random programs, one day,
something like this is bound to happen. It doesn't matter whether you
download binaries or build from source - unless you inspect that
source line by line, the possibility still exists that there is an
undocumented nasty lurking within.

*BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
home, and so the security issue is minimised. Being told that the
program tried to phone home even gives you the warning that it is /
may be a trojan, or spyware or whatever.

True - the Linux environment and culture makes this kind of thing less
likely. But IIRC, someone actually managed to get a trojan included in
one of the major distros repositories (briefly) a while back. Don't
think it was anything serious, but the point is that *any* operating
system has vulnerabilities. Even if you could engineer a perfect O/S,
there's always the fallible human element.

I don't claim to be perfect. Since I am not perfect, I'd like my
software to warn me about that fatal error when I make it, and
hopefully prevent the "fatal" aspect of it.

From: Jan Gerrit Kootstra on
Stephen Horne wrote:
> On Mon, 28 Dec 2009 04:05:29 +0000 (UTC), Paul J Gans
> <gansno(a)panix.com> wrote:
>
>> I think that the basic thing to remember is that in Linux FEW PROGRAMS
>> go off and connect to the internet by themselves[1]. In general
>> NOTHING connects to the internet without you telling it to do that.
>
> The trouble is, it only takes one exception to that rule.
>
> The scenario I have in mind is a trojan. I download it, mess around
> with it within a user account, and don't realise that it has (e.g.)
> scanned the files in my user account, spotted some passwords/bank
> details/personal info, and phoned home.
>
> If you have the habit of messing around with random programs, one day,
> something like this is bound to happen. It doesn't matter whether you
> download binaries or build from source - unless you inspect that
> source line by line, the possibility still exists that there is an
> undocumented nasty lurking within.
>
> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
> home, and so the security issue is minimised. Being told that the
> program tried to phone home even gives you the warning that it is /
> may be a trojan, or spyware or whatever.
>
> True - the Linux environment and culture makes this kind of thing less
> likely. But IIRC, someone actually managed to get a trojan included in
> one of the major distros repositories (briefly) a while back. Don't
> think it was anything serious, but the point is that *any* operating
> system has vulnerabilities. Even if you could engineer a perfect O/S,
> there's always the fallible human element.
>
> I don't claim to be perfect. Since I am not perfect, I'd like my
> software to warn me about that fatal error when I make it, and
> hopefully prevent the "fatal" aspect of it.
>
Stephen,


Running a VMware, XEN or other hypervisor on top of Linux with a Windows
guest, your scenario becomes even more realistic.

An iptables firewall can be configured to block or log outbound traffic.
This is normally based on IP addresses and port numbers.

Do not have the details at the moment.

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Sample_iptables_Scripts

This might give you some hints.

It is very static, not dynamic like your Windows product.


Kind regards,


Jan Gerrit
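
Added example (not part of any poster's message): one way to make the iptables approach mentioned above per-application rather than per-port is the `owner` match keyed on a dedicated group, with a LOG rule so a blocked attempt is also reported. The group name `nonet`, the log prefix and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: block and log outbound traffic from processes started under a
# dedicated group. Group name, log prefix and sample log lines are constructed.
NONET_GROUP="${NONET_GROUP:-nonet}"
LOG_PREFIX="NONET-BLOCKED: "

# Print the rules for one binary (iptables or ip6tables) and one group.
# Order matters: allow loopback first, then log (rate-limited), then reject.
nonet_rules() {
    ipt="$1"; grp="$2"
    echo "$ipt -A OUTPUT -o lo -m owner --gid-owner $grp -j ACCEPT"
    echo "$ipt -A OUTPUT -m owner --gid-owner $grp -m limit --limit 6/minute -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "$ipt -A OUTPUT -m owner --gid-owner $grp -j REJECT"
}

# Read kernel log lines on stdin and print "PROTO DST:DPT" for every blocked
# TCP/UDP attempt that carries our prefix (the "it tried to phone home" report).
blocked_summary() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.* DST=\([^ ]*\) .* PROTO=\([^ ]*\) .* DPT=\([^ ]*\).*/\2 \1:\3/p'
}

# Constructed sample: one blocked connection attempt and one unrelated line.
SAMPLE_LOG='Dec 28 12:00:01 host kernel: NONET-BLOCKED: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 28 12:00:02 host kernel: usb 1-1: new high-speed USB device'

# Nothing is changed unless --apply is given and the script runs as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; exit 1; }
    getent group "$NONET_GROUP" >/dev/null || groupadd "$NONET_GROUP"
    { nonet_rules iptables "$NONET_GROUP"
      nonet_rules ip6tables "$NONET_GROUP"; } | sh
fi
```

After applying the rules as root, start the untrusted program with `sg nonet -c ./program` (a hypothetical program name); programs started normally keep their usual group and are not matched. The choice is made at launch time, so this is still static compared with an interactive prompt.
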
From: Peter Köhlmann on
Stephen Horne wrote:

> On Mon, 28 Dec 2009 04:05:29 +0000 (UTC), Paul J Gans
> <gansno(a)panix.com> wrote:
>
>>I think that the basic thing to remember is that in Linux FEW PROGRAMS
>>go off and connect to the internet by themselves[1]. In general
>>NOTHING connects to the internet without you telling it to do that.
>
> The trouble is, it only takes one exception to that rule.
>
> The scenario I have in mind is a trojan. I download it, mess around
> with it within a user account, and don't realise that it has (e.g.)
> scanned the files in my user account, spotted some passwords/bank
> details/personal info, and phoned home.

Where do you download that type of program? *Why* do you do that? And why
don't you get it from the distro site?

> If you have the habit of messing around with random programs, one day,
> something like this is bound to happen. It doesn't matter whether you
> download binaries or build from source - unless you inspect that
> source line by line, the possibility still exists that there is an
> undocumented nasty lurking within.
>
> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
> home, and so the security issue is minimised. Being told that the
> program tried to phone home even gives you the warning that it is /
> may be a trojan, or spyware or whatever.

Zone-Alarm "firewalls" are not even toys. They are simply garbage of the
worst sort.

The "Notepad wants to connect to the internet - allow <yes> <sure> <why
not>" type of "user-interaction" is just silly to the extreme.
--
I say you need to visit Clues 'R' Us. They are having a special on
slightly used clues.
