Networking Forums

Desktop Firewall or Application-Packetfilter

 
 
Ralf Näke
01-24-2006, 08:22 PM
Hi,

I am looking for a way to control which application gets access to the
internet under Linux. The solution should be very similar to desktop
firewalls under Windows. I don't want to close specific ports to the
internet. I want to filter the packets depending on the application name
or the application's process ID.

And by the way, I don't want to talk about the sense of desktop
firewalls. I am only looking for a solution under Linux (if there is one).

Thanks!

Ralf Näke
 
Robert Harris
01-25-2006, 03:01 PM
Ralf Näke wrote:
> Hi,
>
> I am looking for a way to control which application gets access to the
> internet under Linux. The solution should be very similar to desktop
> firewalls under Windows. I don't want to close specific ports to the
> internet. I want to filter the packets depending on the application name
> or the application's process ID.

But there is nothing in a packet that says which application it belongs to.

Could you give an example of what you really need?

Robert
>
> And by the way, I don't want to talk about the sense of desktop
> firewalls. I am only looking for a solution under Linux (if there is one).
>
> Thanks!
>
> Ralf Näke

 
Ralf Näke
01-25-2006, 06:26 PM
Robert Harris wrote:
> Ralf Näke wrote:
>
>> Hi,
>>
>> I am looking for a way to control which application gets access to the
>> internet under Linux. The solution should be very similar to desktop
>> firewalls under Windows. I don't want to close specific ports to the
>> internet. I want to filter the packets depending on the application
>> name or the application's process ID.

>
> But there is nothing in a packet that says which application it belongs to.
>
> Could you give an example of what you really need?
>
> Robert
>
>>
>> And by the way, I don't want to talk about the sense of desktop
>> firewalls. I am only looking for a solution under Linux (if there is
>> one).
>>
>> Thanks!
>>
>> Ralf Näke

Hi Robert,

thanks for your response. I want to take control over the rights of
applications for internet access. I hope I can describe it clearly with
the following example:

Imagine you have two internet browsers installed under Linux. The first
browser should have the right to connect to the internet and the second
browser should not have this right. In reality I want to test this
with other applications, but I think this is a beautiful example. This is
for the case that I only want to test one application without letting it
connect to the internet. But at the same time I want to stay online with
other applications, so I don't want to cut my internet connection.
Also I don't want to close specific ports because I don't know what ports
the test application uses.

I hope this example is a little bit more useful. Thank you for your help!

Greetings, Ralf
 
Robert Harris
01-25-2006, 07:07 PM
Ralf Näke wrote:
> Robert Harris wrote:
>> Ralf Näke wrote:
>>
>>> Hi,
>>>
>>> I am looking for a way to control which application gets access to
>>> the internet under Linux. The solution should be very similar to
>>> desktop firewalls under Windows. I don't want to close specific ports
>>> to the internet. I want to filter the packets depending on the
>>> application name or the application's process ID.

>>
>> But there is nothing in a packet that says which application it
>> belongs to.
>>
>> Could you give an example of what you really need?
>>
>> Robert
>>
>>>
>>> And by the way, I don't want to talk about the sense of desktop
>>> firewalls. I am only looking for a solution under Linux (if there is
>>> one).
>>>
>>> Thanks!
>>>
>>> Ralf Näke

> Hi Robert,
>
> thanks for your response. I want to take control over the rights of
> applications for internet access. I hope I can describe it clearly with
> the following example:
>
> Imagine you have two internet browsers installed under Linux. The first
> browser should have the right to connect to the internet and the second
> browser should not have this right. In reality I want to test this
> with other applications, but I think this is a beautiful example. This is
> for the case that I only want to test one application without letting it
> connect to the internet. But at the same time I want to stay online with
> other applications, so I don't want to cut my internet connection.
> Also I don't want to close specific ports because I don't know what ports
> the test application uses.
>
> I hope this example is a little bit more useful. Thank you for your help!
>
> Greetings, Ralf

Well, if you have two browsers, there is no filter that will allow one
to reach the internet but not the other: they both generate the same
types of packet. You must build the internet access permissions into the
applications themselves.

Or you could discover what ports your test application uses.

Robert
 
buck
01-25-2006, 07:50 PM
On Tue, 24 Jan 2006 22:22:08 +0100, Ralf Näke <(E-Mail Removed)>
wrote:

>Hi,
>
>I am looking for a way to control which application gets access to the
>internet under Linux. The solution should be very similar to desktop
>firewalls under Windows. I don't want to close specific ports to the
>internet. I want to filter the packets depending on the application name
>or the application's process ID.
>
>And by the way, I don't want to talk about the sense of desktop
>firewalls. I am only looking for a solution under Linux (if there is one).
>
>Thanks!
>
>Ralf Näke


Ralf,

To the best of my knowledge, there is nothing in Linux like what you
describe.

A potential alternative may be possible if the program uses wrappers.
Then you could DENY everything except the allowed daemon(s) by
altering /etc/hosts.allow and hosts.deny.

On the other hand, I fail to see why blocking ports won't do. Why are
you specifically saying NO to that?
--
buck

 
Larry Finger
01-25-2006, 08:45 PM
Ralf Näke wrote:
> Robert Harris wrote:
>
>> Ralf Näke wrote:
>>
>>> Hi,
>>>
>>> I am looking for a way to control which application gets access to
>>> the internet under Linux. The solution should be very similar to
>>> desktop firewalls under Windows. I don't want to close specific ports
>>> to the internet. I want to filter the packets depending on the
>>> application name or the application's process ID.

>>
>>
>> But there is nothing in a packet that says which application it
>> belongs to.
>>
>> Could you give an example of what you really need?
>>
>> Robert
>>
>>>
>>> And by the way, I don't want to talk about the sense of desktop
>>> firewalls. I am only looking for a solution under Linux (if there is
>>> one).
>>>
>>> Thanks!
>>>
>>> Ralf Näke

>
> Hi Robert,
>
> thanks for your response. I want to take control over the rights of
> applications for internet access. I hope I can describe it clearly with
> the following example:
>
> Imagine you have two internet browsers installed under Linux. The first
> browser should have the right to connect to the internet and the second
> browser should not have this right. In reality I want to test this
> with other applications, but I think this is a beautiful example. This is
> for the case that I only want to test one application without letting it
> connect to the internet. But at the same time I want to stay online with
> other applications, so I don't want to cut my internet connection.
> Also I don't want to close specific ports because I don't know what ports
> the test application uses.
>
> I hope this example is a little bit more useful. Thank you for your help!
>
> Greetings, Ralf


To do this, you would have to do what ZoneAlarm or the other Windows firewalls do by putting a
pseudo driver ahead of the network driver and intercepting every outgoing network transaction. AFAIK,
this type of interceptor does not exist in Linux. In addition, it is not needed because it is much
more difficult for spyware to be introduced into a Linux system, particularly if you are almost
never logged in as root. On the other hand, a Windows system barely functions unless you are logged
into an account with Administrative Rights, their nomenclature for root.

Larry
 
Ralf Näke
01-25-2006, 09:02 PM
buck wrote:
> On Tue, 24 Jan 2006 22:22:08 +0100, Ralf Näke <(E-Mail Removed)>
> wrote:
>
>> Hi,
>>
>> I am looking for a way to control which application gets access to the
>> internet under Linux. The solution should be very similar to desktop
>> firewalls under Windows. I don't want to close specific ports to the
>> internet. I want to filter the packets depending on the application name
>> or the application's process ID.
>>
>> And by the way, I don't want to talk about the sense of desktop
>> firewalls. I am only looking for a solution under Linux (if there is one).
>>
>> Thanks!
>>
>> Ralf Näke

>
> Ralf,
>
> To the best of my knowledge, there is nothing in Linux like what you
> describe.
>
> A potential alternative may be possible if the program uses wrappers.
> Then you could DENY everything except the allowed daemon(s) by
> altering /etc/hosts.allow and hosts.deny.
>
> On the other hand, I fail to see why blocking ports won't do. Why are
> you specifically saying NO to that?
> --
> buck
>


Hi buck,

you wrote:
> On the other hand, I fail to see why blocking ports won't do. Why are
> you specifically saying NO to that?


If I want to test an application I want to block all traffic from this
application to the internet. But in the first moment I do not have any
idea which ports this application will use. Furthermore I will be sure
that this application does not use port 80, for example, to phone
home. But if I close port 80 I will not be able to use my browser.

I know that I can change the port for my browser, but in general I don't
want to close all my ports for testing an application because at the same
time I want to be able to use other applications which could be using
the same ports.
 
Bill Marcum
01-26-2006, 02:23 AM
On Wed, 25 Jan 2006 23:02:27 +0100, Ralf Näke
<(E-Mail Removed)> wrote:
>
> If I want to test an application I want to block all traffic from this
> application to the internet. But in the first moment I do not have any
> idea which ports this application will use. Furthermore I will be sure
> that this application does not use port 80, for example, to phone
> home. But if I close port 80 I will not be able to use my browser.
>
> I know that I can change the port for my browser, but in general I don't
> want to close all my ports for testing an application because at the same
> time I want to be able to use other applications which could be using
> the same ports.


Maybe what you want is to run the application in a virtual machine or
User Mode Linux.


--
A handful of friends is worth more than a wagon of gold.
 
Christoph Scheurer
01-26-2006, 05:47 AM
On Wednesday, 25.01.2006, 20:26 +0100, Ralf Näke wrote:

> thanks for your response. I want to take control over the rights of
> applications for internet access. I hope I can describe it clearly with
> the following example:
>
> Imagine you have two internet browsers installed under Linux. The first
> browser should have the right to connect to the internet and the second
> browser should not have this right. In reality I want to test this
> with other applications, but I think this is a beautiful example. This is
> for the case that I only want to test one application without letting it
> connect to the internet. But at the same time I want to stay online with
> other applications, so I don't want to cut my internet connection.
> Also I don't want to close specific ports because I don't know what ports
> the test application uses.
>
> I hope this example is a little bit more useful. Thank you for your help!
>
> Greetings, Ralf


You can do this with LIDS (Linux Intrusion Detection System).
It's configurable to mark packets of a certain process, and then you can
filter them with iptables in the OUTPUT chain.

http://www.lids.org/document/lids_worm-2.html

 
Michael Zawrotny
01-26-2006, 12:39 PM
On Wed, 25 Jan 2006 22:23:34 -0500, Bill Marcum <(E-Mail Removed)> wrote:
> On Wed, 25 Jan 2006 23:02:27 +0100, Ralf Näke
> <(E-Mail Removed)> wrote:
> >
> > If I want to test an application I want to block all traffic from this
> > application to the internet. But in the first moment I do not have any
> > idea which ports this application will use. Furthermore I will be sure
> > that this application does not use port 80, for example, to phone
> > home. But if I close port 80 I will not be able to use my browser.

>
> Maybe what you want is to run the application in a virtual machine or
> User Mode Linux.


The grsecurity kernel patches advertise GID based socket restrictions
(http://www.grsecurity.net/features.php). You could make one browser
setgid (with a dedicated group) and deny it the ability to open
network sockets.

Along similar lines, you could probably do what you want with a custom
SELinux policy, but I've never heard of anyone getting any joy out of
trying to handcraft a policy.


Mike

--
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University | email: (E-Mail Removed)
Tallahassee, FL 32306-4380 | phone: (850) 644-0069
 