Dear All
I would like to gain some zonealarm-like functionality for my linux
desktop.
netfilter/iptables provides a great functional firewall and can even
block based on UID and GID ... but I quite like the interactive nature
of zonealarm - where it prompts the user asking whether a particular
application can connect to a network resource (also allowing a
permanent entry for that application).
Does anybody know of a shim for the network stack (or iptables) that
provides this functionality?
I guess it would need to spot an application attempting to use a
'monitored' network resource and then check its own tables to confirm
that the application is allowed (prompting if it doesn't). If the
table has an entry, or the user confirms that the application can use
the network resource then an entry is made in iptables ... but the
service would also need to spot the application closing and remove the
entry.
The reason I want this may not be valid of course... please let me know
if I'm being too paranoid:
iptables can block based on the usual IP data (src and dst IPaddr and
port ... even flags) so I may have a rule in there allowing outbound
initiated traffic to port 80. Normally this rule would be activated by
my web browser ... but what if I inadvertently install malware
(macro/script virus, trojan) and the malware decides to set up a tunnel
to an attacker host (on port 80). Or maybe the malware initiates a DoS
attack on an external web site...
Clearly, if the malware gains root it can probably bypass the shim,
but unless this feature becomes popular it's unlikely that a scripted
attack will take this into consideration. Anyway, I rarely install
applications as root so I'd hope that the malware may be restricted to
a lower capability UID.
Thanks
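A sketch of the service the post describes, added here as an example (it is not from the thread or from any existing tool) and assuming a Linux x86 host: it spots a connect() in progress by reading /proc/net/tcp, maps the socket inode back to the owning binary through /proc, and consults a per-application table, prompting through a callback when there is no entry. The sample /proc/net/tcp contents, the binary paths and the callback are all constructed.

```python
import os, socket, struct

SYN_SENT = "02"  # /proc/net/tcp state code for a connect() still in progress
# Constructed sample of /proc/net/tcp (not from the poster's machine): a
# listener on :22 and an outbound attempt by uid 1000 to 192.0.2.10:80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:A8CA 0A0200C0:0050 02 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
"""

def _endpoint(field):
    """'0A0200C0:0050' -> ('192.0.2.10', 80); the kernel prints the IPv4
    address as a host-order word, little-endian on x86, hence '<I'."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def pending_outbound(proc_net_tcp_text):
    """Return (uid, inode, host, port) for every socket still in SYN_SENT."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 10 and cols[3] == SYN_SENT:
            host, port = _endpoint(cols[2])
            found.append((int(cols[7]), int(cols[9]), host, port))
    return found

def inode_to_exe(inode):
    """Live-system helper: map socket:[inode] to the binary that owns it."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links = (os.readlink(f"/proc/{pid}/fd/{fd}")
                     for fd in os.listdir(f"/proc/{pid}/fd"))
            if f"socket:[{inode}]" in links:
                return os.readlink(f"/proc/{pid}/exe")
        except OSError:  # process exited, or not ours to inspect
            continue
    return None

def decide(policy, exe, host, port, ask):
    """policy maps (exe, host, port) -> bool; ask(exe, host, port) stands in
    for the user prompt and returns 'allow', 'deny' or 'always' (permanent)."""
    key = (exe, host, port)
    if key in policy:
        return policy[key]
    answer = ask(exe, host, port)
    if answer == "always":
        policy[key] = True
    return answer in ("allow", "always")
```

Polling /proc is racy (a short connection can finish between two reads) and iptables itself can only match a UID or GID with -m owner, not a binary, so the answer from decide() would have to be enforced by inserting per-UID rules or by a kernel-level hook.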