iptables and path-based outbound rules?

Discussion in 'all things UNIX' started by Gullible Jones, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. The problem isn't that outbound control is a bad idea, it's that outbound control through iptables alone is conceptually incomplete. A rogue application could just start up some other process to do its dirty work, in theory at least.

    This is what MAC is for, and is one reason why most Windows firewalls implement some form of MAC.

    On Linux, IMO, the real problem is that nobody seems capable of agreeing on a standard MAC system; and what exists is mostly designed for corporate and government environments, and needlessly complicated for desktop use.
     
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    regarding Leopard Flower, my post from back in 2011:
    https://www.wilderssecurity.com/showthread.php?t=314734
    The LF author announced a few months ago that he (has lost the original source code(!) and) plans to release a fully rewritten version of the application.

    regarding Firestarter:
    No, it cannot accommodate per-process nor per-path rules. Further, it is intended for installation to a (separate) server; it is not designed for installation to a client pc.

    (rolleyes)

    @noone ~~
     
    Last edited by a moderator: Feb 13, 2013
  3. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    I was saying that as an additional benefit that a firewall cannot address but execution protection of some kind can.

    And how are they supposed to know which are legitimate (in their mind) or not behaviours whilst they are using the application?

    I would speculate (I honestly never looked into this in any depth) that it's simply historically not needed due to the level of trust Linux users have in the software they install from package managers and repositories, where there are usually tight controls on quality and process that are effective in preventing anything subversive getting to a user's machine.


    Maybe you have a problem due to the way you use Linux, that most other Linux users do not have, hence not needing to try and solve it.

    You were the one questioning the freedom, I pointed out that the lack of program X does not imply there is some kind of restriction on the existence of program X, just that there has been no demand for it.
    You could also always pay someone to write the software you need, so having the knowledge is not an issue.

    Someone had to write that code for Windows.
    How many years did Windows exist without a HIPS or outbound firewall?
    What would you have done then?

    How are "Users who don't have prior experience" going to know what to allow or deny?

    Which apps on Linux have "that kind of behavior"?

    Cheers, Nick
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    GJ is, as usual, on the money.

    If you really want to do per application outbound control I suggest you separate the programs into separate users, and then create firewall rules for that user. You can reinforce this with apparmor. This will:

    1) Allow 'per program' inbound/outbound firewall control.
    2) Prevent the blatant holes in bypassing this system
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Most every question I asked is answered with a pointless question as a reply. I have better things to waste time on than this. Thanks. You've made my decision.
     
  6. Thanks..

    OTOH, I have to point something out here: maintaining separate user accounts for different purposes can take a lot of configuration, and generally be a royal PITA. I'd say it's probably the best way to (ab)use UNIX DAC for desktop security, but the effort may be offputting, especially for new Linux users.

    I can think of a few ways to handle this though. Perhaps I'll post a new thread about it.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I run Pidgin and xchat as separate users. It's pretty simple. I don't bother with iptables because I'm lazy, but it wouldn't be difficult to do.

    If you want to control VLC, running it as a separate user makes sense to me. If you don't run it as a separate user and you don't separate it from other programs, then an outbound Firewall won't be useful anyways.

    Outbound also assumes the attacker has already gotten onto the system, so you're going to want something built in and as deep as possible, so I'd enforce the basic DAC with apparmor/SELinux.
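The per-user scheme Hungry Man describes in posts 4 and 7 (one UNIX user per program, then iptables rules keyed on that user) can be expressed with the iptables owner match. The script below is an added example written for this page, not code from the thread or from any of the posters. The user name "vlcuser", the program path /usr/bin/vlc, the allowed ports and the use of X11 are assumptions for illustration. Because iptables matches on the uid of the sending process, child processes the program spawns inherit the uid and hit the same rules, which closes the "start some other process" gap in post 1 for the network side; what it does not stop is relaying through a local service owned by a different user, which is the part AppArmor or SELinux is meant to cover.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs a program under its own
# UNIX user and lets the iptables owner match apply per-uid outbound rules.
# All names here (user "vlcuser", /usr/bin/vlc, the allowed ports) are
# assumptions chosen for illustration.

# owner_rules USER "proto:port ..." -> prints the iptables commands that
# constrain outbound traffic for USER. Printing instead of executing lets
# you review the rules first, then pipe them to sh as root.
owner_rules() {
    user=$1
    allowed=$2
    # Packets that belong to connections already accepted.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution (assumption: the resolver is reachable on port 53).
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp --dport 53 -j ACCEPT"
    # One rule per explicitly allowed destination port.
    for pair in $allowed; do
        proto=${pair%%:*}
        port=${pair##*:}
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else this uid sends: log it, then drop it. Processes the
    # program spawns inherit the uid, so they are caught by the same rules.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j LOG --log-prefix \"[out-$user] \" --log-level 4"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j DROP"
}

# run_isolated USER PROGRAM [ARGS...] -> start PROGRAM as USER with access
# to the current X display (assumption: an X11 session; Wayland differs).
run_isolated() {
    iso_user=$1
    shift
    xhost +SI:localuser:"$iso_user" >/dev/null
    sudo -u "$iso_user" -H env DISPLAY="$DISPLAY" "$@"
}

# Usage, as root, for the assumed VLC setup:
#   useradd --create-home vlcuser
#   owner_rules vlcuser "tcp:80 tcp:443" | sh
#   run_isolated vlcuser /usr/bin/vlc
```

The rules are appended to OUTPUT, so they should be loaded before any general ACCEPT rule for that chain; the LOG line gives you a kernel-log record of what the isolated program tried to reach, which is the closest iptables gets to the "ask the user" prompt of a Windows outbound firewall.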
     
  8. On a tangentially related note, I caved in and created an AppArmor profile for Firefox.

    AppArmor basically works like Tomoyo, path based and very easy to use. Me like.
     
  9. jna99

    jna99 Registered Member

    Joined:
    Apr 18, 2012
    Posts:
    94
    Location:
    127.0.0.1, Netherlands
    What I dislike (maybe dislike is a bit strong) about linux is, like Inka has mentioned, that applications seem to 'depend' so much on other installations.
    if an average user does the following:
    Run synaptic package manager for instance and you want to get rid of an installation or program.. you think ok, I want to delete akonadi or whatever... blam, you get a huge list of all other apps that are interconnected to each other that must be deleted also!
    why can't apps have all what they need in their own folder and run only things from that folder?
    I think someone must think of a revolutionary way to have everything in its own folder and run from there.. no more huge "bin" or "library" folders where everything is packed together.. no more dependencies. If you want to delete a program it truly deletes ONLY that program and not a huge number of dependencies or other programs along with it.

    Am I making sense here ? Sorry if I don't and sorry if this just won't work. And again sorry if I'm going offtopic a bit.. it just isn't my day.. *cry*
    I guess I need to get out more often :D
     
    Last edited: Feb 17, 2013