Leopard Flower firewall – Protect your bytes

Discussion in 'all things UNIX' started by Mrkvonic, Mar 16, 2016.

  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
  2. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,128
    Thanks, quite interesting, but ...
    Tesla died in 1943, are you sure he said that?
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    The article nails it:

    "The sad reality is, if you need, or think you need, security software for Linux, then you have a much bigger problem than the choice of particular programs you will be using. Furthermore, the usage of software mandates knowledge, which on its own, precludes or supersedes the actual need for it. This is the Dunning-Kruger of software.
    Outbound firewall control, especially the per-application concept, has many philosophical and practical issues. There’s the simple matter of containing damage. Which is best contained by avoiding it in the first place. If you don’t land baddies onto your system, there’s no need to fight them."
     
  4. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    408
    surprised to see you agreeing with this, amarildojr.
    "not needed in linux" is wrong, is blind, is ignorant.
    It is NOT necessarily about "malware" -- case in point: your recent battling with geoclue

    You trust your distro maintainers. You only install software (presumably vetted) from your distro's repos...
    and wind up with "overly social" or otherwise "overly trusting" (leaky) applications on your PC.

    In earlier posts here at wilders, I've raised the example of "akonadi"
    (preinstalled by many distros and pre-configured as the default music player)

    https://www.wilderssecurity.com/threads/iptables-and-path-based-outbound-rules.333138/#post-2152665

    https://www.wilderssecurity.com/threads/let-me-put-my-tinfoil-hat-on.352385/page-2#post-2272812

    Even if you visit akonadi's setting dialog today, and deselect "retrieve album art from siteX", "scrobble my goblin lastFM" etc.
    without notice, without opt-in, when KDE devs decided to "partner" with yet another helpful-harriet remote site/server
    and that updated akonadi version gets pushed onto your PC via your repo updates...
    a new tickbox, a new pref (oh-so-helpfully preconfigured "enabled" by default) has your copy of akonadi
    silently calling out to the site of the new "partner".

    kernel namespaces. wrapper script, UNSHARE -n
    ...'cept you gotta have root permission to "unshare", and many apps will fail unless you at least permit "socket" network access.
    Non-root linux user is castrated, unable to institute and manage an outbound "default deny" network policy.
    An Apparmor approach is fine, or will be, when every package installed from distro ships with a pre-written policy
    and user can elect at time of install "no, the application I'm installing should not have network access".
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    "Security software" can mean a lot of things. I agree that we don't need AV/AM/etc on Linux, but a good firewall is essential ;) (not the kind of firewall the article presents, though).
     
  6. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Oh boy..finally :)

    I hope they fix those bugs soon and that it will come to the arch repo/AUR!
     
  7. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,128
    bump
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Joxx, I am 100% sure he did not say that, which is what makes the quote awesomely witty. Maybe.
    Mrk
     
  9. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,128
    You're a riot.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    More of a protest really.
    Mrk
     
  11. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,128
    laughs
     