Outbound Protection Like Comodo Personal Firewall

Discussion in 'all things UNIX' started by artic0, Jul 7, 2016.

  1. artic0

    artic0 Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    6
    Location:
    usa
    I am making a move to Linux from Windows as my primary PC for being on-line. I really liked Comodo's Personal Firewall on Windows where I was given a chance to learn what software on my machine was trying to connect to the internet. Also, it was my understanding that Comodo took extra steps to make sure that software could not trick its way past the firewall by invoking other processes to mask its EXE, such as Internet Explorer or Run.dll.

    On Ubuntu MATE 16.04 I have gufw protecting against all inbound traffic, which I believe is a bit redundant given that Ubuntu apparently has all ports closed by default. Outbound traffic, however, is wide open unless I choose to turn it off completely. And at that point I might as well unplug my ethernet cable. So I would like Firefox (running in firejail) and Ubuntu update/software services to be able to get out, but I would like to start checking everything else. For instance, I may wish to use a Jetbrains IDE product that requires license registration on purchase to talk to one of their servers, but after I register the product I don't need it continuing to phone home reporting my usage or whatever.

    Are there any good open source options out there? Open source is obviously preferable to something like Comodo which may have hidden code phoning home. Hopefully not, but I may have placed too much trust in that company. Thanks in advance!
     
  2. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    The best application I can think of is Douane. Arch Linux has it in the AUR; there's an Ubuntu PPA for it if you use Kubuntu, Ubuntu, Xubuntu, or any other distro that uses Ubuntu repos. This does (I think) exactly what you want. Here's a link to the github page so you can get an overview: https://github.com/Douane/Douane

    Now, if *I* wanted to accomplish what you were trying to accomplish, I'd use ufw (uncomplicated firewall, cli based) and wireshark (packet sniffer). This way is more stick-shift than automatic, but it's another way. Its biggest limitation is not being able to necessarily know which application is attempting to access which IPs. Of course after reverse lookups on the IPs you can pretty easily determine which applications are attempting to access the net.

    You'd fire up wireshark on your wireless device and watch the packets as they leave. Either do reverse lookups on the IPs or refrain from using services (other than the one you're profiling) and watch what IPs are being accessed. The benefit of this approach is you get to see everything coming out of or going into your computer, on what port, whether it's encrypted or not, etc.

    While I personally don't know of a way to control IP access by program/process (other than Douane listed above) with ufw, who cares? You can explicitly blacklist an IP or IP range with ufw, or block everything out and whitelist IP ranges (not likely feasible on a desktop setup), and since likely only that application is going to try and access that IP, it doesn't really matter if it's blocked globally to all apps or only 1 specific app. I *think*, unless I'm missing something?

    You can also use a simple application called nethogs to see which processes are pulling data from a network device, but it's more oriented towards seeing how much bandwidth a process is using, not the IPs it accesses.

    I mention ufw because it's a fantastically easy to use interface for a firewall, and very powerful. I should note that ufw is a frontend to iptables, which itself is a frontend to netfilter built into the Linux kernel. ufw tries to make configuring a firewall painless, and it does that pretty well, so keep it in mind if Douane won't do exactly what you need.
     
  3. artic0

    artic0 Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    6
    Location:
    usa
    Thanks, I haven't heard of this Douane at all. It does look to be a perfect fit for the GUI based application control I was looking for that Comodo provided on Windows. I did a search in apt-cache and it doesn't appear that there is a package for it. Doing a general internet search I came across this http://www.dedoimedo.com/computers/linux-per-application-firewall.html which suggests I have a somewhat tricky build and configuration process ahead, with the author of the page suggesting that Douane's creator is probably an Arch Linux guy:

    I have heard about Wireshark and wanted to start playing around with it but it is acting up about security permissions. A simple search found that it's a problem that has been going on for years in Ubuntu, but the fix just created another security permissions issue which has made the program useless. You mention "wireless device". I'm using it on a computer that isn't using wireless, but a direct ethernet cable connection to the router. Maybe that is part of the problem?

    Also have looked a bit at ufw and iptables (using gufw, which is just a pretty simple gui on top of ufw) but it was simply going to involve more learning/time than I currently have. Something I'm definitely interested in diving into more; it just doesn't seem quick, and with Wireshark acting up I can't really see what type of traffic is taking place anyway.

    At some point I'm hoping to get a Raspberry Pi that I can actually use as a dedicated firewall (hoping it maybe works well with this Pi-Hole setup that I've heard so much about) instead of the actual computer that I'm using to surf and connect. Currently nothing stands between this computer and my ISP router.

    Appreciate the help.
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    It's not in the repos; you'd need to add a PPA. I should note: the entire PPA process is questionable in the first place from a security standpoint. Looking closer at Douane it doesn't seem to have been actively developed since 2014, so hopefully that doesn't mean it won't work. The good thing is the PPA itself seems to be run by the developer of Douane, so.. Here's a link to the PPA I found: https://launchpad.net/~zedtux/archive/ubuntu/douane

    I wish I could test for you to see if in fact the PPA listed will work with the latest Ubuntu (or 16.04), but I'm on Arch and have no available Ubuntu install. Most of the packages seem to be packaged for Precise or earlier when I follow the actual http link, but the repo line on the PPA address indicates Ubuntu 16.10's codename, so I dunno :/

    Wireshark can be used on anything. It can be used on tun interfaces (like used for VPN use, etc) to see packets before being sent encrypted, on the wireless device itself (to ensure that all packets are encrypted if using VPN), ethernet devices, etc etc. It's a beast :) You can even use Wireshark for scanning packets that come out of a VM via KVM (and prolly virtualbox or whatever.. I use KVM).

    In terms of wireshark's permission issues, have you consulted the Wireshark Arch wiki? Specifically the section about adding a user to the wireshark group? That's what I have set up on Arch and it works for me without having to run it as root. See: https://wiki.archlinux.org/index.php/wireshark

    FYI, the Arch wiki is a great resource for any Linux related questions regardless of what distro you use.

    Please don't be intimidated by ufw on the cli. A lot of these guides go into very esoteric setups where you see 5001 commands covering every use case and then you think "welp that isn't for me.." But really, it's not that bad. I set up the following setup: deny all out, deny all in, deny all routed, allow multicast, allow all out on tun0 (for vpn, which is when I use a firewall; otherwise I'm behind my router at home), and allow out to the specific entrance IP of my VPN service (for authentication), and I did it all with 6 commands that weren't even close to hard. Your setup might only differ from mine in that you don't use a vpn (so no need for the tun0 rule), you don't wish to block all out (so no need for that rule either), and maybe you need to block a few IP addys or IP ranges (so add a few rules there). Again, check out the Arch wiki for ufw and it will get you started IF Douane doesn't work out for you.

    Finally, and don't take this as me trashing Ubuntu as that is where I got my start in Linux (back on 6.10 Edgy Eft), consider trying another if this one isn't working for you. Perhaps if the wireshark issue remains consider Debian (which Ubuntu is based off of), Mint (though ask here first because some tiers of updates for security need to be enabled), or Fedora. Speaking of Fedora, I'm pretty sure you could use SELinux to restrict access to specific IPs, but holy hardcakes batman, SELinux is not for the faint of heart. It comes ready to go on Fedora, so if you're brave have at it.
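    The two ufw policies discussed in this thread, written out as a script. This is an added example, not Anonfame1's own commands: `vpn_ruleset` is the six-rule "deny everything, allow tun0 and the VPN entry IP" setup from post 4, and `desktop_ruleset` is the artic0 variant (outbound allowed by default, specific IPs or ranges denied) from posts 2 and 4. `VPN_ENTRY_IP` and the 203.0.113.0/24 / 198.51.100.x addresses are placeholders from documentation address space; replace them with your own. By default the script only prints the commands; `APPLY=1` runs them, which needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the ufw commands for two policies;
# set APPLY=1 to execute them (requires root and the ufw package).

# Placeholder: your VPN provider's entry/authentication server address.
VPN_ENTRY_IP="${VPN_ENTRY_IP:-198.51.100.10}"

# Post 4 policy: deny all in/out/routed, allow multicast out, allow everything
# out over the VPN tunnel, and allow plain traffic only to the VPN entry IP
# (add "port 1194 proto udp" to that line if you know your VPN's port).
vpn_ruleset() {
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
ufw allow out to 224.0.0.0/4
ufw allow out on tun0
ufw allow out to $VPN_ENTRY_IP
EOF
}

# artic0 variant: inbound closed, outbound open, plus one deny rule per
# address or CIDR range passed as an argument.
desktop_ruleset() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
EOF
    for net in "$@"; do
        echo "ufw deny out to $net"
    done
}

# Read commands from stdin; print them, or run them when APPLY=1.
# "ufw enable" is deliberately not included so you can review first.
apply_ruleset() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Usage (prints by default):
#   vpn_ruleset | apply_ruleset
#   desktop_ruleset 203.0.113.0/24 198.51.100.7 | apply_ruleset
#   APPLY=1 vpn_ruleset | apply_ruleset && ufw enable   # as root
```

    After applying, `ufw status verbose` shows the default policies and the rule list, and `ufw show added` lists the rules exactly as they were entered, which is the quickest way to check the script did what you expected.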
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    In iptables, you can control traffic by user. For example, Tor in Debian etc runs as user debian-tor. I presume that you could configure any app to run as a particular user. Maybe something as simple as one user with network access, and another without.
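    The per-user approach mirimir describes, worked through as an added example (these are not mirimir's commands). It assumes a dedicated system account, here called `nonet` (a hypothetical name), and uses the iptables owner match so that any process running under that account is refused outbound traffic, with a LOG rule first so the attempts show up in the kernel log. The script prints the commands unless `APPLY=1` is set; applying them needs root.

```shell
#!/bin/sh
# Added example (not from the thread): a "no network" user enforced by the
# iptables owner match. Prints commands; APPLY=1 executes them (root required).

NONET_USER="${NONET_USER:-nonet}"   # hypothetical account name

# Create a locked-down system account with no home directory and no login shell.
create_nonet_user() {
    echo "useradd --system --no-create-home --shell /usr/sbin/nologin $NONET_USER"
}

# Outbound rules for that user: keep loopback so local IPC still works, log
# every other attempt (rate-limited so a chatty app cannot flood the log),
# then reject it. IPv6 gets the same treatment via ip6tables.
nonet_rules() {
    for fw in iptables ip6tables; do
        cat <<EOF
$fw -A OUTPUT -o lo -m owner --uid-owner $NONET_USER -j ACCEPT
$fw -A OUTPUT -m owner --uid-owner $NONET_USER -m limit --limit 5/min -j LOG --log-prefix "nonet-blocked: "
$fw -A OUTPUT -m owner --uid-owner $NONET_USER -j REJECT
EOF
    done
}

# Print or execute each command read from stdin.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Usage:
#   { create_nonet_user; nonet_rules; } | apply_cmds          # review
#   APPLY=1 sh -c '{ create_nonet_user; nonet_rules; } | apply_cmds'   # as root
# Then launch the program as that user, e.g.:
#   sudo -u nonet -H some-command
# and watch blocked attempts with:  journalctl -k -g nonet-blocked
```

    Two caveats: the rules live in the OUTPUT chain, so if ufw is also in use they need to be placed where ufw will not flush them (ufw's `/etc/ufw/before.rules` is the usual spot), and a GUI program started as a different user needs access to your display (XAUTHORITY or `xhost`), which is simplest for command-line tools and a hassle for a browser.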
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    FWIW, there is a script called Anfd (Ain't no firewall daemon) on wiki.ubuntuusers.de. The script is at the bottom of the article.

    I've never used it but it might be worth a try.
     
  7. artic0

    artic0 Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    6
    Location:
    usa
    I've got it working now. I'm going to go the route you suggested with ufw. I'll have to spend some time figuring out how to work with Wireshark to track which applications may be trying to phone home and blocking by the IP the application uses instead of the app itself. Might as well start learning some of the core of what is going on underneath the hood. Thanks!
     
  8. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    181
    @ artic0
    Welcome to Linux. I made the move some 3 years ago and never had any regrets. Enjoy yourself.
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Nice going artic0.
    I see a 'Must...compile...kernel' joke reference coming up soon.
     
  10. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Excellent! You will get a great picture of what your system is doing this way, and especially what plain-text (non-TLS) data is coming out of your computer.

    Make sure after you do a block of IP you monitor again with wireshark; some apps will use an IP range, and so blocking a single IP can result in the app using another. Note that this is much more of a problem on, for example, Windows 10 than it is on Linux. But it's still a good idea to make sure..
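    The "monitor again after blocking" check above, as an added example that is not part of the thread. It reads the kind of two-column output you get from `tshark -i eth0 -T fields -e ip.dst -e tcp.dstport` (tshark is Wireshark's command-line capture tool), groups the destinations into /24 networks, and flags any network where more than one host was contacted, which is the sign that an app is using a range rather than a single address. The capture lines are constructed, using documentation address space, and `sample_capture`, `dest_summary` and `suggest_rules` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise tshark "ip.dst<TAB>tcp.dstport"
# lines per /24 and propose ufw deny rules: a single host gets a host rule,
# a network with several hosts gets a /24 rule so the app cannot just hop IPs.

# Constructed capture: three hosts in 203.0.113.0/24, one in 198.51.100.0/24.
sample_capture() {
    printf '203.0.113.5\t443\n'
    printf '203.0.113.5\t443\n'
    printf '203.0.113.9\t443\n'
    printf '203.0.113.77\t80\n'
    printf '198.51.100.20\t443\n'
}

# stdin: tab-separated "dst_ip dst_port" lines (port may be empty for non-TCP).
# stdout: "<net>/24 <distinct hosts> <packets> <block target>", tab-separated.
dest_summary() {
    awk -F'\t' '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($1, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        if (!seen[$1]++) { hosts[net]++; last[net] = $1 }
        pkts[net]++
    }
    END {
        for (n in pkts) {
            target = (hosts[n] > 1) ? n : last[n]
            printf "%s\t%d\t%d\t%s\n", n, hosts[n], pkts[n], target
        }
    }' | sort
}

# Turn the summary into ufw commands (print only; run them yourself as root).
suggest_rules() {
    dest_summary | awk -F'\t' '{ print "ufw deny out to " $4 }'
}

# Usage with a live capture (stop with Ctrl-C, then feed the file):
#   tshark -i eth0 -T fields -e ip.dst -e tcp.dstport > capture.txt
#   dest_summary < capture.txt
#   suggest_rules < capture.txt
# Sample run:  sample_capture | suggest_rules
```

    Run the capture once with only the app you are profiling active, apply the suggested rules, then capture again: if the app is now talking to a host outside the blocked range, you have found the next range to add. Broad /24 denies can also catch unrelated services hosted on the same network, so check `ufw status` against what else stopped working.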
     