Linux Archive > Debian > Debian User
05-04-2008, 06:58 AM
frits

full control of connections

Hello,

I used to run kernel 2.6.13 because it had the old iptables, that
allowed to include the applications in the firewall rules.

Since 2.6.13 is a bit old I decided to leave it behind. However, I like
the functionality. I want to be able to select which applications can
connect to the Internet, preferably controlling address and port too.

You might wonder why. Applications running on wine should never connect
anywhere, email spammers use all kinds of tricks to see if I open the
message, some applications call home, etc. I do not want that.

Does Debian have a usable mechanism to control network connectivity on a
per-application basis? I looked into selinux once, but that was a real
pain.

Thank you,
F.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
05-04-2008, 07:28 AM
NN_il_Confusionario

full control of connections

> * From: frits <frits7@vulkor.net>
>allowed to include the applications in the firewall rules.

man iptables in etch still shows

owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets.

besides,

grep -i owner /boot/config-2.6.*
/boot/config-2.6.18-nn:CONFIG_IP_NF_MATCH_OWNER=m
/boot/config-2.6.18-nn:CONFIG_IP6_NF_MATCH_OWNER=m
/boot/config-2.6.8-3-powerpc:CONFIG_IP_NF_MATCH_OWNER=m

so both sarge and etch should work with this (however, I do not use it)

>You might wonder why. Application running on wine should never connect
>anywhere,

for using untrusted applications it might be a good idea to use a
_specific_ user. For example, I have a specific user for e-mail, a
specific user for www, a specific user for ssh, all with a private group
and umask which permits the group to read and no one else to write; each of
these users is only in its private group. My "regular" user which I use
to manipulate my locally created files (.tex .ly .denemo .mid .wav ...)
is on the contrary in special groups (audio, ...) and in the private
groups of the above users.


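The two mechanisms this post describes, the iptables "owner" match and a dedicated account per untrusted application, combined into one added shell example. This is not code from the thread; the user names, the mail server address and the ports are assumptions. Only --uid-owner is used, because the man page quoted later in the thread flags pid/sid/cmd matching as broken on SMP. Generating the ruleset runs as any user; loading it needs root and iptables-restore.

```shell
#!/bin/sh
# Added example, not from the thread. Run an untrusted program as its own
# user, then filter that user's outbound traffic with the iptables "owner"
# match (uid only). All names, addresses and ports here are hypothetical.

# Print an iptables-restore ruleset for the filter table.
#   $1  user that must never reach the network (e.g. the account wine runs as)
#   $2  user allowed out only to tcp $3:$4 plus DNS (e.g. a mail-only account)
# The owner match only sees locally generated packets, so the rules sit in
# OUTPUT; every other user keeps the ACCEPT policy. Loopback stays open so
# local sockets (resolver, X over TCP) keep working; drop that line to cut the
# blocked user off completely.
gen_owner_rules() {
    blocked="$1"
    limited="$2"
    dest="$3"
    port="$4"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:APP_EGRESS - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j APP_EGRESS
-A APP_EGRESS -m owner --uid-owner $blocked -j REJECT
-A APP_EGRESS -m owner --uid-owner $limited -p udp --dport 53 -j ACCEPT
-A APP_EGRESS -m owner --uid-owner $limited -p tcp -d $dest --dport $port -j ACCEPT
-A APP_EGRESS -m owner --uid-owner $limited -j REJECT
COMMIT
EOF
}

# Load the ruleset. iptables-restore replaces the whole filter table, so
# merge these rules into an existing policy before using this on a box that
# already has one.
apply_owner_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_owner_rules: root required to load rules" >&2
        return 1
    fi
    gen_owner_rules "$@" | iptables-restore
}

# Create the locked-down account with its own private group, as the post
# describes: no login shell, nothing shared with the interactive user.
# Only prints the command when not root, so the script is safe to read through.
make_app_user() {
    name="$1"
    if [ "$(id -u)" -eq 0 ]; then
        useradd --user-group --create-home --shell /usr/sbin/nologin "$name"
    else
        echo "would run: useradd --user-group --create-home --shell /usr/sbin/nologin $name"
    fi
}

# Run a program as the dedicated user, e.g. run_as_app_user wine wine app.exe
# DISPLAY/XAUTHORITY handling for GUI programs is left to the caller.
run_as_app_user() {
    name="$1"
    shift
    sudo -u "$name" -H -- "$@"
}

# Show the ruleset for a blocked "wine" account and a mail-only "mailuser"
# that may only reach 192.0.2.10:993 (hypothetical addresses).
gen_owner_rules wine mailuser 192.0.2.10 993
```

The REJECT on the blocked user gives the application an immediate error instead of a hanging connect, which makes misbehaving programs easier to spot in its logs; the final REJECT for the limited user is what turns the allow-list into a real boundary. The ordering matters: the two ACCEPT rules for the limited user must precede its catch-all REJECT, and any rule for a new account goes above that line.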
 
05-05-2008, 04:00 PM
frits

full control of connections

On Sun, May 04, 2008 at 09:28:03AM +0200, NN_il_Confusionario wrote:
> > * From: frits <frits7@vulkor.net>
> >allowed to include the applications in the firewall rules.
>
> man iptables in etch still shows
>
> owner
> This module attempts to match various characteristics of the packet creator, for locally-generated packets.

On the same page:
NOTE: pid, sid and command matching are broken on SMP

Most modern processors are SMP, and it really appears broken.

The idea of different users is not really usable. I use my systems to
work.

Any idea when --cmd-owner gets fixed?


 
05-05-2008, 06:12 PM
NN_il_Confusionario

full control of connections

> * From: frits <frits7@vulkor.net>
>The idea of different users is not really usable. I use my systems to
>work.

this is interesting: it is the first time that I hear about unix
multiuser capabilities (to run applications side by side as different
users) being "not really usable". Can you elaborate?


 
05-07-2008, 04:58 PM
frits

full control of connections

On Mon, May 05, 2008 at 08:12:26PM +0200, NN_il_Confusionario wrote:
> > * From: frits <frits7@vulkor.net>
> >The idea of different users is not really usable. I use my systems to
> >work.
>
> this is interesting: it is the first time that I hear about unix
> multiuser capabilities (to run applications side by side as different
> users) being "not really usable". Can you elaborate?

I read it as role-based internet access. I want application based
access.

F.


 
05-07-2008, 07:12 PM
NN_il_Confusionario

full control of connections

On Wed, May 07, 2008 at 04:58:08PM +0000, frits wrote:
> On Mon, May 05, 2008 at 08:12:26PM +0200, NN_il_Confusionario wrote:
> > > * From: frits <frits7@vulkor.net>
> > >The idea of different users is not really usable. I use my systems to
> > >work.
> > Can you elaborate?
> I read it as role-based internet access. I want application based
> access.

If you want this,

application based firewall - Google Search
http://www.google.com/search?q=application+based+firewall&num=100

finds immediately

TuxGuardian - An application-based firewall
http://tuxguardian.sourceforge.net/

But I suspect that this two-year-old software will not work with the
CONFIG_SECURITY_CAPABILITIES=y
kernel option.

I have absolutely no experience in such things, partly because I am
unable to see security advantages of application-based firewalls over
role-based ones.

--
Whoever uses non-free software poisons you too. Tell them to stop.
Computing=arsenic: minimal doses in rare pathological cases, otherwise lethal.
Computing=bomb: smart only for the stupid who believe in it.


 
