* Control outbound access on a per-application level
From: Gustav Svensson @ 2002-10-02 15:46 UTC (permalink / raw)
To: netfilter
Is it possible to set "outbound" rules based on what binary application it is that
wants to access the Internet?
Just like what I'm used to when I run win32. In every firewall application there, I
get a message when some program is trying to access the internet. Then I can decide
whether to proceed with the action, or block it. On Linux I see nothing like this.
I'm having a concern with the RealPlayer. I would like to block it to reach any other
addresses but those to my favourite stations.
Sure, I could set up a rule for the port that RealPlayer is supposed to use, but what
guarantee do I have that it isn't capable of using some other port, like 80 for example?
Assume it does use the port 80. Then it would be impossible to stop without a rule like
mentioned here. Because I would want Galeon to have access to any address on port 80,
so I have to leave it wide open. It would be better if I could allow this privilege to
Galeon only, not to any program that uses port 80. Is this feasible, if so how?
Gustav
______________________________________________________
The internet starts here!
Get free e-mail and internet at Spray http://www.spray.se
* Re: Control outbound access on a per-application level
From: Cedric Blancher @ 2002-10-02 15:38 UTC (permalink / raw)
To: Gustav Svensson; +Cc: netfilter
On Wed 02/10/2002 at 17:23, Gustav Svensson wrote:
> Is it possible to set "outbound" rules based on what binary application it is that
> wants to access the Internet?
You can use the --cmd-owner switch from the owner module (latest patch-o-matic),
which provides you the ability to choose a command name.
But unfortunately, it just matches the command name, and does not check
the binary's location in the filesystem. If I authorize the ping command, anyone
who launches a command called ping will be granted (e.g. ln -s
/usr/bin/ssh ping), whatever it is. Which means it is imho quite
ineffective on systems where users can build and/or install their own
stuff, even if you consider hardening command filtering with other
stuff:
iptables -A OUTPUT -m owner --cmd-owner ping -p icmp \
--icmp-type echo-request -j ACCEPT
I have yet to launch a tool that communicates over ICMP, as an example.
I was considering a device/inode check, but I am afraid it is far over
my skills to add this to that very module. You would give iptables the
complete path and the tool would get the device ID and inode number for the
binary and store it as the match. Then, Netfilter checks the file that owns
the socket, checks its device ID and inode number and takes the decision.
My 2 cents of euro.
--
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
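The two ideas in the reply above (a match keyed to a binary's device ID and inode rather than its command name, and the fact that the owner match only sees a property of the sending process) can be illustrated with a small script. This is an added example, not code from the thread or from the netfilter project. It assumes GNU coreutils (stat -c) and a Linux iptables whose owner match provides --uid-owner; the --cmd-owner switch from patch-o-matic is not assumed. The host addresses and account names are constructed placeholders.

```shell
#!/bin/sh
# Added example for the netfilter thread on per-application outbound control.
# Assumes GNU stat and an iptables owner match with --uid-owner (hypothetical
# account names and constructed destination addresses below).

# Device ID and inode number of the binary a path ultimately refers to.
# Symlinks are followed (-L), so a symlink named "ping" that points at ssh
# reports ssh's identity. This is the check that a name-only match lacks:
# the name can be chosen by any user, the device/inode pair cannot.
binary_identity() {
    stat -L -c '%d:%i' "$1"
}

# Emit iptables commands that confine one application to a destination set.
# The application is run under its own Unix account ($2), so the owner match
# keys on that account instead of on a command name. $3 is a space-separated
# list of host:port pairs (host may be a CIDR prefix); any other TCP traffic
# from that account is rejected. Commands are printed rather than executed
# so the resulting policy can be reviewed before being piped to sh.
emit_app_policy() {
    app=$1
    user=$2
    allowed=$3
    echo "# $app: outbound TCP policy for account '$user'"
    echo "iptables -N out_$app"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -j out_$app"
    for pair in $allowed; do
        host=${pair%:*}   # everything before the last ':'
        port=${pair##*:}  # everything after the last ':'
        echo "iptables -A out_$app -p tcp -d $host --dport $port -j ACCEPT"
    done
    echo "iptables -A out_$app -j REJECT"
}

# Demonstration with constructed values: RealPlayer is pinned to two stations
# (TEST-NET-2 documentation addresses), Galeon may reach any host on port 80.
binary_identity /bin/sh
emit_app_policy realplayer realplay "198.51.100.10:554 198.51.100.11:554"
emit_app_policy galeon galeon "0.0.0.0/0:80"
```

The owner match only applies to locally generated packets (the OUTPUT chain), and the guarantee here comes from running each program under a separate account, not from the program's name or path; a binary copied or renamed by the same user still runs as that user and is still confined. If the allowed destinations are given as host names rather than addresses, the account also needs a rule permitting DNS.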
* Re: Control outbound access on a per-application level
From: Mitesh P Choksi @ 2002-10-02 18:51 UTC (permalink / raw)
To: gurra16; +Cc: netfilter
An application in Windoze called Personal Firewall does this. It somehow
does a checksum on the .exe file and then compares, but it is a user-level
firewall and not kernel level.
Regards,
Cyberdude Murli
The Earth