
#1 2017-09-29 20:10:38

coolguy21
Member
Registered: 2016-07-05
Posts: 87

application based firewall

Hi guys,

I have 2 questions for security professionals in linux who can answer the following.

1. Are application/process based firewalls needed in linux as they are needed in windows (the likes of netlimiter, which allows you to control and block apps with ease)? If so, why; if not, why not?

2. If so, what app based firewall is best to use in arch for security?

Thanks.

Offline

#2 2017-09-29 20:56:32

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: application based firewall

Where do these questions come from? Your homework assignment?

Offline

#3 2017-09-29 22:36:28

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: application based firewall

From a teacher that has been re-using homework for more than a decade ;-)

@coolguy21
I assume you refer to "personal firewalls" here (though netlimiter is afaiu predominantly a traffic shaper) which were esp. popular at a time when "internet" meant "dial up with a modem connected to your windows box".

1. Those "firewalls" have *never* actually provided *any* security against outgoing traffic (though it was probably the main reason to use them, because photoshop tried to figure out online whether you were using an illegal copy)
This idea is fundamentally flawed, because malicious software on your system can deactivate the outgoing "firewall" anytime resp. rotate its fingerprint (usually the process name) pretty much at will. This was especially true on windows and is to a certain degree on linux.
(It worked in the photoshop case, though ;-)

2. Personal firewalls provided usable security against ingoing traffic which was significant at the time: there was no packet filtering router and on top of that windows opens a plethora of ports by default - iow. windows is/was very vulnerable and there was no difference between WAN and LAN.
This is different today, where you're usually behind some integrated router/switch which provides basic packet filtering of incoming traffic (regardless of NAT)
This feature however is not specific to "application/process based firewalls" but the typical behavior of *any* firewall.
Also, linux will not open anything and the kitchen sink (by default) - at least not on arch.

If you need to set up a high security environment (ie. the security provided by your router is insufficient or there is no consumer router itfp), a local firewall (same machine as the data) is a big no-no.
You need to set up a dedicated firewall. There are suggestions to use a virtual machine for this purpose (to save costs, but lowering security)

So to finally answer your question:
a personal firewall (in terms of security and the general case) is needed on linux as much as on windows. That is: "not at all".

If you still want to control outgoing traffic on a per-process basis, the general approach would be a combination of sg and iptables/netfilter - no idea about GUI config tools for this.
Inbound control is not application based by nature and can be achieved by iptables/netfilter alone. It's however not required on a typical network setup unless you have very specific worries/needs (limit inbound traffic to certain IPs etc.)
For traffic shaping see https://wiki.archlinux.org/index.php/Ad … ic_control but many tools have the ability to limit themselves.

Whether you want/need any of the above depends on your scenario and context - what do you *actually* want to achieve on what kind of system and why?

PS: if this is indeed for school homework, tell your teacher to tidy out his task pile
PPS: this is probably off topic or TGN

Offline

#4 2018-03-16 18:33:52

coolguy21
Member
Registered: 2016-07-05
Posts: 87

Re: application based firewall

@brebs - Nope, not an assignment. It was a genuine Q as I'm interested in hardening arch linux as best as possible.
@seth - Thanks for your reply.

What I want to achieve is a totally hardened arch linux system and the firewall is one concern for me as iptables is only port based. I want to be able to block any potential attacks that could occur at the application level and that the firewall may pick up some fishy unsolicited outbound connection somewhere which I can block.

The only option I've found is something called opensnitch.

Last edited by coolguy21 (2018-03-16 18:37:10)

Offline

#5 2018-03-16 19:30:16

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: application based firewall

a totally hardened arch linux system

seth wrote:

a local firewall (same machine as the data) is a big no-no

The answer to this is "downsizing" - what's not there isn't broken or malicious.

This post explains how to run a process with a certain GID and set up iptables to filter that GID.
https://serverfault.com/questions/55027 … s-on-linux

Again: this does NOT protect against malware! If you do not trust software, you'd have to run it in a virtual machine or https://wiki.archlinux.org/index.php/Firejail in order to gain security.

Offline

#6 2018-03-16 19:35:05

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: application based firewall

Have you looked into IDS systems such as snort?


No, it didn't "fix" anything. It just shifted the brokenness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#7 2018-03-17 00:48:46

coolguy21
Member
Registered: 2016-07-05
Posts: 87

Re: application based firewall

Slithery wrote:

Have you looked into IDS systems such as snort?

Snort seems to tick all the boxes for me so far.. but it's owned by Cisco which is a little concerning despite being "open source".

Offline

#8 2018-03-27 01:19:52

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: application based firewall

seth wrote:

If you need to set up a high security environment (ie. the security provided by your router is insufficient or there is no consumer router itfp), a local firewall (same machine as the data) is a big no-no.
You need to set up a dedicated firewall. There are suggestions to use a virtual machine for this purpose (to save costs, but lowering security)

Well, my laptop is often outside 'my' router and I can't very well carry around another machine to run a firewall every time I join a WIFI network (even if I'd be allowed to).

Running iptables locally has always seemed sensible to me - not, of course, for a really high security environment, but as a prudent contribution towards an ordinary-everyday level of security.

Actually, even on a LAN, I run iptables. Either because my router is old and I wouldn't trust it too far, or because the organisational firewall has an awful lot of users *inside* and the chances that they are all trustworthy is essentially zero. (That said, the attacks I see all come from forwarded ssh, so the firewall seems to do a decent job - I just wouldn't trust it to the extent of turning my machine's security off.)

I'm not sure if you're saying that this is wrong-headed and that I might as well save the resources and turn iptables off in one or both cases?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#9 2018-03-27 13:48:01

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: application based firewall

He said

What I want to achieve is a totally hardened arch linux system

and intended to use an "application/process based firewall".
That's nonsense.
1. local protection is never "totally hardened" - if I execute malicious code on your system, you lost.
2. "process based" implies that the trusted process is trustworthy - which means it cannot be abused/remote-controlled by my malicious code (which should not be running itfp ;-)

Of course there's a benefit in running a (local) IP table / netfilter in a "hostile" environment. If you need to run an ssh daemon and can constrain the access to a more trusted subnet (IP range of your direct co-workers), it helps to drop any inbound traffic to port 22 for other IPs.
Also, if you're not behind a NAT router, https://wiki.archlinux.org/index.php/Si … l_firewall is certainly a very reasonable idea (especially conntrack)

That said, network traffic is no magic: attacks only work because there's some daemon listening to a port. If you don't "need" things like ssh, smb, cups, ftp, http, ... and whatnot: do not run those services. What is not there, is not broken.

Offline
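An added shell example (not code from the thread or any of its posters) that puts seth's two suggestions together: the sg + iptables owner-match approach to cutting one process off from the network from post #5, and the conntrack-based inbound filter that only admits ssh from a trusted subnet from post #9. The group name nonet and the subnet 192.0.2.0/24 are assumed placeholders; iptables, sg and the owner/conntrack match modules are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) a
# minimal ruleset: inbound default DROP with conntrack, ssh only from a
# trusted subnet, and an OUTPUT reject for every packet sent by a process
# whose GID is a dedicated "no network" group.
# Placeholders (assumptions): group "nonet", trusted subnet 192.0.2.0/24.

NONET_GROUP="${NONET_GROUP:-nonet}"
TRUSTED_SUBNET="${TRUSTED_SUBNET:-192.0.2.0/24}"

# Emit the iptables commands, one per line, without applying them.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s $TRUSTED_SUBNET -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $NONET_GROUP -j REJECT
EOF
}

# Apply the ruleset; needs root (the verifier only calls build_rules).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    build_rules | sh -e
}

# Start a command with NONET_GROUP as its primary group so the OUTPUT rule
# matches its packets. This is opt-in: anything not launched this way
# (malware included) keeps full network access, which is exactly the
# limitation seth describes, so this is a leash for trusted software only.
run_without_net() {
    sg "$NONET_GROUP" -c "$*"
}

# Number of owner-match rules in the generated set (sanity check).
gid_rule_count() {
    build_rules | grep -c -- "--gid-owner $NONET_GROUP"
}
```

Usage: `run_without_net some-updater --check` after `apply_rules`; the first connection attempt from that process is answered with an ICMP reject instead of silently hanging.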
