Firewall - why is there nothing useful for Linux or BSD?

What a fucking disaster.
No per-application rules, no easy-to-use rule toggle, no pop-up about blocked apps so default deny policy is pain in the ass, no "allow once" option.

How come there is no proper application firewall for Linux clients in 2017? If I want to only block the shitty calculator to automatically request currency rates through HTTP, I still can't do that with the firewall.

So I searched: linux per application firewall

and now I'm going to say; you're a fag.

If you're the author of one of those results, then I apologise and would like to congratulate you on your deceitful choice of advertising strategy.

...

man iptables

what's wrong with iptables?
also, firewalld has some neat features, I hear

Iptables has no application-specific rules.
To be honest this is a huge problem on Linux desktops. Setting rules for torrenting is like turning off the firewall completely.

OpenBSD's pf is the standard to beat.

You can do application profiles in ufw. I think that's about as easy as it's going to get on Linux.

nftables; iptables' replacement.

...

Not really since you can choose your ports for torrenting.
If you really want per application control, you're supposed to use stuff like firejail --netfilter. The logic is sound, but a GUI taking care of this (firejail) is indeed missing.

Isn't NetBSD's npf supposed to be better?

lol remember when HIPS and HIDS were a meme? wasn't that in 2005 or something?
kys. the rest of your post is just retarded. "host based firewalls" are and always will be easy to bypass.

Neither pf, nor npf, nor netfilter have application-based rules.


ufw's profiles are simply predefined iptables rules for those who don't know which application uses which port by default. It is just a FAQ.
The rules are applied system-wide, not per application.


Good luck torrenting with a single outgoing port.


12 years later, and it is still an issue on Linux.
Sure, do it on Windows 7+ with a user account and I'll immediately give you a 5-digit bug bounty.

Loonix does per-user and per-group filtering you dumblebutt. Use something master-tier like Transmission-daemon on an isolated and locked down user account and perform firewall filtering/permitting for that user's apps and use of ports.

So you say you daemonize each app and run them as a different user? How does that apply to all the desktop distributions? Yeah there is Qubes-OS and you can run each app on a different computer too, and there are probably other hackarounds, but that doesn't negate the fact that the Linux world doesn't have an application firewall.

Still just another non-constructive rant thread though...

...the thread

want to help me out?
I'm setting up a NAS/router with an old desktop mobo and OpenBSD. I have no idea how to configure pf other than what guides suggest; I'd like to actually understand what the fuck it is I'm doing.
I'd like an accurate and concise book on home networking/networking in general if anyone knows one.

Douane and Leopard Flower are the two I keep running into in searches. Seems you have to compile either one.

github.com/evilsocket/opensnitch

reddit.com/r/openbsd/comments/59vae1/does_openbsd_or_any_os_have_a_event_log_where_you/d9ccp3u/

Compartmentalize each access scenario (no access, tor-only transparent access, clear access with firewall filter, clear access with no filter optional) into either users or groups in your firewall rules. Then perform a gksu run-as for the app as that user. The main/desktop user you're running in should have no net access whatsoever.

I see you did. Did it work out for your penis?

Douane is in a terrible state and Leopard Flower seems to be a dead project.
They support per-application rules, but they don't support protocol/port rules.


Thank you, this is something I was looking for.

Actually Outpost Firewall is the standard to beat.


Nice to see that the Linux world is waking up too.

OpenIndiana solves all your trouble. Get Solaris Trusted Extensions installed. Have comfy multilabel mandatory access control security built right into your CDE (or GNOME).

Correct me if I'm wrong, but Mandatory Access Controls are for denying things, while a firewall is for filtering.
While the former can break some applications (for example, if a program can't bind a port it may stop or give an error because that is an essential function for it to work), the latter just filters the traffic.

Kinda like denying you to say something versus censoring what you said.

Did you try doing this?
alias calculator="unshare -n calculator"

there's gufw (gui uncomplicated firewall) for that, for debian based systems

that sounds like unnecessary bloat

I wish Douane would get some attention since this is the perfect example of how something like this should work.


How is this bloat?

I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.

There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.

You don't need a pop-up, because you know in advance which programs are going to run on your computer, and what kind of network connections they need.
If you don't know what software is running on your computer you are not in control of it and should not use it at all. If you run software without knowing what it does you are a retard who should not use computers.

I can't get this to work with dbus

Iptables has per application rules
Easy to use rule toggles exist, iptables is ancient and has tons of frontends
Pop ups? Sounds gay but it's possible some front end does, I'm not sure. You can definitely write one in zenity in like 2 command lines

Actually do some research before you come spill your tears and autism into a board

I know you faggots have been moaning about Douane but just try it, it's the best fucking thing I have ever used in conjunction with (G)UFW. If you get any errors being spammed to the TTY just remove the line from its code and recompile it

Douane only works with systemdicks.

As a developer, I say these would be pretty useful features. Especially because Wireshark doesn't have application filter either...


Please show us an example.


Installing Douane adds application rules, but it drops the ability to define interface/protocol/address/port rules. It needs more development.


This is another issue that needs to be addressed.

gufw

Thanks for OpenSnitch!

It needs more attention.

Proprietary MacOS software proves itself as the Gold Standard to imitate.

...

...

pf can't tell the difference between process IDs. The Linux/BSD network stacks can't do it in general. Whitelist outgoing tcp port 80/443 and you allow internet access to every leaky software, not just your browser.

Linux is fucking shit

I have had a per-application firewall on windows for decades
Microsoft Windows beats the shit out of stupid Linux


No, idiot, you don't know when the software will use the network and in what way. It's the firewall that should tell you and ask for a decision.


Exactly.
Linux is a shithole.
Linux is FUNDAMENTALLY INSECURE. it's a spyware, botnet.
Any software that you run on linux can just connect anywhere and send anything.

Microsoft Windows is light years behind Linux when it comes to security and privacy.

I meant Linux is behind Microsoft Windows

I know exactly when, why and how the software running on my computer needs network access. Your problem seems to be that you are not in control of your own computer, and have no idea what software is running on it or what that software does.
People like you really should not use computers. Especially not with an internet connection.

It sounds like subconsciously you know this to be false.

I guess you're safe on windows where the wifi drivers don't work :^)

Edit the source, nimrod.

firejail /thread

Sure you do. Your software is open-source so it doesn't have any vulnerabilities, you run Gentoo and compile everything yourself, you never make a typo and would never fall for something like this nbu.gov.sk/skcsirt-sa-20170909-pypi/ , and you notice every unexpected outgoing network packet because your librain implant is connected to the kernel.


Typical pampered bitch who doesn't know what it actually takes to make anything. Link your fork or gtfo!

Anyone mentioning ufw, gufw or iptables is a moron.


Now that's something. Thanks.

what the fuck, you are still whining? as said in the thread, there are multiple easy to use per application firewalls for linux. just put net=none in your shitty calculator's firejail config file and your calculator doesn't have network access.
in the torrent software's firejail config you can type more complicated firewall rules. then when you have done all that, write some restrictions on what folders your calculator and torrent program can access and what not... easy? yes. if not kys yourself microsoft pajeet

Subgraph OS
/thread

I wish I could sweep 30 years of continuous fuckups, worms, viruses, spyware etc under the rug and sound like I know what the fuck I am talking about for muh ahpluccation fuhwull

showing notifications about blocked connections and asking the user whether to open a port or not is just a false feeling of security. same thing as some window$ anti-viruses showing a lot of false positives. how do you know whether the virus alert is a real threat or a false positive? no way, and you just more easily allow real viruses when you get a lot of false positives.

If linux was more popular it'd have those too. Nothing prevents a package from running malicious code.

On the other hand, if anything can connect anywhere, you have no security at all.

If you don't have open inbound ports with servers listening on them, you are very secure already. So in practice some program needs to connect to a server serving malicious content to get your computer infected. Browsers are the most obvious risk, though they are sandboxed by default, but if you double sandbox/virtualize your browser, you are much safer than with pf lists and manual allow / disallow. Servers are a different case ofc though.

no, just like the other user said, if you think that your problem is that you're using software you have no control over, from untrusted sources, without being able to review it.
do not run malicious software, retard.
even if there were a million linux viruses and malware programs out on the internet, it wouldn't be that fucking hard, given that's not how you install programs. If you do get them from the internet they come as source code you're free to inspect.

no, the people who add packages to the repos prevent that.

It's not just about malicious code. It's about basic privacy for average users.

Most open source projects don't really care if they leak a little bit of metadata to the internet.

The calculator is just one good example:
Take Libreoffice's theme picker for example. It downloads themes from the internet.
The dictionary in xfce uses an online dictionary. This was the biggest disappointment when I first tried Debian. It was supposed to be privacy friendly but when I opened the dictionary app it didn't say anything about sending every one of my words to an online server unencrypted...
Take Minitube, mpv. or the automatic package updates / ntp sync on many distributions.
Even Tor. What if torsocks has a bug like trac.torproject.org/projects/tor/ticket/8063 ? You don't get any alert that your software tries to access clearnet.
Or what happens when you accidentally click on your bittorrent app while on a public wifi?

If these things don't affect you, it's ok. But don't be a dick and say it is not a problem. Trusting the operating system to control the network access properly is much better than trusting all the hundreds/thousand of applications and libraries.

Windows and even ReactOS do it much better when it comes to firewalls.

This project may be the solution, thank you for linking it here!

Damn, fucking CIA niggers are still on this board...

You're not safer by just sandboxing the browser. That only takes care of the browser, and it would be just as much a headache to sandbox it properly as to manage pf lists (which at least enforce the behavior of *everything* on your system, not just some browser).
Sandboxing the browser doesn't help you avoid mistakes like the earlier example (starting your bittorrent client on public wifi). You can try to sandbox every single program, but you might just miss one and that might be all that it takes to leak information. Even programs that you don't normally use can one day be a problem. Maybe a shell script you run one day uses mail/mailx to send stuff. Or a new version of a program starts sending telemetry or querying a host for whatever. Are you going to check *every* single program's source code each time you update your system? Who even has time for that? But even if you do, you may well miss something. The OpenBSD project spent a lot of time manually auditing code for years, but that didn't catch everything. There is always something hiding in non-trivial code.


Go ahead and review firefox (and all its libraries) then. Prove that it doesn't contain anything that's malicious or could be used in a malicious way if leveraged properly by a clever hacker or data miner.

Simple:
1.) Has anyone really been far even as decided to use even go want to do look more like?

2.) Layer 3 > Layer 7

Faggot.

sigh
This is an old argument, has been proven wrong many times. You are surrounded by Linux boxes, your argument is invalid.

This is endemic to many of the GUI and desktop environments. If you want more privacy, get away from those. Some alternatives:
bc(1) - arbitrary-precision arithmetic language and calculator
wn(1) - command line interface to WordNet lexical database

I'll also point out that the Lynx browser pretty much avoids all web beacons. No frames, CSS, javascript. You can even turn off the cookies or compile it without cookie support. The only images that get loaded (into an external viewer, natch) are the ones you explicitly select. So here you have a browser that pretty much makes only the necessary network connection that you asked it to, and nothing more. This is in stark contrast to everything modern that follows the (((W3C))).

wut?

but ontopic, you can hack iptables into being an outbound firewall by running your processes under different user IDs, then chaining rules to those user IDs that permit specific outbound traffic for each application and default denying the rest.
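An added example (not code from the thread) of the approach in this post and the earlier Transmission-daemon posts: each network-using program runs as its own Unix user, OUTPUT default-denies, and iptables' owner match opens only what that user's program needs. The user names browser, transmission and calc are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: per-uid outbound filtering with iptables.
# Hypothetical users: "browser" (DNS + HTTP/S), "transmission" (any tcp/udp),
# and "calc", which has no rule and is therefore dropped and logged. Note that
# root-owned tools (package manager, ntp) would need their own rule too.

# Emit the rule set, one iptables command per line, without executing it.
gen_rules() {
    cat <<'EOF'
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner browser -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner browser -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner transmission -p tcp -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner transmission -p udp -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DENY: " --log-uid
iptables -A OUTPUT -j DROP
EOF
}

# Number of ACCEPT rules granted to a given Unix user (0 means fully denied).
rules_for_user() {
    gen_rules | grep -c -- "--uid-owner $1 " || true
}

# Load the rule set; needs root. Denied attempts show up in the kernel log
# with the "OUT-DENY:" prefix and the UID of the process that made them.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | sh -e
}

# Start a program as its dedicated user so the owner match applies to it,
# e.g.  run_as transmission transmission-daemon -f
#       run_as calc gnome-calculator   (no rule: every connection is dropped)
run_as() {
    user=$1; shift
    sudo -u "$user" -H -- "$@"
}
```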

this
also remember how Ubuntu stole your local search history and sold to advertising companies
open source & linux = botnet
I am staying on Windows

>Even Tor. What if torsocks has a bug like trac.torproject.org/projects/tor/ticket/8063 ? You don't get any alert that your software tries to access clearnet.
Also this. On windows I don't need to trust my software that it won't have bugs and will connect through Tor when I configure it to. Because if a piece of software tries a clearnet connection my firewall will stop it and notify me.
One example is using youtube-dl with Tor. If you use the built-in proxy settings, and the video needs ffmpeg (for HLS), youtube-dl will run ffmpeg without Tor/proxy, as ffmpeg doesn't support SOCKS proxies. If I was on Linux, I would be fucked, ffmpeg would make a clearnet connection, but because I am on Microsoft Windows, I am safe, my firewall will stop ffmpeg from making clearnet connections. That's why Microsoft Windows is superior to Linux when it comes to security and privacy.

8/10 Now this is what a good troll looks like. You're a cut above the rest.

It's like he doesn't even use a terminal.

Hardcore network LARPer here. It's easier/more ROBUST than that, now. You can launch an app in a separate namespace (check ip netns) and put one side of a veth device in the namespace's route table as the default. Then filter on the other side of the veth device on the host. You're guaranteed every packet produced by that program will get filtered even if it does something like make a call to wget. Be sure to use a modern kernel as veth performance used to be shit.
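The namespace-plus-veth setup described in this post, as an added example that is not the poster's code: the program lives in its own network namespace whose only route is the host end of a veth pair, so every packet it emits crosses FORWARD on the host, where the policy is enforced. Namespace name app, interface names veth-host/veth-app, the 10.200.1.0/24 addresses, uplink eth0 and the APP_USER variable are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one program in its own netns behind a
# veth pair, with the per-app policy on the host side of the veth.
# Assumed names: netns "app", veth ends "veth-host"/"veth-app", 10.200.1.0/24
# for the pair, uplink "eth0"; DNS inside the netns comes from
# /etc/netns/app/resolv.conf if you create it.
NS=app; HOST_IF=veth-host; NS_IF=veth-app
HOST_IP=10.200.1.1; NS_IP=10.200.1.2; UPLINK=eth0

# Host-side policy for packets arriving from the namespace on veth-host:
# DNS and HTTP(S) pass, everything else is logged ("NS-DENY:") and dropped.
policy_rules() {
    cat <<EOF
iptables -A FORWARD -i $HOST_IF -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $HOST_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $HOST_IF -m limit --limit 5/min -j LOG --log-prefix "NS-DENY: "
iptables -A FORWARD -i $HOST_IF -j DROP
iptables -A FORWARD -o $HOST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $NS_IP -o $UPLINK -j MASQUERADE
EOF
}

# Build the namespace and plumbing; needs root.
ns_setup() {
    ip netns add "$NS"
    ip link add "$HOST_IF" type veth peer name "$NS_IF"
    ip link set "$NS_IF" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    ip -netns "$NS" addr add "$NS_IP/24" dev "$NS_IF"
    ip -netns "$NS" link set "$NS_IF" up
    ip -netns "$NS" link set lo up
    # The namespace's only route is the host end of the veth, so even a
    # child process (wget, ffmpeg, ...) cannot reach anything unfiltered.
    ip -netns "$NS" route add default via "$HOST_IP"
    sysctl -qw net.ipv4.ip_forward=1
    policy_rules | sh -e
}

# Run a program inside the namespace, dropped to an unprivileged user.
ns_run() {
    ip netns exec "$NS" sudo -u "${APP_USER:?set APP_USER}" -H -- "$@"
}

case "${1:-}" in
    setup) ns_setup ;;
    run) shift; ns_run "$@" ;;
esac
```

Usage: `sudo sh script.sh setup` once, then `sudo APP_USER=alice sh script.sh run transmission-gtk`.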

Nice, thanks.

The Book of PF, 3rd Edition, by Peter N. M. Hansteen

How do you figure out that it is the legit software trying to connect to tor in a legit way instead of just binding a port on a remote ip and leaking data in cleartext? Do windows firewalls perform DPI?

Though I agree that Linux needs some sort of permissive gui front-end for firewall in order to teach normies basic networking stuff. Tails has a good and bad example at the same time. It shows all Tor streams in real time but when you pick bridges it refuses to show their IP addresses, same as Tor browser, very cool ha-ha.

...

brainlet freetards cant comprehend this

checkmate payfags

lrn2google faggot

what is sg?

OpenSnitch is no longer maintained. Another one-man project abandoned by its author...

I'm pretty sure Illumos based operating systems have no problem running X applications in separate Zones, and each Zone can get its own net configuration.

I don't understand why people ignore this and say it is not an issue.

I was going to post SELinux, but it explicitly says it is not a firewall: selinuxproject.org/page/FAQ#Is_SELinux_a_firewall.3F Can someone tell how correct is the analogy by ?

Comparing a sandbox to a firewall is really dumb tbh. Not to mention you can't firejail everything in Linux.

MAC frameworks/sandboxes are for layer 7