| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: john at johnleach.co.uk (John Leach) Subject: Application level firewall I think calling it "application level firewalling" is complicating the matter. I *think* that you want to be able to restrict what connections a process makes from the machine it's running on (Like Zone Alarm does with the little pop-ups "porn.exe wants to connect to www.worldshariestgirlsoncrack.com with your credit-card details, You sure?") I'm not sure about a nice socially engineerable GUI pop-up, but Netfilter allows you to restrict these connections using the OUTPUT chain on the FILTER table. Combined with the owner matcher you can achieve what you need. iptables -t filter -P OUTPUT DROP (drop by default) iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m owner --cmd-owner webbrowser -j ACCEPT Obviously an attacker could rename their process to get the same access so this isn't perfect, but I expect ZoneAlarm has the same issue. You can limit by owner uid too (--uid-owner) which is handy for ensuring your dns server can only do dns lookups and your smtp server can only do all the crazy things BIND does nowadays (assuming they are running as separate users). "Application layer firewalling" is a different matter (is this tcp port 1433 packet REALLY an SQL server connection? Are they submitting a query I don't like? What the hell are they thinking connecting this to the Internet? Is this thread actually on topic?) I wonder if someone has invented a mailing list topic firewall. listtables -t filter -s goon@...male.com -s "full disclosure" -s ! "porno" -j ACCEPT John. On Fri, 2003-10-17 at 13:02, Jason Freidman wrote: > Is there any sort of application level firewall for linux? Something > like Zone alarm where you can trust an application? I think that > openBSD has something that allows you to choose which system calls a > program can run. > > The idea would be to restrict a bind call and connect call using kernel > modules unless the program is in a config file. It would make it easier > (i would think) to lockdown a computer for outgoing connections as well > as add a new layer of security. -- GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047 HTTP: http://www.johnleach.co.uk -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031017/d7d17231/attachment.bin
Powered by blists - more mailing lists