lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1066398264.1886.20.camel@peppard.dark.lan>
From: john at johnleach.co.uk (John Leach)
Subject: Application level firewall

I think calling it "application level firewalling" is complicating the
matter.

I *think* that you want to be able to restrict what connections a
process makes from the machine it's running on (Like Zone Alarm does
with the little pop-ups "porn.exe wants to connect to
www.worldshariestgirlsoncrack.com with your credit-card details, You
sure?")

I'm not sure about a nice socially engineerable GUI pop-up, but
Netfilter allows you to restrict these connections using the OUTPUT
chain on the FILTER table.  Combined with the owner matcher you can
achieve what you need.

iptables -t filter -P OUTPUT DROP (drop by default)
iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m
owner --cmd-owner webbrowser -j ACCEPT

Obviously an attacker could rename their process to get the same access
so this isn't perfect, but I expect ZoneAlarm has the same issue.  You
can limit by owner uid too (--uid-owner) which is handy for ensuring
your dns server can only do dns lookups and your smtp server can only do
all the crazy things BIND does nowadays (assuming they are running as
separate users).
 
"Application layer firewalling" is a different matter (is this tcp port
1433 packet REALLY an SQL server connection?  Are they submitting a
query I don't like?  What the hell are they thinking connecting this to
the Internet?  Is this thread actually on topic?)

I wonder if someone has invented a mailing list topic firewall.
listtables -t filter -s goon@...male.com -s "full disclosure" -s !
"porno" -j ACCEPT

John.

On Fri, 2003-10-17 at 13:02, Jason Freidman wrote:
> Is there any sort of application level firewall for linux?  Something
> like Zone alarm where you can trust an application?  I think that
> openBSD has something that allows you to choose which system calls a
> program can run.
> 
> The idea would be to restrict a bind call and connect call using kernel
> modules unless the program is in a config file.  It would make it easier
> (i would think) to lockdown a computer for outgoing connections as well
> as add a new layer of security.
-- 
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
   HTTP: http://www.johnleach.co.uk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031017/d7d17231/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ