Message-ID: <12574260FBFBD411BD4E000102A9123E02D3C26C@gandalf.dilloncs.de>
From: Andriy.Bilous at sabre-merlin.de (Andriy Bilous)
Subject: Application level firewall
Some personal firewalls on Windows are using checksums for every application
trying to access a network device. Yesterday I upgraded mIRC and got a
warning about this. iptables, unfortunately, doesn't provide such
functionality out of the box. Luckily, it has an open API and extends well
over the kernel modules facility. What you speak about has a different name
- "content filtering".
Andriy Bilous
-system administration-
CCNA, CCNP Certified
dcs DILLON COMMUNICATION SYSTEMS GmbH & Co. KG
Weidestraße 122 b
D-22083 Hamburg
phone +49 40 27 83 82 184
fax +49 40 27 83 82 999
mailto:andriy.bilous@...re-merlin.de
http://www.sabre-merlin.de
> -----Original Message-----
> From: John Leach [mailto:john@...nleach.co.uk]
> Sent: Friday, October 17, 2003 3:44 PM
> To: jason.full-disclosure@...pnski.com
> Cc: Full-Disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Application level firewall
>
>
> I think calling it "application level firewalling" is complicating the
> matter.
>
> I *think* that you want to be able to restrict what connections a
> process makes from the machine it's running on (Like Zone Alarm does
> with the little pop-ups "porn.exe wants to connect to
> www.worldshariestgirlsoncrack.com with your credit-card details, You
> sure?")
>
> I'm not sure about a nice socially engineerable GUI pop-up, but
> Netfilter allows you to restrict these connections using the OUTPUT
> chain on the FILTER table. Combined with the owner matcher you can
> achieve what you need.
>
> iptables -t filter -P OUTPUT DROP (drop by default)
> iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m
> owner --cmd-owner webbrowser -j ACCEPT
>
> Obviously an attacker could rename their process to get the same access
> so this isn't perfect, but I expect ZoneAlarm has the same issue. You
> can limit by owner uid too (--uid-owner) which is handy for ensuring
> your dns server can only do dns lookups and your smtp server can only do
> all the crazy things BIND does nowadays (assuming they are running as
> separate users).
>
> "Application layer firewalling" is a different matter (is
> this tcp port
> 1433 packet REALLY an SQL server connection? Are they submitting a
> query I don't like? What the hell are they thinking
> connecting this to
> the Internet? Is this thread actually on topic?)
>
> I wonder if someone has invented a mailing list topic firewall.
> listtables -t filter -s goon@...male.com -s "full disclosure" -s !
> "porno" -j ACCEPT
>
> John.
>
> On Fri, 2003-10-17 at 13:02, Jason Freidman wrote:
> > Is there any sort of application level firewall for Linux? Something
> > like Zone Alarm where you can trust an application? I think that
> > OpenBSD has something that allows you to choose which system calls a
> > program can run.
> >
> > The idea would be to restrict a bind call and connect call using kernel
> > modules unless the program is in a config file. It would make it easier
> > (I would think) to lock down a computer for outgoing connections as well
> > as add a new layer of security.
> --
> GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
> HTTP: http://www.johnleach.co.uk
>
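An added example, not code from John or anyone else in the thread: a small POSIX sh function that prints the per-uid egress ruleset John describes (default DROP on the filter table's OUTPUT chain plus owner-match accepts) and adds the loopback and ESTABLISHED,RELATED accepts that a DROP policy needs so inbound services keep answering. It uses --uid-owner rather than --cmd-owner, because --cmd-owner was removed from the owner match in later kernels; the uid 53 and destination 192.0.2.1 in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example: print an iptables egress policy that pins one service
# account (by uid) to a short list of proto:dport:dest destinations and
# drops everything else leaving the box. Nothing is applied; review the
# output, then run it as root (e.g. pipe it to sh) on a test machine.

# egress_rules USER_OR_UID "proto:dport:dest" ...
egress_rules() {
    user="$1"; shift
    case "$user" in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || {
                      echo "no such user: $user" >&2; return 1; } ;;
        *)        uid="$user" ;;   # numeric uid given directly
    esac
    # Loopback and reply traffic must survive a DROP policy, otherwise
    # local IPC and every inbound service break the moment it is set.
    echo "iptables -t filter -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One explicit accept per allowed destination, keyed on the uid.
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        dport=${rest%%:*};  dest=${rest#*:}
        echo "iptables -t filter -A OUTPUT -p $proto --dport $dport -d $dest -m owner --uid-owner $uid -j ACCEPT"
    done
    # Rate-limited log of what the policy is about to drop, then the
    # default DROP that John's reply starts from.
    echo "iptables -t filter -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"egress-drop \""
    echo "iptables -t filter -P OUTPUT DROP"
}

# Sample call (constructed): uid 53 for a resolver, allowed to talk DNS
# only to 192.0.2.1.
egress_rules 53 udp:53:192.0.2.1 tcp:53:192.0.2.1
```

As with John's rules, the uid match only constrains which account a socket is opened from; a process that can already run as that uid inherits its allowance.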