
Re: application level firewalling in linux?(was:ipchains...masq..spyware)



On Sun, 30 Dec 2001, wsa wrote:

> HI,

Hey,

> Maybe in my original mail i wasn't very clear judging from the
> responses i got...so i'll try one more time.

I don't seem to have your first mailing around, but no worries.

> I wasn't asking what to do in windows...although i did mention
> windows which probably made everyone run for the hills:)

> My question was about linux and how to accomplish security
> on application level, like what happens in windows with a personal
> firewall.

Generally, Linux/Unix doesn't handle firewalling this way, although there is
some measure of it, see below...

> Because i don't understand how i can achieve full security when opening
> ports...like port 80 for the web or 110 and so on.
> Cause as far as i can understand reading all the IPchains documentation
> if i open that port in linux it will be open for any application which
> uses that port....and i can't specify that only Mozilla or Netscape
> can use that port and any other app can use that port to transfer
> information.

I shall assume you are setting up a connection tracking firewall, as is the
common practice now.

In this setup, no local apps can bind to ports (see below for exceptions), so
just block all incoming traffic on all ports.

Applications can send outgoing data anywhere (This is the standard, and is not
a security concern.  Windows personal firewalls tend to disagree, and maybe it
really is a concern there...).  Once a connection is made, the connection
tracking firewall will know to allow the reply traffic back to that application.
If you wish, you can block outgoing traffic in a few ways, for example only
allowing destination ports of 80, or only allowing certain protocols, but this
will probably not enhance your security.

Finally, note that only root can bind to ports lower than 1024.  As long as
port 1025 and above are blocked for incoming connections, you don't have to
worry about users binding things on those ports - it's useless to do so - and
they can't bind to lower ports without root privileges.

> And if there is no need for security on application level why is that?

You want users to be able to connect to resources over the network.  This is
not usually a security hazard.  I can understand you not wanting users binding
to ports, but I think that's well taken care of.

> Cheers,
> Willem

I hope this helps,
I'm not a writer of any kind and sometimes I find my explanations to be
confusing, and I hope this is not the case here.
-Tech
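A small model of the policy described above (block all unsolicited incoming connections, let applications connect out, let replies to tracked connections back in, and only root may bind ports below 1024). This is an illustration added to the thread, not iptables, ipchains or kernel code; the class and function names, the packet fields and the addresses are constructed for the example.

```python
"""Toy model of a connection-tracking ("stateful") firewall policy.

Illustration only: the names below (ConntrackFirewall, Packet, can_bind)
are invented for this example and do not correspond to iptables or
ipchains APIs.  Addresses are constructed documentation addresses.
"""

from dataclasses import dataclass

# Unix rule mentioned in the reply: binding a port below this needs root.
PRIVILEGED_PORT_LIMIT = 1024


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackFirewall:
    """Tracks connections opened from the local host and admits only their replies."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.table: set[tuple[str, int, str, int]] = set()  # 4-tuples we opened

    def outbound(self, pkt: Packet) -> str:
        # Outgoing traffic is allowed for any application; remember the
        # connection so that the reply can be matched when it comes back.
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        # A reply to (local:sport -> remote:dport) arrives as
        # (remote:dport -> local:sport), so look up the reversed tuple.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return "ACCEPT"  # reply to a tracked connection
        return "DROP"        # unsolicited incoming connection: blocked


def can_bind(port: int, uid: int) -> bool:
    """Ports below 1024 require root (uid 0); any user may bind 1024 and up."""
    return uid == 0 or port >= PRIVILEGED_PORT_LIMIT


def demo() -> dict:
    """Runs constructed traffic through the model and returns each verdict."""
    fw = ConntrackFirewall("192.0.2.10")  # constructed local address
    results = {}
    # A local browser connects out to a web server on port 80.
    results["out"] = fw.outbound(Packet("192.0.2.10", 40000, "198.51.100.5", 80))
    # The server's reply matches the tracked connection and is let in.
    results["reply"] = fw.inbound(Packet("198.51.100.5", 80, "192.0.2.10", 40000))
    # Unsolicited connection to a high port a user program might have bound.
    results["unsolicited"] = fw.inbound(Packet("203.0.113.7", 5555, "192.0.2.10", 8080))
    # A packet pretending to be a reply from a host we never talked to.
    results["fake_reply"] = fw.inbound(Packet("203.0.113.7", 80, "192.0.2.10", 40000))
    # Port-binding rule for an ordinary user (uid 1000) and for root.
    results["user_bind_80"] = can_bind(80, uid=1000)
    results["user_bind_8080"] = can_bind(8080, uid=1000)
    results["root_bind_80"] = can_bind(80, uid=0)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the model is the one the reply makes: with incoming connections dropped by default, a user-level program bound to a high port is unreachable from outside, while every application on the host can still connect out and receive its replies, without the firewall needing to know which application opened the connection.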
