
Re: application level firewalling in linux?(was:ipchains...masq..spyware)



* wsa (wsa@hotpop.com) spake thusly:
> Hi,
> 
> Maybe in my original mail I wasn't very clear judging from the
> responses I got...so I'll try one more time.
> 
> I wasn't asking what to do in Windows...although I did mention
> Windows which probably made everyone run for the hills:)
> 
> My question was about Linux and how to accomplish security
> on application level, like what happens in Windows with a personal
> firewall.
...
> 
> And if there is no need for security on application level why is that?

Because in Windows you (a generic "you") can double-click on an e-mail 
attachment and that will install a trojan server without you knowing
anything about it. Plus, Windows is targeted at users who wouldn't have 
a clue about port numbers, so we better tell them which *application*
is trying to "connect to the Internet".

It doesn't work, BTW: comp.security.misc was full of people who
deleted RPCss.exe because "I didn't install that, and it tried to
connect to the Internet. Must be an Evil Hack(tm)!" But I digress...

A Unix/Linux sysadmin, OTOH, is supposed to know about ports and
how TCP/IP works. For one thing, they understand the difference
between outgoing and incoming connections.

> Because I don't understand how I can achieve full security when opening
> ports...like port 80 for the web or 110 and so on.
> Cause as far as I can understand reading all the IPchains documentation
> if I open that port in Linux it will be open for any application which
> uses that port....and I can't specify that only Mozilla or Netscape
> can use that port and any other app can use that port to transfer
> information.

Because this is about *incoming* connections. You open port 80 and
start Apache to listen on it. No other application can use the port
now; it's already taken.

Netscape can open any unprivileged port (except those already taken)
for its *outgoing* connection. It will try to talk to port 80 on the
remote side (or the FTP port, or whatever). So when you set up egress
(outgoing) filtering, you specify what remote services your
applications can connect *to*. Combined with IP/MAC address matching,
this gives you far more flexibility, and probably better security, too.

Anyway, netfilter in 2.4.x kernels comes with user-space hooks,
so implementing per-application tracking shouldn't be too hard.
If anyone really needed it, it'd be there by now.

Read about "stateless vs stateful packet filtering" somewhere
(e.g. the IPtables howto). You are reading the docs for a stateless
filter (IPchains), and part of your confusion is due to
limitations of stateless filtering.

Dima
-- 
Well, lusers are technically human.                            -- Red Drag Diva
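The incoming/outgoing distinction and the stateful egress filtering Dima describes, as an added example that is not part of the original mail: iptables rules for a 2.4.x netfilter host using the `state` match, with `IPT` defaulting to `echo iptables` so the script prints the rules rather than needing root. The `stateless_contrast` function is an added illustration of what the ipchains-style filter wsa was reading about would need instead.

```sh
#!/bin/sh
# Added example, not from the original mail. Stateful netfilter/iptables
# rules (Linux 2.4.x, "state" match) showing Dima's point: you open port 80
# *inbound* for the one daemon listening there, and for *outbound* traffic
# you name the remote services applications may connect TO. IPT defaults
# to "echo iptables" so running this prints the rules instead of needing root;
# set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

ingress_rules() {
  $IPT -P INPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  # Stateful: replies to connections we initiated come back on unprivileged
  # ports, but are accepted because they belong to a tracked connection.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Apache holds port 80; only NEW connections to that one port get in.
  $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -j LOG --log-prefix "ingress-denied: "
}

egress_rules() {
  $IPT -P OUTPUT DROP
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Remote services our applications may connect *to*: HTTP, HTTPS, POP3, DNS.
  for port in 80 443 110; do
    $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
  # Anything else an application tries to reach is dropped and logged.
  $IPT -A OUTPUT -j LOG --log-prefix "egress-denied: "
}

# What the stateless ipchains-era filter wsa was reading about would need
# instead: let inbound packets from remote port 80 reach *every* unprivileged
# local port, because it cannot tell a reply from a new connection.
stateless_contrast() {
  $IPT -A INPUT -p tcp --sport 80 --dport 1024:65535 ! --syn -j ACCEPT
}

ingress_rules
egress_rules
stateless_contrast
```

The logged `egress-denied:` lines are where a trojan's unexpected outbound attempt shows up, which is the per-application visibility the Windows tools advertise, obtained by naming services rather than binaries.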


