Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I need an application firewall - i.e. interactive software that pauses connections and displays a prompt (for every connection without an existing rule), allowing the user to pick options such as (allow|deny) (port|process) (once|until logout|always), and then either drops or unpauses the connection in accordance with selection (creating a rule if appropriate).
I previously looked into this about a year ago and was disappointed by the results:
Quote:
Originally Posted by boughtonp
Neither of those projects appears in Debian or Arch repos.
* Douane is at https://douaneapp.com/ and that page includes "Warning: unfortunately the project is suffering of a kernel freeze bug that can break your machine!"
* OpenSnitch is at https://github.com/evilsocket/opensnitch and checking a few recent issues, I'm not reassured about that project either.
Well after a bunch more depressing searches, I have come to the conclusion that to get what I want I'll need to write my own. :/
Yet another chore, but at least it shouldn't be too bad - both iptables and nftables have libnetfilter_queue, which queues packets and asks a userspace application to deliver an accept/drop verdict. There's a Python binding, which looks to be straightforward...
Code:
iptables -A INPUT -j NFQUEUE --queue-num 1
iptables -A OUTPUT -j NFQUEUE --queue-num 1
So I should be able to plug a simple Tk interface to display the relevant information and choices and so on.
(Not sure if nfqueue will provide process names by default, but if not Picosnitch does do that part, so I can use its method.)
Probably unlikely to happen in the next few weeks, but if after a few months someone finds this thread and I haven't posted what I end up with, feel free to prod me.
And I'm still interested if anyone knows of any existing solutions that'll save me the effort - I have more interesting projects I'd rather be progressing.
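As an added example (not code from boughtonp's post or from any project named in this thread), the verdict side of that design in Python: a rule store implementing the (allow|deny) (port|process) (once|until logout|always) choices from the first post, a minimal IPv4 parser for the raw packet NFQUEUE hands over, and a guarded `__main__` sketch wiring it to the python-netfilterqueue binding behind the two iptables rules above. The Tk prompt, the packet-to-process lookup (which nfqueue does not provide) and the on-disk persistence of "always" rules are assumptions and are stubbed.

```python
import struct
from dataclasses import dataclass

ALLOW, DENY, ONCE, SESSION, ALWAYS = "allow", "deny", "once", "until_logout", "always"

@dataclass(frozen=True)
class Rule:
    action: str    # ALLOW or DENY
    kind: str      # "port": value is (proto, dst_port); "process": value is a process name
    value: object

def new_store():
    return {SESSION: [], ALWAYS: []}  # ONCE is absent on purpose; ALWAYS rules would also go to disk

def match(store, proto, port, process):  # first matching rule wins; None -> the user must be asked
    for rule in store[ALWAYS] + store[SESSION]:
        if rule.kind == "port" and rule.value == (proto, port):
            return rule.action
        if rule.kind == "process" and rule.value == process:
            return rule.action
    return None

def parse_ipv4(raw):
    """Return (proto, dst_port) from a raw IPv4 packet; dst_port is None unless TCP/UDP."""
    ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
    if proto in (6, 17) and len(raw) >= ihl + 4:
        return proto, struct.unpack("!HH", raw[ihl:ihl + 4])[1]
    return proto, None

def decide_packet(raw, process, store, prompt):
    """Return ALLOW or DENY; prompt(proto, port, process) -> (action, kind, scope)."""
    proto, port = parse_ipv4(raw)
    verdict = match(store, proto, port, process)
    if verdict is not None:
        return verdict
    action, kind, scope = prompt(proto, port, process)  # packet stays queued until this returns
    if scope in store:  # SESSION or ALWAYS: remember the answer; ONCE: nothing is stored
        store[scope].append(Rule(action, kind, (proto, port) if kind == "port" else process))
    return action

if __name__ == "__main__":  # wiring sketch: needs root and the two NFQUEUE iptables rules above
    from netfilterqueue import NetfilterQueue  # python-netfilterqueue binding (assumed installed)
    store = new_store()
    def ask(proto, port, process):  # console stand-in for the planned Tk prompt
        return input(f"{process} proto={proto} dport={port} (action kind scope): ").split()
    def on_packet(pkt):  # nfqueue gives no process name; "?" stands in for a /proc-based lookup
        pkt.accept() if decide_packet(pkt.get_payload(), "?", store, ask) == ALLOW else pkt.drop()
    nfq = NetfilterQueue()
    nfq.bind(1, on_packet)
    nfq.run()
```

While a packet waits in the queue its connection is effectively paused, so a prompt that never returns stalls that flow rather than silently allowing it.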
Quote:
Originally Posted by boughtonp
Probably unlikely to happen in the next few weeks, but if after a few months someone finds this thread and I haven't posted what I end up with, feel free to prod me.
I'm interested, and it's been a few months. Did anything come out of it?
I previously looked into this about a year ago and was disappointed by the results:
It seems Douane still has that bug, Portmaster is still on Electron, I still don't trust OpenSnitch, and no matches in Debian's repos.
So, does anyone know any other interactive firewalls that allow ad hoc rules via GUI prompts and which are worth considering?
Douane doesn't work at all for me and I don't think it has been updated in years? I also found OpenSnitch and Portmaster both miss connections such as ICMP and from some appimages, or assign the connection to the wrong program, and I'm not sure what OpenSnitch does to my iptables but there are a few programs it makes unbearably slow to launch, whether they were allowed or not.
I tried picosnitch and so far have settled on using it for monitoring and setting Firejail to be used by default for some programs to block network access.
It may not have GUI prompts, but so far this setup has been working really well for me so I thought I'd share, and was interested if you had gotten around to making any progress with your idea.
Instead of blocking specific programs with firejail or using a userspace application for prompts, now I drop everything with iptables for my primary user, and created a secondary user with network access. Anything I want connecting to the internet I just run as the secondary user, and have Picosnitch running in the background to verify/alert me of any issues with my setup.
So far this gives me much better performance, and better privacy and usability. I'll report back on this after trying it for a few more weeks or if I change anything.