| Novell Archives Archived content from Novell openSUSE support forums |
Hi,

I've been using SuSE 9.3 for about 4 months now, (and regard it as superior to M$ in almost every respect), this, however also means that I'm still something of a novice Linux-wise, so I hope that you will bear with me on these questions. Perhaps it is because of my long and arduous experience with M$ that has made me paranoid about security issues, and I've probably just not really gathered the security of Linux over M$, but here goes...

1, Is it possible to make the firewall explicitly allow connection to the internet for some _programs_ and deny it from all others (like in all M$ firewalls)? The SuSE Firewall and e.g. Guarddog allow tweaking only at the service level (and Guarddog seems to have problems with SuSE in general). Is this even a thing that one should want to do, or does Linux have a completely different working philosophy with firewalls altogether, or do I have to do this sort of tweaking by editing ipchains rules by hand? I have not found any answers to this from any firewall documents that I've been reading.

2, I read somewhere that rootkit check programs (like "rkhunter") are intended only for server machines, but are there any practical benefits or reasons to run them also on normal workstations (or non server machines) that have a continuous broadband access to the internet? Am I just overreacting to all sorts of Linux trojans and spy programs?

Many thanks for any replies!
ludvikengelbrekt@yahoo.co.uk adjusted his/her tinfoil beanie to post:

> Hi,
>
> I've been using SuSE 9.3 for about 4 months now, (and regard it as superior to M$ in almost every respect), this, however also means that I'm still something of a novice Linux-wise, so I hope that you will bear with me on these questions. Perhaps it is because of my long and arduous experience with M$ that has made me paranoid about security issues, and I've probably just not really gathered the security of Linux over M$, but here goes...
>
> 1, Is it possible to make the firewall explicitly allow connection to the internet for some _programs_ and deny it from all others (like in all M$ firewalls)? The SuSE Firewall and e.g. Guarddog allow tweaking only at the service level (and Guarddog seems to have problems with SuSE in general). Is this even a thing that one should want to do, or does Linux have a completely different working philosophy with firewalls altogether, or do I have to do this sort of tweaking by editing ipchains rules by hand? I have not found any answers to this from any firewall documents that I've been reading.
>
> 2, I read somewhere that rootkit check programs (like "rkhunter") are intended only for server machines, but are there any practical benefits or reasons to run them also on normal workstations (or non server machines) that have a continuous broadband access to the internet? Am I just overreacting to all sorts of Linux trojans and spy programs?
>
> Many thanks for any replies!

Answered in reverse order.

2) There are no known trojans, viruses or spyware for Linux (there are exceptions, see "Rootkit") unless you have put them on yourself, changed the permissions to make them executable and then run them (hence why viruses are not common on Linux, because most need user intervention to run as root to affect the whole system).

"Rootkit" programs are mostly used for servers but can also be used on desktops that are open to the net; if there is a vulnerability discovered in an application then the hackers could get through during the window of opportunity while the machine has not been patched. On a desktop they are more for peace of mind than anything, but they can pick up things that might need further looking at.

1) Outward bound filtering should not be needed. When you look after Linux machines as administrator (whether one desktop or hundreds with servers) *you* have to maintain it and know what is running and what is open to the net. If you want to allow and disallow applications then that is where proxies and permissions come into force.

Another thing that protects the machine is the fact that the source code is readable, so anything that is running has passed before multiple eyes and been scrutinised to make sure that it is OK. If you are worried about *closed* apps where there is no source then you have to either trust that app or sniff the packets to see what is being sent out; all the tools are there to do this. For example, take Skype: I doubt very much that anyone would be using this on Linux unless it was "clean". I bet it has been through a rather vigorous checking to see what has been sent out (I know I have monitored what goes on myself to make sure). I would suspect that if anything it was doing was slightly iffy then it would have been all around the net straight off by now.

HTH

--
Mark
Twixt hill and high water
N. Wales, UK
Novell Support Forums SysOp
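
Added example, not part of the original thread or written by either poster: one way to check "what is running and what is open to the net" is to read the kernel's TCP socket table in the `/proc/net/tcp` layout. The sample table is constructed, the function names are illustrative, and a little-endian host (x86) is assumed for the address decoding.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (IPv4 only, little-endian host assumed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:8F2C 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11003 1 0000000000000000 20 4 30 10 -1
"""

LISTEN, ESTABLISHED = "0A", "01"  # kernel TCP state codes as printed in the st column


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' from /proc/net/tcp into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts; malformed or short lines are skipped."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        entries.append({"local": decode_addr(cols[1]), "remote": decode_addr(cols[2]),
                        "state": cols[3], "uid": int(cols[7]), "inode": int(cols[9])})
    return entries


def exposed_listeners(entries):
    """Listening sockets bound to anything other than loopback."""
    return [e for e in entries if e["state"] == LISTEN
            and not ipaddress.ip_address(e["local"][0]).is_loopback]


def established_by_uid(entries):
    """Remote endpoints of established connections, grouped by owning UID."""
    out = {}
    for e in entries:
        if e["state"] == ESTABLISHED:
            out.setdefault(e["uid"], []).append(e["remote"])
    return out


if __name__ == "__main__":
    for e in exposed_listeners(parse_proc_net_tcp(SAMPLE)):
        print("listening on %s:%d (uid %d)" % (*e["local"], e["uid"]))
```

On a live system, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; the `uid` column shows which account owns each socket, which is where file and account permissions come in.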