Application specific firewall?

First of all I’ve to say that it’s only few weeks since I
made my way from Windows.
This might explain my probably strange question(s) :slight_smile:

I wonder why there is no “obvious” application specific (outgoing) firewall
at Linux, at openSUSE.
If I get it right the activated sophisticated firewall system is
for incoming traffic. That’s what I read in books, documentation and all.
Application specific firewalls aren’t even mentioned.

So internet, mail and ftp client etc. may communicate as they want.

If I now install some app from say North Korea,
which shows so cute animal pictures
(beside collects password and login data, to send them home)…
I wouldn’t notice.

You might say that such an app propably won’t make it into a rep…
Yes, but I already made the experience that lots of apps
are not or only in very outdated versions in the reps.
So there’s need to take flats, snaps, appimages, community builds etc.
And if I get it right there’s no guarantee for “nice apps” then?

Building the app myself, the code is open to everyone.
But I wonder if all the code in the world is checked all the time.
I would’t identify the most evil code if I had it in front of me.

And then there are the proprietary apps.

In windows I installed a simple app which informs me about every
outgoing request of an app to decide how to handle now and in future.
I disallowed any app that doesn’t need it for its function.
Check for updates I did by automatic website check.

OK.
Explicitly searching for application specific firewall for Linux
you find something like https://linuxsecurity.expert/compare/tools/linux-application-firewalls/
And then https://software.opensuse.org/package/opensnitch

So my question:
Only few penguins seem to worry about application specific firewall.
Why’s that?

Speaking for myself, I only install applications I have a reason to trust, and I generally only install applications from trusted sources.

If I have an application that I want to run that I don’t know the source of, I sandbox it in a virtual machine, and I look at it with tools designed to help me understand what it does (network traffic analysis tools, if I suspect it might be ‘phoning home’).

But I would never install an application from North Korea that “shows cute animal pictures”. That would fall in the category of “applications from untrusted sources”.

You’re correct - the firewalls in Linux tend to be ingress-only firewalls (ie, inbound), and not egress firewalls (ie, outbound).

2 Likes

So you hate cute animals?
:slight_smile:
You know that I was joking, don’t you?

But as I tried to sketch sometimes you just don’t know.
And at the description of e.g. openSnitch it says that he was surprised
who was “gossiping”.
“Trust is good, control is better” (Lenin)

It may be of your interest.

3 Likes

Of course. But my point was this: Don’t install software from sources you don’t trust. That still holds true.

If you don’t know - ask. From a security standpoint, “assuming” is a bad thing to do.

Using Linux, you will learn a lot about cybersecurity.

This topic belongs to Open Chat, not to technical support section.

Yes, I come to know this now (with the kind help of the forum),
but I didn’t know when I asked about egress firewalls.
As a newcomer I thought there must be a technical reason
why privacy aware penguins don’t seem to need outbound firewalls.

Generally, I agree and am just more strict about the software I install. If it has access to home folder etc… worst case is something like scraping keys or session / csrf and cookie info and sending that somewhere. Even if you locked it down… it could still use a system call and curl command or something to post your info somewhere.
Maybe more knowledgeable people in security would disagree but I see app specific rules almost as theater.

@user42 Because you have to think beyond a computer… I don’t run any firewall internally, that’s what the router is for… I do run pihole which kills off ads/trackers and can blacklist on the fly for everyone on the network… Investigate the likes of https://github.com/AdguardTeam/AdGuardHome or https://github.com/pi-hole

1 Like

Ah, Malcolm, thank you so much for the reassurance! I still have a guilty feeling not bringing up the firewalls in my LAN. But I am very cautious caring about the settings, updating and security of my Fritzbox.