Specifically blocking output traffic

This morning I came to work, made myself a cup of coffee and started my favorite Java IDE - NetBeans. Initialization went smoothly and then it suggested that I should download some updates. I said - yes - and the update process started. It was the first time I realized that I am sitting behind two firewall routers and none of them is filtering the output traffic!

I guess that a port for an outgoing connection is selected randomly from a range of available ports, so you cannot close a connection by port number - only by package header.
Nevertheless, is there a ‘Windows way’ to one-click block a program on openSUSE 11.0?

Thanks.

Short answer: No.

Longer answer: Nothing that can be easily set up, and used. There was a group working on nufw, a framework that adds authentication to iptables, I don’t know if their work is available or ready for use.

What ken_yap said. Some random thoughts/opinions:

  1. Windows’ blocking function isn’t really that effective. It can easily be gotten around (a bad guy can simply pretend to be a program that will almost certainly have access, such as Internet Explorer, for example). Speaking as someone who wrote anti-virus/security software back in the DOS era, name-based blocking is almost worthless against even a modestly-sophisticated attack. Even back then, malware commonly masqueraded as a legitimate program to achieve its ends.

  2. Linux’s inherent design is completely different. Your desktop is treated as a terminal … and indeed, could be moved to a completely different machine (part of that 'Nix heritage). In a sense, it’s an isolated subsystem. This (and other) design feature(s) makes it a little more complicated to do things that are quite easy under Windows (speaking as a programmer). This is one reason why so many Linux GUI programs don’t give an obvious error message when they refuse to start, for example. It’s a different philosophy: you, the “end user,” just work with the “terminal” and the system administrator keeps everything running. In the classic, historic case, you’d complain to the SA and he/she would look at the logs and fix what’s wrong.

Linux is far more secure by inherent and internal design. 'Nix started out on large, multi-user systems and was scaled down for PCs. Windows/DOS, conversely, started out on individual PCs and has had klongs and kludges added over the years to make it a multi-user, networked system.

This sounds like a ramble, and a lot of it is opinion. But just to ease your mind, I wouldn’t worry too much about your packages looking for their own updates. One nice thing about Open Source is that the community vets anything before including it in a typical distribution. If (in this case) the NetBeans IDE was reading your credit card info and transmitting it somewhere, you’d have long since seen an outcry that would make your hair shrivel. :)

Two other quick points.

Yes … and no. If you run Wireshark on your machine, you’ll see that many of these update requests simply query a remote server, and often use the standard HTTP port (80). They know that port will be open.

Second, I ignored another point about malware: many Windows viruses and worms are able to set up botnets by simply tunneling past the firewall. Windows’ firewall is a lot better now than it used to be, but it still ain’t perfect – which is why I rambled aimlessly about inherent differences in design above.

But I know how you feel – when I first switched to Linux from Windows 98 several years ago, I wondered, “where’s my Zone Alarm!” :)

Another long-time Linux hack explained things to me back then and calmed me down.

My two cents…

I too have asked about this very subject, with the responders reassuring me that with Linux there is no need to have these “type” of controls. You will hear the same attitude about antivirus software.

I listened and tried to understand the philosophy, but frankly I cannot find the logic in the position.

Not regulating the outbound traffic allows applications to do things you are not aware of and may not agree with… the term “phone home” comes to mind… and if the answer to that is to review the source code… then I’ll say that computers are my hobby, not my profession; no time to do that kind of thing.

Another point would be the difference between being “infected” vs. “data-theft”. This is beyond the scope of this discussion, but I wish there were better protections. At one time there was a firewall application that attempted to do some outbound filtering called tuxguardian, but my review of the homepage at sourceforge indicated that it is not currently being developed.

The problem is that in the case of phone home it’s very hard to distinguish between legit traffic and phone home traffic.

So you say only let firefox and system updaters use port 80. Wait, there’s more, how about that tune application, gotta add that to the whitelist. How about that RSS feed aggregator?

How will you distinguish between legit apps and sneaky apps? By process name? Easily spoofed. By digital signatures? Will you sit down and click to approve the Mozilla key and the iTunes key and so forth? You wanted an easy life, but now you have to do some extra work.

The problem with blocking output is that it is too late in the game. It’s like letting an intruder into your house and then worrying about whether he can make calls from your phone. It’s better to not get to that point in the first place.

It’s worth more than 2 cents, and I agree with you in principle. I liked Zone Alarm under Windows 98. And as I said above, when I first switched to Linux, I missed it for a while. I wouldn’t mind seeing someone develop a product like that for Linux. I’d probably use it.

But as I also said above, these things aren’t foolproof, and they can easily lead to a false sense of security. That’s a key point that you should consider carefully. There’s plenty of malware out there that can (and has!) set up a complete botnet that spans dozens of machines … and their owners are none the wiser. Why? Because they don’t get a warning.

As for why the community hasn’t pushed for this, I guess it’s a matter of priorities. First, Linux is so much more secure, because F/OSS has been vetted by so many people worldwide; the developers don’t see it as a pressing need. Second, because it ISN’T really that effective against serious malware, they probably figure, “why bother?”

If we’re asking for security-related software for Linux, what I’D like to see is a firewall/NAT/masquerade/etc. package that allows me to configure everything in a point-and-click interface. Yast has good firewall config, but I’d love something completely graphical and intuitive. For example, it might scan the local network, fill a window with icons representing each machine, and then allow me to click on an icon and say, “he can do this, but not that.” All in a point-and-click interface, without cryptic syntax.

Like many businesses, we have trouble with bandwidth hogs – people who want to watch videos and run bit torrents without permission. I’ve been surprised at how difficult it is to set up reliable, real-time per-user bandwidth monitoring. Oh, it can be done, but it’s a pain. (For those who’ve done this and who care, we’ve used both IpCop and pfSense; each has strengths and weaknesses, IMNHO. I’m always open to suggestions.)

Hi
What about Firestarter?


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.1 x86 Kernel 2.6.27.7-9-default
up 1 day 10:23, 2 users, load average: 0.52, 0.21, 0.13
GPU GeForce 6600 TE/6200 TE - Driver Version: 180.22

Thanks. Maybe I need to take a new look at it. I tried it a good while back and was totally unimpressed, but from looking at the link, it appears that they’ve been working on it!

Hi
Had a look at the src rpm; it needs some work to openSUSE-ify it with respect to the desktop entry and init script. Three extra files from the selinux repository and it all builds/installs ok.


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.1 x86 Kernel 2.6.27.7-9-default
up 1 day 11:19, 2 users, load average: 0.11, 0.31, 0.44
GPU GeForce 6600 TE/6200 TE - Driver Version: 180.22

Yes, that’s a commonly wanted request. Have you looked at using Linux traffic control to monitor bandwidth usage? Unfortunately I don’t know of any easy-to-use interfaces.

I think what surprises me is how much work you must do to get the information that you need. This is going to sound like a whine, but here goes anyway. :)

With pfSense, for example, we use BandwidthD. OK, it comes up with the “top 20” users of bandwidth. They’re identified solely by IP address. We use the captive portal option so that we can (pseudo-)reliably link a log-in name to an IP address (yeah, I know it’s not perfect), but it only displays those people who are currently logged in. Same with the DHCP logs (and there, the user/machine name is often omitted for some reason). Once the user logs out, useful tracking info disappears.

In other words, we’ll see “192.168.100.100 did 300 Megabits last night!” in BandwidthD, but we won’t see a name in either the captive portal or DHCP logs.

So … why can’t BandwidthD pull that info and put it on the log line with bandwidth usage? Better yet, instead of IP address, why not use the MAC? And finally, why not persistent logs on the DHCP and captive portal (maybe there’s a way to set it up, I haven’t found it, but then, I really haven’t had time to look very far) WITH the MAC?

Again, it’s not that these things CAN’T be done at all; of course they can. It’s that they’re surprisingly difficult and clunky to get working, and that the package designers don’t consider them useful defaults.
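One way to do the join the post asks for is to match the per-IP usage report against the DHCP server’s lease file, so each top talker comes out with a MAC and hostname. This is an added example, not code from the thread or from BandwidthD/pfSense; the "<ip> <bytes>" report format and the dhcpd.leases sample are constructed assumptions.

```python
# Added example (not from the thread or from BandwidthD): join a per-IP usage
# report with ISC dhcpd.leases so each top talker gets a MAC and hostname.
# The "<ip> <bytes>" report format and all sample data are constructed.
import re

USAGE_REPORT = """\
192.168.100.100 37500000000
192.168.100.250 500000000
192.168.100.23 120000000
192.168.100.77 9000000
"""
# Constructed leases: .23 sends no client-hostname; .250 has no lease at all.
DHCPD_LEASES = """\
lease 192.168.100.100 {
  hardware ethernet 00:1A:2B:3C:4D:5E;
  client-hostname "lab-pc-07";
}
lease 192.168.100.23 {
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Return {ip: (mac, hostname)}; a later lease for the same IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        leases[ip] = (mac.group(1).lower() if mac else None,
                      host.group(1) if host else None)
    return leases

def attribute_usage(report, leases_text, threshold_bytes):
    """Rows (ip, mac, hostname, bytes) at or above the threshold, largest
    first; IPs with no lease keep None so they stand out rather than vanish."""
    leases = parse_leases(leases_text)
    rows = []
    for line in report.splitlines():
        ip, nbytes = line.split()
        if int(nbytes) >= threshold_bytes:
            mac, host = leases.get(ip, (None, None))
            rows.append((ip, mac, host, int(nbytes)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in attribute_usage(USAGE_REPORT, DHCPD_LEASES, 100_000_000):
        print(row)
```

An address that appears in the report but has no lease (here 192.168.100.250) is kept with empty MAC and hostname, which is exactly the case that needs a follow-up rather than one that should disappear from the list.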

I think most of the solutions are home grown or in-house and nobody has decided to make a packaged solution public. It’s just that nobody wants to go first. :(

ISPs do it all the time; after all, that’s how they know if a customer has gone over quota. Companies that rent access, like wireless Internet cafes, also have something similar.

The closest thing I have heard of that’s free is an add-on for IPCop that tracks usage by IP address. This was the one I suggested to a friend when he asked if they could track down who ran the company account over the quota one month. But it is a small firm, so they knew who did it; they probably had a chat with the chap and that was the end of the matter, and there was no further interest in deploying a technical solution.

You can eliminate one lookup by assigning a fixed address to each MAC using DHCP. That way, the usage of one particular IP always belongs to that machine. It also allows you to track down infected machines.

Oops, too slow, 10 minutes went past.

Anyway I found that IPCop add-on for counting traffic that I once saw mentioned:

Traffic Control And Report addon for IPCop project. (en)

Thanks. I talked to my assistant Todd today (he’s the one who directly administers the pfSense/IpCop gateway) and he said it looked intriguing.

We had about decided to switch back to IpCop today, anyway. pfSense is good, but wow, it’s nitpicky. Too easy to set one thing wrong that crashes the whole system. Too hard to configure, too.

Thanks again for the tip. You may have found the one plugin that we missed! :)