RE: Application level firewall

[Andriy Bilous <Andriy.Bilous () sabre-merlin de>]

Some personal firewalls on windows are using checksums for every application
trying to access network device. Yesterday i've upgraded mirc and have got a
warning about this. iptables, unfortunately, doesn't provide such a
functionality out of the box. luckily, it have an open API and extends well
over the kernel modules facility. what you speak about has a different name
- "content filtering"

Andriy Bilous 
-system administration- 
CCNA, CCNP Certified
dcs DILLON COMMUNICATION SYSTEMS GmbH & Co. KG 
Weidestraße 122 b 
D-22083 Hamburg 
phone +49 40 27 83 82 184 
fax   +49 40 27 83 82 999 
mailto:andriy.bilous () sabre-merlin de
http://www.sabre-merlin.de


> -----Original Message-----
> From: John Leach [mailto:john () johnleach co uk]
> Sent: Friday, October 17, 2003 3:44 PM
> To: jason.full-disclosure () compnski com
> Cc: Full-Disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Application level firewall
>
>
> I think calling it "application level firewalling" is complicating the
> matter.
>
> I *think* that you want to be able to restrict what connections a
> process makes from the machine it's running on (Like Zone Alarm does
> with the little pop-ups "porn.exe wants to connect to
> www.worldshariestgirlsoncrack.com with your credit-card details, You
> sure?")
>
> I'm not sure about a nice socially engineerable GUI pop-up, but
> Netfilter allows you to restrict these connections using the OUTPUT
> chain on the FILTER table.  Combined with the owner matcher you can
> achieve what you need.
>
> iptables -t filter -P OUTPUT DROP (drop by default)
> iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m
> owner --cmd-owner webbrowser -j ACCEPT
>
> Obviously an attacker could rename their process to get the 
> same access
> so this isn't perfect, but I expect ZoneAlarm has the same issue.  You
> can limit by owner uid too (--uid-owner) which is handy for ensuring
> your dns server can only do dns lookups and your smtp server 
> can only do
> all the crazy things BIND does nowadays (assuming they are running as
> separate users).
>  
> "Application layer firewalling" is a different matter (is 
> this tcp port
> 1433 packet REALLY an SQL server connection?  Are they submitting a
> query I don't like?  What the hell are they thinking 
> connecting this to
> the Internet?  Is this thread actually on topic?)
>
> I wonder if someone has invented a mailing list topic firewall.
> listtables -t filter -s goon () hotmale com -s "full disclosure" -s !
> "porno" -j ACCEPT
>
> John.
>
> On Fri, 2003-10-17 at 13:02, Jason Freidman wrote:
> > Is there any sort of application level firewall for linux?  
> Something
> > like Zone alarm where you can trust an application?  I think that
> > openBSD has something that allows you to choose which system calls a
> > program can run.
> >
> > The idea would be to restrict a bind call and connect call 
> using kernel
> > modules unless the program is in a config file.  It would 
> make it easier
> > (i would think) to lockdown a computer for outgoing 
> connections as well
> > as add a new layer of security.
> -- 
> GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
>    HTTP: http://www.johnleach.co.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html