Full Disclosure mailing list archives
RE: Application level firewall
From: Andriy Bilous <Andriy.Bilous () sabre-merlin de>
Date: Sat, 18 Oct 2003 17:19:14 +0200
Some personal firewalls on Windows are using checksums for every application trying to access the network device. Yesterday I've upgraded mIRC and have got a warning about this.

iptables, unfortunately, doesn't provide such functionality out of the box. Luckily, it has an open API and extends well over the kernel modules facility.

What you speak about has a different name - "content filtering".

Andriy Bilous
-system administration-
CCNA, CCNP Certified

dcs DILLON COMMUNICATION SYSTEMS GmbH & Co. KG
Weidestraße 122 b
D-22083 Hamburg
phone +49 40 27 83 82 184
fax +49 40 27 83 82 999
mailto:andriy.bilous () sabre-merlin de
http://www.sabre-merlin.de
-----Original Message-----
From: John Leach [mailto:john () johnleach co uk]
Sent: Friday, October 17, 2003 3:44 PM
To: jason.full-disclosure () compnski com
Cc: Full-Disclosure () lists netsys com
Subject: Re: [Full-disclosure] Application level firewall

I think calling it "application level firewalling" is complicating the matter. I *think* that you want to be able to restrict what connections a process makes from the machine it's running on (like Zone Alarm does with the little pop-ups: "porn.exe wants to connect to www.worldshariestgirlsoncrack.com with your credit-card details. You sure?").

I'm not sure about a nice socially engineerable GUI pop-up, but Netfilter allows you to restrict these connections using the OUTPUT chain on the FILTER table. Combined with the owner matcher you can achieve what you need.

iptables -t filter -P OUTPUT DROP (drop by default)
iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m owner --cmd-owner webbrowser -j ACCEPT

Obviously an attacker could rename their process to get the same access, so this isn't perfect, but I expect ZoneAlarm has the same issue.

You can limit by owner uid too (--uid-owner), which is handy for ensuring your DNS server can only do DNS lookups and your SMTP server can only do all the crazy things BIND does nowadays (assuming they are running as separate users).

"Application layer firewalling" is a different matter (is this tcp port 1433 packet REALLY an SQL server connection? Are they submitting a query I don't like? What the hell are they thinking connecting this to the Internet? Is this thread actually on topic?)

I wonder if someone has invented a mailing list topic firewall.

listtables -t filter -s goon () hotmale com -s "full disclosure" -s ! "porno" -j ACCEPT

John.

On Fri, 2003-10-17 at 13:02, Jason Freidman wrote:
> Is there any sort of application level firewall for linux? Something like Zone alarm where you can trust an application?
>
> I think that openBSD has something that allows you to choose which system calls a program can run. The idea would be to restrict a bind call and connect call using kernel modules unless the program is in a config file. It would make it easier (I would think) to lock down a computer for outgoing connections as well as add a new layer of security.

--
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
HTTP: http://www.johnleach.co.uk
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
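As an added example (not part of the thread, nor anyone's posted code), here is how a defender might combine John's OUTPUT-chain/owner approach with the binary-checksum idea Andriy mentions: rules are keyed on --uid-owner (the --cmd-owner match used above was dropped from the Linux kernel years ago, and as John notes a process name is trivially spoofed), and a per-user rule is only added while the daemon's binary still hashes to an expected value. The uid 53, the binary path and its hash are constructed placeholders; the script prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Per-user egress policy on the OUTPUT chain, keyed on uid rather than process
# name, gated by a checksum of the binary (what Windows personal firewalls do).
# Rules are printed; they are executed only when APPLY=1 (needs root).
APPLY="${APPLY:-0}"

run_rule() {
    echo "iptables $*"                      # always show the rule being added
    if [ "$APPLY" = "1" ]; then iptables "$@"; fi
}

# binary_matches PATH SHA256 -> 0 when the file hashes to SHA256, else 1
binary_matches() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# allow_egress UID PROTO DPORT [DEST]: ACCEPT new connections made by that uid
allow_egress() {
    dest="${4:-0.0.0.0/0}"
    run_rule -t filter -A OUTPUT -p "$2" --dport "$3" -d "$dest" \
        -m owner --uid-owner "$1" -j ACCEPT
}

# trusted_egress PATH SHA256 UID PROTO DPORT [DEST]: as allow_egress, but only
# while PATH has the expected checksum; fails closed (returns 1) otherwise.
trusted_egress() {
    path="$1"; sum="$2"; shift 2
    if binary_matches "$path" "$sum"; then
        allow_egress "$@"
    else
        echo "refusing egress for $path: checksum mismatch" >&2
        return 1
    fi
}

# base_policy: default-deny OUTPUT, but keep loopback and reply traffic working;
# without the conntrack rule every listening service loses its own replies.
base_policy() {
    run_rule -t filter -P OUTPUT DROP
    run_rule -t filter -A OUTPUT -o lo -j ACCEPT
    run_rule -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage with constructed placeholders (uid 53 = DNS daemon, hash = expected sum):
#   base_policy
#   trusted_egress /usr/sbin/named <expected-sha256> 53 udp 53
```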
Current thread:
- Application level firewall Jason Freidman (Oct 17)
- Re: Application level firewall Florian Weimer (Oct 17)
- Re: Application level firewall Raj Mathur (Oct 17)
- Re: Application level firewall fg (Oct 17)
- Re: Application level firewall Andreas Gietl (Oct 17)
- Re: Application level firewall John Leach (Oct 17)
- Re: Application level firewall Kevin Currie (Oct 17)
- <Possible follow-ups>
- RE: Application level firewall Andriy Bilous (Oct 17)
- RE: Application level firewall Oliver Heinz (Oct 17)
- RE: Application level firewall Andriy Bilous (Oct 18)
- RE: Application level firewall Adam Lydick (Oct 18)