Andrei Verovski (aka MacGuru)
2006-Jan-02 19:42 UTC
How to log and block specific application activity
Hi,

I have quite a simple and stupid question I have been unable to solve with googling. I need to log and block the network activity of certain applications at the router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail.

And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS players, in order to prevent them from catching viruses, spyware or downloading unwanted content like streaming video.

Since they are using the same ports, one needs to filter traffic from/to specific application(s) and not certain ports and/or protocols. Here is a log from /var/log/firewall:

Jan 2 21:20:56 su37 kernel: Shorewall:filter:OUTPUT:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 2 21:20:56 su37 kernel: Shorewall:mangle:POSTROUTING:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Unfortunately, there is no information about which application(s) have requested certain packets.

Thanks in advance for any suggestion(s)

Andrei.
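An added illustration, not part of the original thread: the log lines above carry everything Netfilter knows about the packet, and a parser over them makes it obvious that no field names the sending process. The only place that information exists is on the host that generated the packet (here the firewall itself, since IN= is empty and the chain is OUTPUT), where the source port can be mapped to a socket inode in /proc/net/tcp and the inode to a PID through /proc/<pid>/fd. The code below is mine, assumes Linux with /proc mounted, covers only IPv4 TCP (tcp6 and udp have their own tables), and needs root to read other users' fd tables; the log line it parses is the first one from the post.

```python
"""Added example (not from the thread): parse a Shorewall/Netfilter kernel log
line and, for locally generated traffic, attribute it to a process via /proc.

Assumptions: Linux with /proc mounted; the socket that sent the logged packet
still exists when the lookup runs; reading other users' /proc/<pid>/fd needs
root. /proc/net/tcp only covers IPv4 TCP (tcp6/udp have their own files)."""
import os
import re
import socket

# Constructed sample: the first log line from the post, verbatim.
SAMPLE_LOG = (
    "Jan 2 21:20:56 su37 kernel: Shorewall:filter:OUTPUT:IN= OUT=eth0 "
    "SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)

_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_FLAGS = ("DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_netfilter_log(line):
    """Return the KEY=VALUE fields of a kernel log line as a dict.
    The Shorewall prefix 'Shorewall:<table>:<chain>:' becomes 'table'/'chain';
    bare flags such as DF and SYN are stored as True. There is no field for
    the originating PID or command: Netfilter simply does not have it."""
    head, sep, tail = line.partition("IN=")
    if not sep:
        raise ValueError("not a Netfilter log line: %r" % line)
    fields = {}
    m = re.search(r"Shorewall:(\w+):(\w+):$", head)
    if m:
        fields["table"], fields["chain"] = m.group(1), m.group(2)
    body = sep + tail
    fields.update(_KV.findall(body))
    for flag in _FLAGS:
        # bare token, not part of a longer key such as URGP=
        if re.search(r"(?<![A-Z=])%s(?![A-Z=])" % flag, body):
            fields[flag] = True
    return fields


def socket_inode_for_port(local_port, table="/proc/net/tcp"):
    """Inode of the socket bound to local_port (any local address).
    Columns: sl local_address rem_address st ... uid timeout inode ..."""
    with open(table) as fh:
        next(fh)  # header line
        for row in fh:
            cols = row.split()
            port_hex = cols[1].rsplit(":", 1)[1]
            if int(port_hex, 16) == local_port:
                return cols[9]
    return None


def pid_for_socket_inode(inode):
    """Scan /proc/<pid>/fd for a link named 'socket:[<inode>]'."""
    if inode is None:
        return None
    target = "socket:[%s]" % inode
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = "/proc/%s/fd" % pid
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process gone, or not ours and we are not root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def comm_for_pid(pid):
    with open("/proc/%d/comm" % pid) as fh:
        return fh.read().rstrip("\n")


def attribute_log_line(line):
    """For a locally generated packet (OUTPUT chain, empty IN=), return
    (fields, pid, comm); pid and comm are None once the socket is gone."""
    fields = parse_netfilter_log(line)
    if fields.get("chain") != "OUTPUT" or fields.get("IN") != "":
        return fields, None, None
    pid = pid_for_socket_inode(socket_inode_for_port(int(fields["SPT"])))
    return fields, pid, (comm_for_pid(pid) if pid else None)


def self_check():
    """Open a listening socket, then attribute its port back to this process."""
    s = socket.socket()
    try:
        s.bind(("127.0.0.1", 0))
        s.listen(1)
        port = s.getsockname()[1]
        return pid_for_socket_inode(socket_inode_for_port(port)) == os.getpid()
    finally:
        s.close()


if __name__ == "__main__":
    print(parse_netfilter_log(SAMPLE_LOG))
    print("self attribution works:", self_check())
```

The lookup is a race: a SYN that was dropped leaves a socket in SYN_SENT only briefly, so by the time a log reader gets to the line the inode may be gone, which is why `attribute_log_line` returns None rather than guessing. For durable attribution on the sending host you need something that records the association at connect time (audit, or a hook in the application's own context), not a packet filter.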
Gary E. Terry
2006-Jan-02 20:05 UTC
Re: How to log and block specific application activity
I may be wrong, but I think you are barking up the wrong tree. Instead of looking to the firewall for your protection, you should be looking at the particular machines you need to protect and use some sort of policy on them to prevent the use of IE and so on. I don't think there is any way that the firewall can determine what the client software is and block specific titles.

----- Original Message -----
From: "Andrei Verovski (aka MacGuru)" <andreil1@starlett.lv>
To: <shorewall-users@lists.sourceforge.net>
Sent: Monday, January 02, 2006 2:42 PM
Subject: [Shorewall-users] How to log and block specific application activity
Andrei Verovski (aka MacGuru)
2006-Jan-02 20:24 UTC
Re: How to log and block specific application activity
Hi, Gary,

Thanks for the reply.

I have seen this tip to block Acrobat Reader 7 from making unwanted requests:

iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP

I did not try it, but somehow there is an owner's packet attribute?

On Monday 02 January 2006 22:05, Gary E. Terry wrote:
> I may be wrong, but I think you are barking up the wrong tree. Instead of looking to the firewall for your protection you should be looking at the particular machines you need to protect and use some sort of policy on them to prevent the use of IE and so on. I don't think there is any way that the firewall can determine what the client software is and block specific titles.
Tom Eastep
Re: How to log and block specific application activity
On Monday 02 January 2006 11:42, Andrei Verovski (aka MacGuru) wrote:
> Since they are using the same ports, one needs to filter traffic from/to specific application(s) and not certain ports and/or protocols.
> Unfortunately, there is no information about which application(s) have requested certain packets.

As clearly stated at http://www.shorewall.net/Shorewall_Doesnt.html:

Shorewall Does not:
* Act as a "Personal Firewall" that allows internet access by application.

Recently, the ability to match local outgoing traffic by "command" was removed from Netfilter. The Netfilter developers realized that the architecture of Netfilter doesn't allow it to do this type of filtering. A different architecture is needed whereby filtering takes place in the context of the sending application rather than in the low-level tasklet environment where Netfilter runs.

In other words, no Netfilter-based configuration tool (including iptables itself) is going to do what you want when running under current Linux kernels (2.6.14 and later).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Jan-02 20:42 UTC
Re: How to log and block specific application activity
On Monday 02 January 2006 12:24, Andrei Verovski (aka MacGuru) wrote:
> Hi, Gary,
>
> Thanks for the reply.
>
> I have seen this tip to block Acrobat Reader 7 from making unwanted requests:
>
> iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
>
> I did not try it, but somehow there is an owner's packet attribute?

I've just told you that the capability you are showing above has been REMOVED from netfilter. Shorewall does support it if your kernel and iptables do, but I don't recommend using it since it will stop working when you upgrade your kernel.

Also, it is trivial to outwit the above rule by:

ln -s `which acroread` foo
./foo &

-Tom
Tom Eastep
Re: How to log and block specific application activity
On Monday 02 January 2006 12:42, Tom Eastep wrote:
> Also, it is trivial to outwit the above rule by:
>
> ln -s `which acroread` foo
> ./foo

Ok -- poor example, because `which acroread` returns the name of a shell script that eventually execs /usr/X11R6/lib/Acrobat7/Reader/intellinux/bin/acroread. But the point remains that cmd-owner matches the command used to launch a program, and it's easy to fake that.

-Tom
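An added demonstration of the point Tom makes in the two messages above; it is my code, not Tom's or the Shorewall project's. The old ipt_owner `--cmd-owner` compared the kernel's per-task `comm` field, and that field is under the complete control of the unprivileged process that owns it: the kernel sets it from the basename of the path handed to execve(), so a symlink with the "right" name suffices, and `prctl(PR_SET_NAME)` rewrites it at any time without an exec at all. The example assumes Linux with /proc and Python 3.8 or later (for `threading.get_native_id`), and uses the running interpreter as the stand-in for the real executable; the names "acroread" and "firefox" are just the values being spoofed.

```python
"""Added example (not from the thread): why matching on the command name
is untrustworthy. ipt_owner's --cmd-owner compared the task's 15-byte
'comm' field, and any unprivileged process controls that value.
Assumptions: Linux with /proc; Python 3.8+ (threading.get_native_id)."""
import ctypes
import os
import subprocess
import sys
import tempfile
import threading

PR_SET_NAME = 15  # prctl(2) constant on Linux


def comm_of(pid):
    """The command name the old --cmd-owner match compared against."""
    with open("/proc/%d/comm" % pid) as fh:
        return fh.read().rstrip("\n")


def run_under_fake_name(fake_name, seconds=5):
    """Launch this interpreter through a symlink called fake_name and return
    the comm the kernel gave the child. comm is derived from the basename of
    the path passed to execve(), so the symlink name wins. This is the
    'ln -s ... foo; ./foo' trick from the thread, pointed at a real ELF
    binary rather than a wrapper script."""
    with tempfile.TemporaryDirectory() as tmp:
        link = os.path.join(tmp, fake_name)
        os.symlink(sys.executable, link)  # assumption: sys.executable is an ELF python
        child = subprocess.Popen(
            [link, "-c", "import time; time.sleep(%d)" % seconds])
        try:
            return comm_of(child.pid)
        finally:
            child.kill()
            child.wait()


def _current_comm():
    tid = threading.get_native_id()
    with open("/proc/self/task/%d/comm" % tid) as fh:
        return fh.read().rstrip("\n")


def rename_self(new_name):
    """Rewrite the calling thread's comm in place with prctl(PR_SET_NAME):
    no exec, no symlink, no privilege. Returns the value read back from
    /proc; the kernel truncates it to 15 characters."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_NAME, new_name.encode(), 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NAME) failed")
    return _current_comm()


def with_temporary_name(new_name):
    """Spoof the comm, read it back, then restore the original so the
    caller's process is left as it was found."""
    original = _current_comm()
    try:
        return rename_self(new_name)
    finally:
        rename_self(original)


if __name__ == "__main__":
    print("child comm via symlink:", run_under_fake_name("acroread"))
    print("own comm via prctl:    ", with_temporary_name("firefox"))
```

Either technique would have let a rule such as `-m owner --cmd-owner acroread -j DROP` be sidestepped (by not being called acroread) or abused (by any program calling itself acroread to trigger a rule meant for another). The owner match that survived in later kernels, `--uid-owner`/`--gid-owner`, keys on the socket's credentials, which a process cannot rewrite; separating applications by user and filtering on UID is the nearest thing Netfilter still offers.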
Andrei Verovski (aka MacGuru)
2006-Jan-02 21:01 UTC
Re: How to log and block specific application activity
On Monday 02 January 2006 22:42, Tom Eastep wrote:
> I've just told you that the capability you are showing above has been REMOVED from netfilter. Shorewall does support it if your kernel and iptables do

Sorry, your mail arrived after I had sent my reply to Gary.
Cristian Rodriguez
2006-Jan-02 21:32 UTC
Re: How to log and block specific application activity
Andrei Verovski (aka MacGuru) wrote:
> I need to log and block the network activity of certain applications at the router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail.
>
> And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS players, in order to prevent them from catching viruses, spyware or downloading unwanted content like streaming video.

Then you need to get protection on the workstations. (BTW, disabling Internet Explorer completely in Windows is an ugly task, and can cause unwanted results ¡¡ :P)

Or you can use a proxy/content-filter (Squid + DansGuardian recommended) for these cases:

QuickTime/RealVideo/MS: ban the MIME types (can be faked)
Internet Explorer: ban the user agent (easily spoofable)

But I think you need to apply some LART. ;-)
Gary E. Terry
2006-Jan-02 21:37 UTC
Re: How to log and block specific application activity
It may be much easier in the long run to just educate the users who would be affected by this situation that you don't want them using those apps and why. Set a policy, and if they don't follow that policy then you will have to deal with them.

----- Original Message -----
From: "Andrei Verovski (aka MacGuru)" <andreil1@starlett.lv>
To: <shorewall-users@lists.sourceforge.net>
Sent: Monday, January 02, 2006 2:42 PM
Subject: [Shorewall-users] How to log and block specific application activity
Cristian Rodriguez
2006-Jan-02 21:55 UTC
Re: How to log and block specific application activity
Andrei Verovski (aka MacGuru) wrote:
> I have seen this tip to block Acrobat Reader 7 from making unwanted requests:
>
> iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
>
> I did not try it, but somehow there is an owner's packet attribute?

Don't use that. IMHO it's braindead, and is actually a removed netfilter feature. And if you are confused, --cmd-owner is only for applications started _in_the_firewall_ itself, and it is a piece of cake to bypass.