Bulgrien, Kevin
2006-Jan-02 21:34 UTC
RE: How to log and block specific application activity
Have read the comments about Shorewall not being a personal firewall, etc., and am not necessarily advocating such use, but, trying to get into the poster's head, and doing some creative thinking, thought that possibly some form of EGID rule might help out if there is a reasonable reason behind the question. It is not hard for me to see how something like this could be useful.

Personally, I shudder at the thought of unconditionally unblocking all outgoing ports for an application... even on a system where the firewall is tending to act with "personal firewall" characteristics.

If a system admin wants to only trust certain executables, perhaps he could control access to the binaries, make them setgid to a special GID used only for filtering purposes (disclaimers abound and care is required, along with special consideration for binaries installed by package managers). Then the traffic is filterable by EGID for the executable on the firewall only.

This does not quite do what he asked (because you still have to ID allowed ports) and certainly does not do what was asked and certainly not if he wanted a standalone firewall to filter by app but it might be a way to get to where he was headed if his special circumstances warrant that type of management. This way, even user installed binaries of an approved app would not be allowed because they would not be running with the EGID the admin set up for the approved binary.

Ok, I'll shut up now. This is obviously not a reasonable solution for most firewalls, but the filtering by EGID and EUID is there for a reason.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Bulgrien, Kevin
Sent: Monday, January 02, 2006 2:31 PM
To: 'shorewall-users@lists.sourceforge.net'
Subject: RE: [Shorewall-users] How to log and block specific application activity

> I don't think there is any way that the firewall can determine
> what the client software is and block specific titles.

Agree in principle, but will add a comment that this is what software like ZoneAlarm does when the firewall is running on an end-user's Windows box. Maybe this is why the question was asked, and perhaps if the firewall is on the end-node itself the question is being asked whether there are more options akin to the EGID and EUID rules that can be written.

Kevin Bulgrien
Gary E. Terry
2006-Jan-02 21:41 UTC
Re: How to log and block specific application activity
Still the EGID and EUID blocking you are talking about are specific to a windows firewall? aren't they?

From what I can see netfilter doesn't know about either.

----- Original Message -----
From: "Bulgrien, Kevin" <Kevin.Bulgrien@GDSATCOM.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Monday, January 02, 2006 4:34 PM
Subject: RE: [Shorewall-users] How to log and block specific application activity
On Monday 02 January 2006 13:41, Gary E. Terry wrote:
> Still the EGID and EUID blocking you are talking about are
> specific to a windows firewall? aren't they?
>
> From what I can see netfilter doesn't know about either.

Check out the USER/GROUP column in several of the Shorewall configuration files (including /etc/shorewall/rules).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
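Added example, not from anyone in the thread: Kevin's "setgid the approved binary to a filtering-only GID" idea written out against the USER/GROUP column of /etc/shorewall/rules that Tom points to, together with the netfilter owner-match rule it amounts to. The group name netfilt, the path /usr/local/bin/approved-app and the port list are assumptions chosen for illustration; the approach only works for traffic that originates on the firewall host itself.

```shell
#!/bin/sh
# Added example, not from the thread: Kevin's "setgid the approved binary to a
# filtering-only GID" idea written against the USER/GROUP column Tom points to.
# Group name, binary path and port list are assumptions chosen for illustration.
set -eu

FILTER_GROUP="netfilt"                      # assumption: GID used only for matching
APPROVED_BIN="/usr/local/bin/approved-app"  # assumption: the one trusted executable
ALLOWED_PORTS="80,443"                      # assumption: ports the app may reach

# Step 1 (run as root): create the group and make the approved binary setgid to it.
# A package upgrade that replaces the file drops the bit, so re-check after updates.
setup_binary() {
  groupadd --system "$FILTER_GROUP"
  chgrp "$FILTER_GROUP" "$APPROVED_BIN"
  chmod g+s "$APPROVED_BIN"
}

# Report whether a file is setgid: ls -l shows 's' or 'S' in the group-execute slot.
is_setgid() {
  case "$(ls -ld "$1" | cut -c7)" in
    s|S) return 0 ;;
    *)   return 1 ;;
  esac
}

# Step 2: lines for /etc/shorewall/rules. Columns are ACTION SOURCE DEST PROTO
# DEST_PORT SOURCE_PORT ORIG_DEST RATE USER/GROUP; ":group" in the last column
# matches only packets generated by a process whose effective GID is that group,
# which is why this works only for traffic leaving the firewall host itself.
shorewall_rules() {
  printf 'ACCEPT      $FW  net  tcp  %s  -  -  -  :%s\n' "$ALLOWED_PORTS" "$FILTER_GROUP"
  # Everything else the host sends is logged and rejected, so a user-built copy of
  # the app (which lacks the setgid GID) shows up in the log instead of getting out.
  # Put further ACCEPT lines above this one for anything else the host needs (DNS etc.).
  printf 'REJECT:info $FW  net  all\n'
}

# What the first rule compiles to in netfilter: the owner match on the OUTPUT chain.
iptables_equivalent() {
  printf 'iptables -A OUTPUT -p tcp -m multiport --dports %s -m owner --gid-owner %s -j ACCEPT\n' \
    "$ALLOWED_PORTS" "$FILTER_GROUP"
}

shorewall_rules
iptables_equivalent
```

Run setup_binary as root once, then re-run is_setgid on the binary after every package update to confirm the bit survived.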