12
  1. Is it possible to create GUI firewall that works as Windows and Mac counterparts? Per program basis. Popup notification window when specific program want to send\recv data from network.
  2. If no, than why? What Linux kernel lacks to allow existence of such programs?
  3. If yes, than why there aren't such program?

P.S. This is programming question, not user one.

Marko Kevac
  • 2,902
  • 30
  • 47
  • 4
    possible duplicate of [create iptables rule per process/service](http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service) – Brian Roach Mar 27 '11 at 18:19
  • Please use the search before posting a new question. – Brian Roach Mar 27 '11 at 18:19
  • 2
    This isn't a duplicate. The mentioned question asks for ways to setup rules for known processes - this one involves triggers on unknown processes. – Erik Mar 27 '11 at 18:21
  • 2
    "This is programming question, not user one." - I am not sure I can agree. For me it's a typical How Stuff Works computer user question, isn't it? – Grzegorz Oledzki Apr 07 '11 at 20:31
  • 2
    have you seen how Douane works? http://askubuntu.com/a/330259/46437 – Aquarius Power Oct 08 '14 at 04:50
  • I am looking for the same thing (Migrating from a Mac) and found that Douane seems a good place to start. Sadly there is no package ready to be used except from ArchLinux. But i found this explanation which i will eventually try http://www.dedoimedo.com/computers/linux-per-application-firewall.html – Gerhard Jun 22 '16 at 21:59

5 Answers5

5
  1. Yes it's possible. You will need to setup firewall rules to route traffic through an userspace daemon, it'll involve quite a bit of work.
  2. N/A
  3. Because they're pretty pointless - if the user understands which programs he should block from net access he could just as well use one of multiple existing friendly netfilter/iptables frontends to configure this.
Erik
  • 88,732
  • 13
  • 198
  • 189
  • 2
    sorry if I'm wrong, but I disagree with the statement that such programs are pointless. For instance I would like to forbid all processes on my machine to connect to a network by default. But I need to access www, so I must allow 80, 443 and 53 ports. But if I allow them for any process, then the restriction to access the network is pretty pointless, because if I have some malicious program on my machine nothing prevents it to send stolen data to some web server for instance. – d.k Dec 24 '14 at 14:07
  • 3
    So when i want to allow my Webbrowser to connect to http (80) and https (443) but I do not want any other program to "call home" via ports 80 or 443, how would those iptables rules look like? My understanding is that there is no such seperation in iptables. Or is there? – Gerhard Jun 22 '16 at 22:02
5

It is possible, there are no restrictions and at least one such application exists.

I would like to clarify a couple of points though.

If I understood this article correct, the firewalls mentioned here so far and iptables this question is tagged under are packet filters and accept and drop packets depending more on IP addresses and ports they come from/sent to.

What you describe looks more like mandatory access control to me. There are several utilities for that purpose in Linux - selinux, apparmor, tomoyo.

If I had to implement a graphical utility you describe, I would pick, for example, AppArmor, which supports whitelists, and, to some extent, dynamic profiling, and tried to make a GUI for it.

OpenSUSE's YaST features graphical interface for apparmor setup and 'learning' , but it is specific to the distribution.

So Linux users and administrators have several ways to control network (and files) access on per-application basis.

Why the graphical frontends for MAC are so few is another question. Probably it's because Linux desktop users tend to trust software they install from repositories and have less reasons to control them this way (if an application is freely distributed, it has less reasons to call home and packages are normally reviewed before they get to repositories) while administrators and power users are fine with command line.

As desktop Linux gets more popular and people install more software from AUR or PPA or even from gnome-look.org where packages and scripts are not reviewed that accurately (if at all) a demand for such type of software (user-friendly, simple to configure MAC) might grow.

Roman Grazhdan
  • 467
  • 4
  • 15
1

To answer your 3rd point. There is such a program which provides zenity popups, it is called Leopard Flower: http://sourceforge.net/projects/leopardflower

abirvalg
  • 128
  • 1
  • 7
  • So, here (http://netfilter.org/projects/libnetfilter_queue/) is the answer... Thanks! – Marko Kevac May 18 '11 at 11:54
  • 2
    According to the stackexchange page: "As of 2014-01-12, this project [Leopard Flower] is no longer under active development." – nealmcb Feb 27 '14 at 21:04
0

I reached that Question as i am currently trying to migrate from a Mac to Linux. There are a lot of applications I run on my Mac and on my Linux PC. Some of them I trust fully. But others I am not fully trusting. If they are installed from a source that checks them or not, do i have to trust them because someone else did? No, I am old enough to choose myself.

In times where privacy is getting more and more complicate to achieve, and Distributions exist that show that we should not trust everyone, I like to be in control of what my applications do. This control might not end at the connection to the network/Internet but it is what this question (and mine is about.

I have used LittleSnitch for MacOSX in the past years and I was surprised how often an application likes to access the internet without me even noticing. To check for updates, to call home, ...

Now where i would like to switch to Linux, I tried to find the same thing as I want to be in control of what leaves my PC.

During my research I found a lot of questions about that topic. This one, in my opinion, best describes what it is about. The question for me is the same. I want to know when an application tries to send or receive information over the network/internet.

Solutions like SELinux and AppAmor might be able to allow or deny such connections. Configuring them means a lot of manual configuration and does not inform when a new application tries to connect somewhere. You have to know which application you want to deny access to the network.

The existence of Douane (How to control internet access for each program? and DouaneApp.com) show that there is a need for an easy solution. There is even a Distribution which seems to have such a feature included. But i am not sure what Subgraph OS (subgraph.com) is using, but they state something like this on there website. It reads exactly like the initial question: "The Subgraph OS application firewall allows a user to control which applications can initiate outgoing connections. When an unknown application attempts to make an outgoing connection, the user will be prompted to allow or deny the connection on a temporary or permanent basis. This helps prevent malicious applications from phoning home."

As it seems to me, there are only two options at the moment. One is to Compiling Douane manually mysqlf or two, switch distribution to Subgraph OS. As one of the answers state, everything is possible - So i am surprised there is no other solution. Or is there?

Community
  • 1
  • 1
Gerhard
  • 176
  • 1
  • 4
0
  1. Yes. Everything is possible
  2. -
  3. There are real antiviruses for linux, so there could be firewalls with GUI also. But as a linux user I can say that such firewall is not needed.
xappymah
  • 1,624
  • 10
  • 14