Mailinglist Archive: opensuse-security (605 mails)

Re: [suse-security] Filtering *outgoing* packets...
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Sat, 6 Oct 2001 00:48:13 -0600
  • Message-id: <004501c14e32$df736ea0$6400030a@xxxxxxxxxxxx>
> This is a well-known phenomenon. See the writeup on www.grc.com about
> 'Trojan Spyware'. Much of the objection to WinXP is that it forces this
> behaviour, under the guise of 'verifying the license'. If you don't
> connect to the internet, and allow it to phone home periodically, the OS
> simply shuts down. If you're running a business, your entire business is
> effectively held hostage until you get 'validated' by microsoft...

You don't have to run XP. If you don't like a product, don't use it. I'm so
sick and tired of people bitching about MS, especially on non-MS security
mailing lists!

> I, too, would like to know how to go about creating such a filter using
> iptables. The ZoneAlarm package for Windows filters based on program name
> for outgoing connections, but I have not seen anything short of a sniffer
> or tcpdump that will look at the packet content itself. I can't even
> imagine the processor overhead required to parse the content of every
> outgoing packet!

IPTables allows you to filter based on uid/gid. For example, most users will
probably only ever go out to port 25, 53, 80, maybe 110/143, 6667, etc. As
for parsing packets, uhh, have you ever heard of snort? Or any other NIDS for
that matter? It's actually a reasonable amount of overhead if done right.
And yes, you can do it at gigabit speeds.

> Does iptables have access to the pid of the originating process? Would a
> filter which used the pid, looked at /proc/<pid>/cmdline, and checked an
> 'allowed program' list like ZoneAlarm does, incur too much overhead to be
> practical?

Uhhh, well, that would be a lot of overhead. And I would just write a script
called netscape that invokes something else. Unlike Windows, it is much
harder to subvert a Linux box, assuming people do not log in as root and do
stupid things like run/install software from untrusted sources. OTOH some
popular Linux apps "phone home" and no-one seems to complain (like pine, for
example).

> Of course, this approach works only for a 'personal firewall' where the
> originating process and the firewall are on the same machine, and is
> meaningless on a standalone firewall protecting a LAN.

I could answer this, but I'm writing a rather large paper on the subject and
am sick to death of it already =). BTW MS proxy allows you to do stuff like
this (i.e. group sales is only allowed http and https access, no irc for
those naughty little monkeys).

> -- Rick Green

Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
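The uid/gid filtering mentioned in the reply, written out as an added example (this is not code from the post or from the list; it is an editor's illustration). It uses the iptables `owner` match in the OUTPUT chain to give each local user an explicit list of ports they may open new connections to, logs everything else, and defaults to printing the rules rather than loading them. The user names (alice, bob) and their port lists are assumptions chosen to mirror the "25, 53, 80, maybe 110/143, 6667" list above.

```shell
#!/bin/sh
# Added example, not from the list post: per-user egress filtering with the
# iptables "owner" match, i.e. the uid/gid filtering the reply refers to.
# The users (alice, bob) and their port lists are assumptions for illustration.
# By default the rules are only printed; "apply" (as root) loads them.
set -e

# Print the iptables command, or run it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# egress_rules USER TCP_PORTS
# Allow USER to open new TCP connections only to TCP_PORTS (comma-separated,
# multiport syntax) plus UDP/53 for DNS. The owner match is keyed on the uid
# that owns the socket, so renaming a binary (the "script called netscape"
# trick from the reply) does not get around it.
egress_rules() {
    user=$1
    tcp_ports=$2
    ipt -A OUTPUT -m owner --uid-owner "$user" -p tcp -m multiport --dports "$tcp_ports" \
        -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$user" -p udp --dport 53 -j ACCEPT
}

# Build the whole OUTPUT chain: default-deny, loopback and reply traffic
# allowed for everyone, one allow list per user, then rate-limited logging
# of whatever is left so denied "phone home" attempts show up in syslog.
apply_policy() {
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    egress_rules alice 25,53,80,110,143,6667
    egress_rules bob 53,80,443
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "
}

# ./egress.sh show   prints the rule set
# ./egress.sh apply  loads it (needs root and iptables)
case "${1:-}" in
    show)  apply_policy ;;
    apply) APPLY=1; apply_policy ;;
esac
```

Two caveats that tie back to the thread: the `owner` match only works on locally generated packets (OUTPUT and POSTROUTING), so this is exactly the "personal firewall" case Rick describes and is meaningless on a standalone firewall in front of a LAN; and `--gid-owner` works the same way for a group, which is the cheap route to a "sales gets http/https only" policy. The `LOG` rule is what makes the filter useful for detection: a user whose software tries to reach an unexpected port leaves an `egress-denied:` line in the kernel log instead of silently failing.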