On Fri, 5 Oct 2001, Ray Dillinger wrote:
> But when he started up Media Player, the firewall, in his words, "lit up like a Christmas tree." As it turns out there are some Windows applications that "phone home" with information you'd really rather not have people outside your firewall pawing through, including passwords in cleartext, lists of software installed, etc. And Media Player is one such.

This is a well-known phenomenon. See the writeup on www.grc.com about 'Trojan Spyware'. Much of the objection to WinXP is that it forces this behaviour, under the guise of 'verifying the license'. If you don't connect to the internet, and allow it to phone home periodically, the OS simply shuts down. If you're running a business, your entire business is effectively held hostage until you get 'validated' by Microsoft...

> So set up a good firewall that filters outgoing packets on content, as well as incoming packets on port number.

I, too, would like to know how to go about creating such a filter using iptables. The ZoneAlarm package for Windows filters based on program name for outgoing connections, but I have not seen anything short of a sniffer or tcpdump that will look at the packet content itself. I can't even imagine the processor overhead required to parse the content of every outgoing packet! Does iptables have access to the pid of the originating process? Would a filter which used the pid, looked at /proc/<pid>/cmdline, and checked an 'allowed program' list like ZoneAlarm does, incur too much overhead to be practical? Of course, this approach works only for a 'personal firewall' where the originating process and the firewall are on the same machine, and is meaningless on a standalone firewall protecting a LAN.

-- 
Rick Green
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
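Added example, not from the thread: a ZoneAlarm-style per-program egress audit for Linux built from /proc, which supplies the information the /proc/<pid>/cmdline idea above needs. A socket appears in /proc/net/tcp with its inode and owning uid; the process holding it is whichever /proc/<pid>/fd/* link reads socket:[inode]. The parsing and policy functions are pure and fed with constructed sample data (the addresses, pids, program paths and policy below are made up), so they run on any OS; the live_* helpers only do anything on Linux. Two caveats a practitioner would want: program identity is taken from /proc/<pid>/exe, which the kernel maintains, not from cmdline, whose argv[0] a process can set to anything; and this is a detective audit of sockets that already exist, not an enforcement point, since iptables' owner match (-m owner --uid-owner/--gid-owner) keys on the socket's uid/gid rather than on a pid or program name.

```python
"""Per-program egress audit on Linux from /proc (added example, not from the thread)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


@dataclass
class Conn:
    local: str    # "a.b.c.d:port"
    remote: str
    state: str
    uid: int
    inode: int    # socket inode: the key that links a connection to a process


def _decode_addr(field: str) -> str:
    """'0100007F:0016' -> '127.0.0.1:22' (IPv4 only; /proc/net/tcp stores it little-endian hex)."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return "%s:%d" % (".".join(octets), int(port_hex, 16))


def parse_proc_net_tcp(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append(Conn(_decode_addr(f[1]), _decode_addr(f[2]),
                          TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return conns


def owner_of_inode(inode: int, fd_links: Dict[int, List[str]]) -> Optional[int]:
    """fd_links: pid -> readlink() targets of /proc/<pid>/fd/*. Returns the pid holding the socket."""
    want = "socket:[%d]" % inode
    for pid, links in fd_links.items():
        if want in links:
            return pid
    return None


def decide(exe: Optional[str], remote_port: int,
           allowlist: Dict[str, Optional[Set[int]]]) -> str:
    """Policy: program path -> allowed remote ports (None = any port). Unknown program -> deny."""
    if exe is None or exe not in allowlist:
        return "deny"
    ports = allowlist[exe]
    return "allow" if ports is None or remote_port in ports else "deny"


def audit(conns: List[Conn], fd_links: Dict[int, List[str]],
          exe_of: Dict[int, str], allowlist: Dict[str, Optional[Set[int]]]):
    """Return (remote, pid, exe, verdict) for every non-listening connection."""
    out = []
    for c in conns:
        if c.state == "LISTEN":
            continue
        pid = owner_of_inode(c.inode, fd_links)
        exe = exe_of.get(pid) if pid is not None else None
        port = int(c.remote.rsplit(":", 1)[1])
        out.append((c.remote, pid, exe, decide(exe, port, allowlist)))
    return out


# --- live helpers: read the real /proc; unprivileged users only see their own processes ---
def live_fd_links() -> Dict[int, List[str]]:
    links: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % name
        try:
            fds = os.listdir(fd_dir)
        except OSError:                       # exited, or not our process
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:                   # fd closed between listdir and readlink
                pass
        links[int(name)] = targets
    return links


def live_exe_of() -> Dict[int, str]:
    """/proc/<pid>/exe is kernel-maintained; argv[0] in cmdline is whatever the process chose."""
    exe: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                exe[int(name)] = os.readlink("/proc/%s/exe" % name)
            except OSError:
                pass
    return exe


# Constructed sample (made up): a browser talking to port 80 and an unknown binary talking to 6667.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:8E2C 5E5C3B0D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9F3D 0A000001:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 123789 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FD_LINKS = {4242: ["/dev/null", "socket:[123456]"], 5151: ["socket:[123789]"]}
SAMPLE_EXE = {4242: "/usr/bin/firefox", 5151: "/tmp/.x/mediaplayer"}
POLICY: Dict[str, Optional[Set[int]]] = {"/usr/bin/firefox": {80, 443}, "/usr/bin/ssh": {22}}


def sample_report():
    return audit(parse_proc_net_tcp(SAMPLE_TCP), SAMPLE_FD_LINKS, SAMPLE_EXE, POLICY)


if __name__ == "__main__":
    rows = sample_report()
    if os.path.isdir("/proc/self/fd"):        # on Linux, also audit this machine
        with open("/proc/net/tcp") as fh:
            rows += audit(parse_proc_net_tcp(fh.read()), live_fd_links(), live_exe_of(), POLICY)
    for remote, pid, exe, verdict in rows:
        print("%-22s pid=%-6s %-28s %s" % (remote, pid, exe, verdict))
```

On the sample data the browser's port-80 connection is allowed and the unlisted /tmp binary's port-6667 connection is denied; the listening sshd socket is skipped. Run as root on a Linux box to see every process's sockets; as an ordinary user, /proc only exposes your own, so other users' connections show pid=None and are denied by the unknown-program rule.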