On Wednesday 06 May 2009 21:59:50 Jim Henderson wrote:
> I disagree. How many times have you (not you, Anders, but "you" in the general sense) installed a program and not known every time it opens an outbound connection?
> Would you expect, say, Inkscape, to need a network connection for anything?
I'm not big on graphics applications, so I don't really know what inkscape needs. But if you're that worried, simply block everything and let all valid connections complain until you manually let it through a socks proxy
> > To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
> Hands up, all the "normal users" (not the experts in system configuration) who understand how to configure AppArmor. :-)
> (FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).
...or you could just start the YaST module and let it do the work for you. Select OK for everything except the socket_* functions for an application that shouldn't do any networking (though you probably want to be careful with applications that use TCP networking to communicate with something else on localhost). But if you filter on type="inet" you won't block things like accessing the local X server :)
> > The normal iptables based firewall is enough to protect against incoming connections.
> Sure. That doesn't mean you can't protect against outgoing connections as well.
No, but if you're doing that, you have to ask yourself "what am I not protecting against?" It seems to me that establishing an outgoing connection is among the least harmful things a rogue application could do.

Anders
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
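For readers who want to see what the "block inet sockets but leave the local X server alone" idea from the thread looks like as an actual profile, here is an added example (written for this page, not posted by Anders or Jim and not shipped by openSUSE or the AppArmor project). It assumes Inkscape is installed at /usr/bin/inkscape, that the standard abstractions under /etc/apparmor.d/abstractions exist, and an AppArmor parser that understands `network` and `audit deny` rules; the file paths granted are illustrative.

```apparmor
# Added example profile for a desktop application that should never talk
# to the network. Assumptions: binary at /usr/bin/inkscape, standard
# AppArmor abstractions installed, tunables/global defines @{HOME}.
#include <tunables/global>

/usr/bin/inkscape {
  #include <abstractions/base>
  # The X abstraction grants the unix-socket access needed to reach the
  # local display; this is the "type inet vs. unix" distinction from the
  # thread, so X keeps working while IP networking is refused.
  #include <abstractions/X>
  #include <abstractions/fonts>
  #include <abstractions/user-tmp>

  # AppArmor is default-deny, so simply having no "network" rule already
  # refuses sockets. Spelling the denial out with "audit" documents the
  # intent and guarantees every attempt is logged. Note this also covers
  # loopback TCP, the caveat raised in the thread.
  audit deny network inet,
  audit deny network inet6,

  # The program itself plus the read-only data it ships with.
  /usr/bin/inkscape mr,
  /usr/share/inkscape/** r,

  # Documents and per-user configuration; "owner" limits this to files
  # owned by the invoking user.
  owner @{HOME}/** rw,
  owner @{HOME}/.config/inkscape/** rw,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.inkscape`, and switch it to complain mode first (`aa-complain /usr/bin/inkscape`) so that missing file rules show up as log entries instead of breaking the application; `aa-logprof` can then turn those entries into rules. Once enforced, a socket attempt appears in the kernel or audit log as an `apparmor="DENIED"` line carrying `family="inet"`, which is the check a defender wants for detecting the outbound-connection behaviour the thread is worried about. Because deny rules take precedence over allow rules in AppArmor, an application that legitimately needs localhost TCP cannot be handled by adding an allow next to these denies; for such a program drop the explicit denies and grant only the narrow `network inet tcp,` access it needs.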