Mailinglist Archive: opensuse (1425 mails)
Re: [opensuse] Re: Interactive Firewall Needed
- From: Anders Johansson <ajohansson@xxxxxxx>
- Date: Wed, 6 May 2009 22:20:15 +0200
- Message-id: <200905062220.15687.ajohansson@xxxxxxx>
On Wednesday 06 May 2009 21:59:50 Jim Henderson wrote:
> I disagree. How many times have you (not you, Anders, but "you" in the
> general sense) installed a program and not known every time it opens an
> outbound connection?
>
> Would you expect, say, Inkscape, to need a network connection for
> anything?

I'm not big on graphics applications, so I don't really know what inkscape
needs. But if you're that worried, simply block everything and let all valid
connections complain until you manually let it through a socks proxy.

>> To prevent applications from opening illicit outgoing connections, run
>> it with apparmor, which is capable of preventing an application from
>> doing just about anything that you haven't previously allowed.
>
> Hands up, all the "normal users" (not the experts in system
> configuration) who understand how to configure AppArmor. :-)
>
> (FWIW, AppArmor configuration is part of Novell's Certified Linux
> Engineer certification - the final certification in SUSE Linux
> certifications - considered a highly advanced topic).

..or you could just start the yast module and let it do the work for you.
Selecting OK to everything except the socket_* functions for an application
that shouldn't do any networking (though you probably want to be careful with
applications that use tcp networking to communicate with something else on
localhost). But if you filter on type="inet" you won't block things like
accessing the local X server :)

>> The normal iptables based firewall is enough to protect against incoming
>> connections.
>
> Sure. That doesn't mean you can't protect against outgoing connections
> as well.

No, but if you're doing that, you have to ask yourself "what am I not
protecting against?" It seems to me that establishing an outgoing connection
is among the least harmful things a rogue application could do.

Anders
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
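
The triage described in the message above (approve everything a learning-mode run records except IP sockets, while leaving local sockets such as the X server connection alone), as an added example that is not part of the original thread. The log lines are constructed, their field layout is an assumption modelled on AppArmor's key="value" audit records, and `parse` and `propose_rules` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed complain-mode records; field names (operation, family,
# sock_type, profile) are assumed, not copied from a real system.
SAMPLE_LOG = '''\
type=APPARMOR_ALLOWED msg=audit(1241641215.687:41): operation="socket_create" family="unix" sock_type="stream" protocol=0 pid=4711 profile="/usr/bin/inkscape"
type=APPARMOR_ALLOWED msg=audit(1241641216.102:42): operation="socket_create" family="inet" sock_type="stream" protocol=6 pid=4711 profile="/usr/bin/inkscape"
type=APPARMOR_ALLOWED msg=audit(1241641216.340:43): operation="socket_connect" family="inet6" sock_type="dgram" protocol=17 pid=4711 profile="/usr/bin/inkscape"
type=APPARMOR_ALLOWED msg=audit(1241641217.001:44): operation="file_mmap" name="/usr/lib/libxml2.so.2" pid=4711 profile="/usr/bin/inkscape"
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
IP_FAMILIES = {"inet", "inet6"}


def parse(line):
    """Return the key/value fields of one audit record, quotes stripped."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}


def propose_rules(log_text):
    """Map each profile to the network rules this triage would produce."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec.get("operation", "").startswith("socket_"):
            continue  # file and other events are reviewed separately
        profile = rec.get("profile")
        family, sock_type = rec.get("family"), rec.get("sock_type")
        if not (profile and family and sock_type):
            continue  # incomplete record, nothing to decide on
        # A family-level rule cannot tell localhost from a remote peer, so
        # denying inet also blocks TCP to 127.0.0.1; unix sockets stay allowed.
        verb = "deny network" if family in IP_FAMILIES else "network"
        rules[profile].add(f"{verb} {family} {sock_type},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in propose_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in lines:
            print("  " + rule)
```
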