On Wed, 06 May 2009 22:20:15 +0200, Anders Johansson wrote:

> On Wednesday 06 May 2009 21:59:50 Jim Henderson wrote:
>
>> I disagree. How many times have you (not you, Anders, but "you" in the general sense) installed a program and not known every time it opens an outbound connection?
>>
>> Would you expect, say, Inkscape, to need a network connection for anything?
>
> I'm not big on graphics applications, so I don't really know what inkscape needs. But if you're that worried, simply block everything and let all valid connections complain until you manually let it through a socks proxy.

That's kinda my point. You don't know what Inkscape needs - it actually does have a "whiteboarding" capability that uses a network connection. Maybe it starts up when you start the app, maybe not. I don't know.

> To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.

Hands up, all the "normal users" (not the experts in system configuration) who understand how to configure AppArmor. :-)

(FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).

> ..or you could just start the yast module and let it do the work for you. Selecting OK to everything except the socket_* functions for an application that shouldn't do any networking (though you probably want to be careful with applications that use tcp networking to communicate with something else on localhost). But if you filter on type="inet" you won't block things like accessing the local X server :)

So again, hands up all "normal" users who know that this is the way to configure AppArmor. Or who understood what Anders said here. ;-) It's not about catering to a technical audience, it's about catering to an audience who uses computers as a tool rather than as a way of life. I understand what you're saying, you understand what you're saying. My mother - a normal computer user who uses her PC to design greeting cards, send e-mail, and work on patterns for her sewing - would have no idea what you mean by this.

>>> The normal iptables based firewall is enough to protect against incoming connections.
>>
>> Sure. That doesn't mean you can't protect against outgoing connections as well.
>
> No, but if you're doing that, you have to ask yourself "what am I not protecting against?" It seems to be that establishing an outgoing connection is among the least harmful a rogue application could do.
And yet it's one of the more popular avenues to compromise a system - trick the user into running something they didn't mean to and then connect outbound. Why? Because it's something a lot of systems don't protect against.

Jim

-- 
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
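The profile below is an added example of the configuration Anders describes (deny the inet socket families, leave the local X server reachable); it is not from this thread or from the openSUSE project. The binary path /usr/bin/inkscape, the data directory and the home-directory rule are assumptions chosen for illustration, not taken from the discussion.

```apparmor
# Added example, not from the thread. Save as /etc/apparmor.d/usr.bin.inkscape
# (file name follows the usual AppArmor convention for the profiled path).
#include <tunables/global>

/usr/bin/inkscape {
  #include <abstractions/base>
  #include <abstractions/fonts>
  # X server access, including the /tmp/.X11-unix/ UNIX socket. This is what
  # keeps the GUI working even though all inet networking is denied below.
  #include <abstractions/X>

  # Assumed paths: the program itself, its shared data, and the user's files.
  /usr/bin/inkscape mr,
  /usr/share/inkscape/** r,
  owner @{HOME}/** rw,

  # The point of the profile: no IPv4/IPv6 sockets at all, so a feature the
  # user never asked for (or anything else running in this process) cannot
  # open an outbound connection. UNIX-domain sockets such as X are not
  # covered by these rules, so local desktop plumbing keeps working.
  deny network inet,
  deny network inet6,
}
```

Load it in complain mode first (aa-complain /usr/bin/inkscape) and watch the log for apparmor="DENIED" entries while using the application normally, then switch to aa-enforce once the file rules cover what it actually needs; aa-logprof can turn those log entries into rules. As Anders notes, an application that talks to something on localhost over TCP will be broken by the two deny lines, so that is the case to check before enforcing.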