JaguarNight wrote:The rest of apps I found were either too simple or discontinued development.
I'm afraid of that it's not such easy...AlbertP wrote:...Just set your program to use a fixed port and allow that port in the Gufw...
LeopardFlower APPLICATION-based Firewall for Linux:
Personal firewall for Linux OS (based on libnetfilter_queue) which allows to allow or deny Internet access on a per-application basis rather than on a port/protocol basis.
from the README file:
----Leopard Flower 0.4 (released Oct 2011)----
Leopard Flower (LPFW) gives the user control over which applications are allowed to use the network. It consist of a backend/daemon and a graphical frontend.
These instructions apply specifically to Ubuntu 10.10 but are very likely to work on other Linux distributions.
The following packaged must be installed for lpfw to work:
1. Make sure files lpfw and lpfwgui are in the same folder
2. In a terminal window launch "lpfw" as root
3. In a terminal window of an X session launch "lpfw --gui" as a regular user (not root). You will see the graphical frontend.
4. Is you prefer to use a command line frontend instead of the graphical one, issue "lpfw --cli" in a terminal window of an X session.
1. If you don't want lpfw to look for lpfwcli/lpfwgui in the same folder, you can pass to lpfw a command line option --cli-path=/--gui-path= followed by a path to lpfwcli/lpfwgui
2. If you want lpfw to start upon system boot-up, lpfw.conf is an upstart script which should be placed into /etc/init.(If your distro doen't use upstart, then the script should be adjusted to your distro's needs). This script expects to find lpfw in /usr/sbin
3. 30-lpfw.conf can be placed into /etc/rsyslog.d if you want logs to go to syslog
4. Assuming lpfw was launched either by upstart or manually as root, in a terminal window of an X session launch "lpfw --cli"/"lpfw --gui" as a regular user (not root). You will see an ncurses-based/graphical frontend.(By default lpfwcli uses zenity popups. If you don't want to use zenity run ./lpfw --cli --no-zenity)
These can be also seen with "lpfw --help".
File to which rules are commited (default: /etc/lpfw.rules)
Where to write logs. Possible values stdout(default), file, syslog
If --logging_facility=file, then this is the file to which to write logging information. Default /tmp/lpfw.log
Pidfile which prevents two instances of lpfw being launched at the same time. Default /var/log/lpfw.pid
Path to lpfwcli ncurses frontend. It will be launched in xterm window. Default: in the same folder as lpfw
Path to a standalone graphical frontend. Default: in the same folder as lpfw
Path to python-based graphical frontend lpfwgui.py. It will be launched in python. Default: in the same folder as lpfw
Enables different levels of logging. Possible values 1 or 0 for yes/no. Default: all three 1.
To invoke a frontend, issue the following;
lpfw --cli Ncurses
lpfw --gui Standalone
lpfw --guipy Python-based
1. lpfwcli can be invoked only from within X session, it can't work under pure tty(for security reasons).
2. Only one program can send ICMP packets simultaneously, if more than one does, LPFW blocks both.
3. Only IPv4 is supported, IPv6 support is underway.
4. A combination of exceptionally large executables(20Mb+) + slow CPU may result in a 2+ seconds delay when an application connects to the web for the first time, due to heavy calculations performed by sha512 checksumming function.
5. Only TCP, UDP, ICMP (partly, see above) protocols are supported. If your system happens to use any other transport protocol besides TCP/UDP/ICMP and you don't want those packets discarded by lpfw, consider adding a rule to iptables something like: >>> iptables -I OUTPUT 1 -p udplite -j ACCEPT <<< This rule should preceed NFQUEUE rule.
6. Access to network filesystems like NFS, CIFS, SMB an others or to in-kernel servers like khttpd will not be detected by LPFW since such access doesn't create user-space sockets. You will have to manually add iptables rules for such services.
7. If LPFW crashes, the user will have to issue "iptables -F" as root to be able to access the internet without restarting computer.
8. After going to sleep and waking up the PC, LPFW doesn't work properly, it has to be restarted.
9. Albeit lpfwgui is a simple frontend, it consumes 30+ Mb of memory. An attempt to reduce memory consumption is underway.
THE REST OF THIS FILE'S CONTENTS IS TECHNICAL INFORMATION FOR SYSTEM ADMINISTRATORS AND ADVANCED USERS:
HEADLESS MODE - WITHOUT FRONTEND:
If you want to run LPFW without the frontend, you may want to edit the rulesfile manually
By default rules are written to /etc/lpfw.rules in the following blocks of text:
full path to the executable file <new line character>
ALLOW ALWAYS or DENY ALWAYS <new line character>
executable file's size in bytes <new line character>
executable file's sha512 sum in hexadecimal representation <new line character>
(optional line) additional options like [CPUHOG] <new line character>
the block ends with a <new line character>
LeopardFlower (LPFW) utilizes a facility provided by netfilter whereby all outgoing and incoming packets which initiate a new connection are delivered to LPFW for decision on whether to drop them or accept them. LPFW sets up a rule with iptables similar to
iptables -A OUTPUT -j NFQUEUE --queue-num 11220
and installs a callback (using libnetfilter_queue) which is notified whenever a packet hits the NFQUEUE (NFQ). The fact that LPFW doesn't need to process every single packet but only those which initiate new connections, significantly decreases LPFW's CPU consumption.
Upon start up, LPFW read a rules file (if any was created in the previous session) which contains internet access permissions per application. Based upon these rules, whenever a new packet hits NFQ, LPFW decides whether to allow or deny internet access or whether to ask the user what to do if no rule for the application in question has yet been defined.
In order to establish a correlation between a packet which hit nfq and the application which sent it, LPFW does the following:
1. for an outgoing packet - extract source port (for an incoming packet - extract destination port) and look up in /proc/net/tcp to see which socket corresponds to the port.
2. Having found the socket, scan /proc/<PID>/fd to see which process owns the socket
3 Finally extract the application name from /proc/<PID>/exe
LPFW sets a unique netfilter mark on all connections of a specific app. This enables LPFW to instantly halt all app's internet activity if user chooses so. In order to set such a netfilter mark, LPFW uses libnetfilter_conntrack library.
No I don't trust apps even from a well know source. Advertisers are paying way to much money to programes these days. Information is vital and they want yours.
Sammaul wrote:has anyone heard of Zone Alarm? It is apparently a program just like little snitch but for linux. If it is useful it may be what we are looking for in addition to a basic firewall
Users browsing this forum: karlchen and 30 guests