Ubuntu – be notified about blocked connection attempts

firewallnotification-area

My computer is running Ubuntu 10.10 and I would like to know if there is a firewall that actively informs me when a certain program is trying to access the internet or when a connection attempt is blocked from the internet. I remember ZoneAlarm for Windows will alert you to blocked attempts but now that I have switched to Ubuntu I'm not so sure. All my searching leads me to is gufw.

Best Answer

As far as I know the answer to both questions is unfortunately "no".

Details (but I'm going to simplify here anyway):

firewall that actively informs me when a certain program is trying to access the internet

The kernel net filter that firewalls use does not work well on the application level, so it is not used for that purpose. Though it is generally possible to filter outgoing connections (for all programs), it is hard to do, as you can't block connections to port 80 (used for http - just used as an example here), which means that a rogue application can easily use that port to make connections.
Even if this was possible, it would be quite hard to implement, as the connections are either allowed or blocked (and not "intercepted" or "paused" as with e.g. ZoneAlarm) so you don't get a chance to actively allow or ban the request on-the-fly.
One option on an application level would be AppArmor (you can restrict connecting to the Internet among other things there), but it's not very beginner-friendly and granular.

actively informs when a connection attempt is blocked from the internet

It does if you configure it so - for instance ufw by default logs to /var/log/kern.log. Notification via system notifications is certainly possible though I don't know of any such program (for AppArmor it is apparmor-notify).

Related Solutions

Ubuntu – How to block internet access for wine applications

There's a nice tutorial on blocking any given program from accessing the Internet on the Ubuntu forums.

Steps

sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet

iptables rule to prevent that group from accessing the network

sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

Process you don't want to have internet access using sg or sudo -g (execute command as different group ID):

sg no-internet -c "processFullPath args"

It basically involves creating a new group, denying it Internet access, and then running any program you want to restrict as that group ID. So in your case, you would just always run wine using the method described in the tutorial.

Ubuntu – What rules to use for UFW

If you've set ufw to enabled then you've enabled the preset rules, so it means ufw (via iptables) is actively blocking packets.

If you want more details, run

sudo ufw status verbose

and you will see something like this

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

which basically means that all incoming is denied and all outgoing allowed. It's a bit more complicated than that (for example ESTABLISHED - requested - packets are allowed in), and if you're interested in the full set of rules, see the output of sudo iptables -L.

If you have a public IP, you can use an online test to get an idea how good the filtering is, for example www.grc.com (look for ShieldsUP) or nmap-online.

You should also see messages about blocked/allowed packets in logs (/var/log/syslog and /var/log/ufw.log).

Best Answer

Related Solutions

Ubuntu – How to block internet access for wine applications

Ubuntu – What rules to use for UFW

Related Question