Ubuntu – Reverse Firewall or Application Firewalls

firewallsoftware-recommendation

Firewalls are typically employed to prevent bad "packets" coming in from the outside world. But these days we are mostly behind routers and a lot of that danger is mitigated by the router. The danger we face is mostly from within. The proverbial Trojan horse.

In Windows world there are a lot of Application Firewalls and OSX has a neat utility called "Little Snitch" with does this job of ensuring applications behave by not requesting data outside of their scope. Even my iPhone, jail broken, has an app that prevents applications from accessing web site outside of their scope. Its surprising the amount of data they "push" to web sites like scorecard.com and a variety of apple servers. I disable these and the applications still work so I know its not necessary.

In Linux world there seems to be little in this vein. You can kludge it with iptables and some other scripts in perl to get the result in a very clumsy way.

Take this post which is frequently referenced when a question like this is asked.

How to control internet access for each program?

It doesn't answer the question.

They talk about firewalls that totally cut of a port which is not what most people want. All most people want is that application X which should be a local app doesn't go out and chat to the web when it has no need to chat to the web. Or a program that access yahoo weather goes to five other sites not related to its job of accessing the weather. Or in my one of my banking apps on iPhone goes outside of the bank to a webtrends web site. Sure its not related to Ubuntu but is an example of Apps behaving badly.

The other app referred to in this post is Leopard Flower which hasn't been updated in a year and I'd hate to keep that running with the up coming release of Ubuntu.

All other posts related to this area keep making recommendations for apps that totally cut off access for an application but don't provide that simple "Little Snitch" idea of App X wants to access Web Y, Allow or Deny access. No complicated iptable rules, no total port cut offs.

Have I looked hard enough or is there simply no "Application Firewall" for Ubuntu?

Best Answer

AppArmor

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities.

below link.

https://help.ubuntu.com/community/AppArmor

Related Solutions

Ubuntu – standalone graphical application for configuring Network Manager

I've tested this with fresh Ubuntu server 14.04 installation on a VBox. Setup with:

sudo apt-get update
sudo apt-get upgrade
sudo reboot
sudo apt-get install xserver-xorg xinit xterm
sudo apt-get --no-install-recommends install firefox
sudo reboot
sudo apt-get --no-install-recommends install network-manager
sudo reboot

It does not seem that many packages as half desktop with --no-install-recommends?!

sudo apt-get --no-install-recommends install network-manager-gnome

The following NEW packages will be installed:
  dbus-x11 gconf-service gconf-service-backend gconf2-common gnome-icon-theme
  hicolor-icon-theme humanity-icon-theme libappindicator3-1 libatk-bridge2.0-0
  libatspi2.0-0 libcairo-gobject2 libcolord1 libcroco3 libdbusmenu-glib4
  libdbusmenu-gtk3-4 libgconf-2-4 libgnome-bluetooth11 libgnome-keyring-common
  libgnome-keyring0 libgtk-3-0 libgtk-3-bin libgtk-3-common libindicator3-7
  liblcms2-2 libnm-glib-vpn1 libnm-gtk-common libnm-gtk0 libnotify4 librsvg2-2
  librsvg2-common libsecret-1-0 libsecret-common libwayland-cursor0
  libxkbcommon0 network-manager-gnome policykit-1-gnome
0 upgraded, 36 newly installed, 0 to remove and 3 not upgraded.
Need to get 5,787 kB of archives.
After this operation, 34.2 MB of additional disk space will be used.

If not, I don't think this is the best way. What if we remove non-needed features from network-manager-gnome package.

--disable-migration to remove gconf dep
--enable-introspection=no no need for gi lib
--with-modem-manager-1=no, --without-bluetooth depending on the case
--with-gtkver=2 to build it using gtk2 only as firefox no extra
--enable-indicator=no, indicator is gtk3. didn't work for me, raise errors in building

So on other machine/or Vbox, make the minimum build

sudo apt-get install dpkg-dev
sudo apt-get build-dep network-manager-gnome
apt-get source network-manager-gnome
cd network-manager-applet-0.9.8.8/
./configure --prefix=/opt/nm/ --disable-more-warnings --disable-migration --enable-introspection=no --with-modem-manager-1=no --with-gtkver=2 --without-bluetooth 
make
sudo make install
cd /opt/nm/
tar czf ~/Desktop/nm-custom.tgz .

Extract it on target machine

sudo mkdir /opt/nm
cd /opt/nm
sudo tar xvf ~/nm-custom.tgz

Install missing dependencies

sudo apt-get --no-install-recommends install libnm-glib-vpn1

Test
```
sudo /opt/nm/bin/nm-connection-editor
```

Ubuntu – ny Application level firewall for Ubuntu 16.04? (with GUI)

Douane

Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.

Installation

Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.

These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.

Open a terminal (Ctrl+Alt+T) to run the commands.

Preparation

Update your system:

sudo apt update
sudo apt full-upgrade

If you get a notification asking to restart your computer, then restart it.

Install the dependencies

sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus

Create a directory for compilation

cd
mkdir Douane
cd Douane

Build the kernel module

git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms

Check if the module was built and installed correctly:

lsmod | grep douane

You should see something like:

douane                 20480  0

Build the daemon

cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install

Build the dialog process

cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install

Start the dialog process:

/opt/douane/bin/douane-dialog &

Then check if it is running:

pgrep -a douane-dialog

You should see something like:

21621 /opt/douane/bin/douane-dialog

Build the configurator

cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install

Start the daemon and setup automatic starting

I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:

### BEGIN INIT INFO
# Provides:          douane
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Douane firewall
### END INIT INFO

Open the file for edit:

sudo nano /etc/init.d/douane

Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.

This is the first 21 lines of the file after I inserted the text:

#!/bin/bash
#
# douane      This shell script takes care of starting and stopping
#             douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application. \
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides:          douane
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions

Now you can set up the auto start and start the daemon:

sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane

Activate the filter and auto start the dialog

Start the configurator:

douane-configurator

Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.

You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.

Test

If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.