Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-03-01 Thread Tom H
On Wed, Feb 28, 2018 at 6:35 PM, Grant Edwards
 wrote:
> On 2018-02-28, taii...@gmx.com  wrote:
>
>> Is there a windows style application layer firewall?
>
> Can you describe what that means? (For the benefit of those of us that
> aren't familiar with Windows.)

I don't use Windows but on macOS it means that you can allow an
application by name, without having to worry about possibly random
ports.

On my Mac:

# /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
ALF: total number of apps = 2

1 :  /Applications/Skype.app
  ( Allow incoming connections )

2 :  /usr/local/bin/unbound
  ( Block incoming connections )

#



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-03-01 Thread Tom H
On Wed, Feb 28, 2018 at 6:22 PM, taii...@gmx.com  wrote:
>
> Is there a windows style application layer firewall? I get that it doesn't
> stop truly malicious programs but I am simply wanting to stop random
> programs doing connections without my consent which due to the lennart
> potterings's of the world now are not just a windows freeware problem.

Switch to macOS and its running-by-default socketfilterfw ;)

You can set up OUTPUT iptables rules to allow certain ports and drop the others.



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-03-01 Thread Wols Lists
On 01/03/18 00:26, Rich Freeman wrote:
> Like everybody around here I prefer a FOSS implementation,
> and would trust it more due to the "many eyes" philosophy, but I'd
> stop short of saying that the Windows software firewall is
> particularly insecure.

Bear in mind that "many eyes" only works when said eyes are looking in
that direction.

The crucial take-away is that "many eyes" does not make products any
better, it just means that when a bug is found, it's a lot easier to
find the solution. Because any interested party can look for it rather
than hitting a notice "Kein Eintritt!"

Cheers,
Wol



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread mad.scientist.at.large


All microsoft software is inherently less secure.  You see, like many companies 
based here in amerika microsoft notifies nsa of bugs and does not patch them or 
notify anyone else until nsa says so, i.e. not unless/until nsa thinks they 
don't need the indirect back door "accidentally" included back door.  much 
harder but not impossible with linux and not at all difficult when you 
infiltrate development, as nsa did with one of the encrypted filesystems.  
please see 
 for an 
idea of how it really works here and elsewhere.   And don't think they 
harass/pressure/or are cooperated with by companies world wide.  The point 
being that once backdoors are in there is little to do.  HP and Dell (and 
doubtless others we still don't know about) put backdoors in their server 
hardware BIOSes that they claim to not know the workings of.

Remember the "Iran hostage 'crisis'", one of the 3 taken hostage, and likely 
the trigger, was working for a SWISS encryption company that had put nsa 
backdoors into its encryption products.  One of their employees had the 
misfortune to be servicing the product in Iran when it leaked out.

the point being that anyone who leaves/creates backdoors is making a way for 
others to violate the system.  This is seriously damaging the value (in 
financial terms) as people realize how grossly insecure it is and indeed that 
some of that is deliberate.  some of it is ignorance, badly implemented 
security can make things worse and all software adds bugs to a secure system 
(part of why it's very bad practice to use a whole pc and os as part of a 
voting machine, simpler is nearly always more secure).  Most security breaches 
of encrypted and non-encrypted systems are due to a software bug, though often 
partially a lack of good systems administration.   Apparently the math is good, 
but realize nsa employs more mathematicians than any other agency/company, 
about 2500+ as i recall, they know things about math that no one else does.  

p.s., there are good people at nsa, though fewer than there used to be and 
sadly bad attitudes seem now to be required for administrative jobs.  Many have 
left due to the most recent "return to the bad old days" as one of them put it 
(i.e. during the sixties when amongst other things doctor King, and countless 
others were spied on for political ends, i.e. in one of King's hotel rooms there 
were over 50 fbi bugs!  that would be a lot of bugs now.

and 702 is still law here, even though it explicitly allows law enforcement 
data illegally obtained by "homeland security" (a classic example of newspeak) 
in court and to LIE about where it came from, i.e. it legalizes perjury on the 
part of the state in many cases, the type of thing that usually causes a 
mistrial and gets people disbarred and sent to prison, though the defense can 
still get in trouble, sometimes.  currently the "rule of law" only applies when 
there is no government interest.

My country is adding back doors to routers and likely other electronics at 
customs, outbound at least but very likely inbound as well.  Despite public 
statements many of the tech companies still aid in illegal surveillance, 
partially because it makes more of their privacy policies void and allows them 
to collect, process, and sell your privacy.

do you have a samsung voice controlled tv?  samsung has allowed nsa to use 
these tv sets as bugs, which is likely the case with cell phone makers as well. 
 Hence the "creepy" notice in the manual that vocal commands are processed off 
site, i.e. remotely over the net in all cases.

what happens when a company doesn't comply with illegal orders from nsa?  they 
get shut down, remember Qwest (the former provider in colorado etc.), out of 
business and replaced by a very slimy competitor, all because they made a "big 
deal" over providing nsa with people's "meta data", often very, very useful.

I feel bad about my country's abandonment of basic human liberties and our 
own constitution/bill of rights, and worse about how it is enabling other 
countries to do the same and worse.  It is severely damaging the value of the 
internet and will result in financial losses globally. 

mad.scientist.at.large (a good madscientist)
--
God bless the rich, the greedy and the corrupt politicians they have put into 
office.   God bless them for helping me do the right thing by giving the rich 
my little pile of cash.  After all, the rich know what to do with money.


28. Feb 2018 17:26 by ri...@gentoo.org:


> On Wed, Feb 28, 2018 at 6:22 PM, taii...@gmx.com wrote:
>> Is there a windows style application layer firewall?
>
> Windows doesn't have an "application layer firewall" as far as I know.
> I believe that it does the filtering at the OS level, the same as
> Linux.
>
> Now, it is true that the UI for the Windows Firewall is typically used
> to set rules on a per-application basis. 

Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Rich Freeman
On Wed, Feb 28, 2018 at 6:22 PM, taii...@gmx.com  wrote:
> Is there a windows style application layer firewall?

Windows doesn't have an "application layer firewall" as far as I know.
I believe that it does the filtering at the OS level, the same as
Linux.

Now, it is true that the UI for the Windows Firewall is typically used
to set rules on a per-application basis.  However, I'm pretty sure
this can also be done with netfilter.  I'm not sure if any of the more
convenient netfilter front-ends offer this capability.

> I get that it doesn't
> stop truly malicious programs

As far as I'm aware there is nothing really wrong with the Windows
Firewall.  I wouldn't expect it to be any less secure than netfilter.
There is something to be said for having layers of defense and running
a firewall that isn't on the server being protected, but that is true
of both Linux and Windows.  Of course the Windows implementation could
contain a bug that the Linux implementation lacks, but the reverse is
also true.  Like everybody around here I prefer a FOSS implementation,
and would trust it more due to the "many eyes" philosophy, but I'd
stop short of saying that the Windows software firewall is
particularly insecure.

And of course if you want to filter based on process you have no
choice but to implement it on the host running the process.  This
doesn't prevent you from also having a separate firewall at the
network perimeter either.

-- 
Rich



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor

On 02/28/2018 04:47 PM, Grant Taylor wrote:
> I know that iptables can filter based on a process owner and cgroup. So, 
> depending on how the applications are running, you might be able to come 
> close to what you're after.


You might be able to punt (metadata about) packets into a user space 
program that can then make decisions based on additional information. 
I.e. what process owns the originating / terminating socket, and ACCEPT 
/ DROP / REJECT packets based on that.


I've never heard of such, but I see how it could work.  E.g. DROP / 
REJECT packets by default, and ACCEPT any packets that have a paternal 
process tied to the /usr/bin/thunderbird file.




--
Grant. . . .
unix || die





Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor

On 02/28/2018 04:22 PM, taii...@gmx.com wrote:
> Is there a windows style application layer firewall?


I'm not aware of one.

I know that iptables can filter based on a process owner and cgroup. 
So, depending on how the applications are running, you might be able to 
come close to what you're after.


I think I've seen a few firewall packages / solutions over the years 
that run a client on workstations that publish state on a central 
firewall, which will then filter flows based on their (lack of) 
registration state.  -  I've never messed with anything like this.


> I get that it doesn't stop truly malicious programs but I am simply 
> wanting to stop random programs doing connections without my consent 
> which due to the lennart potterings's of the world now are not just a 
> windows freeware problem.


I think for now, you have to block everything by default and explicitly 
allow what you want through.  Or use something like a SOCKS server that 
can do some different types of filtering than can be done with iptables.




--
Grant. . . .
unix || die
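One way to put together what Tom (default-deny OUTPUT with a few allowed ports), Rich (per-application rules via netfilter) and Grant (the owner and cgroup matches, block everything by default and allow explicitly) describe, as an added example that is not from anyone in the thread: a POSIX shell script that generates an iptables-restore ruleset and only loads it when APPLY=1. The user name unbound, the cgroup path user.slice/mail.slice and the chosen ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build a default-deny OUTPUT ruleset
# that lets only a named uid and a named cgroup out, in iptables-restore
# format.  Assumed placeholders: user "unbound" runs the resolver, and the
# mail client is started inside cgroup user.slice/mail.slice (for instance
# via systemd-run --slice=mail).  The cgroup path match needs cgroup v2
# and iptables >= 1.6.

# gen_ruleset USER CGROUP_PATH -> prints the ruleset on stdout
gen_ruleset() {
    user="$1"
    cgroup="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Loopback and replies to flows we already allowed.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Per-user: only the resolver's uid may talk DNS (53/udp and 53/tcp).
-A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -p tcp --dport 53 -j ACCEPT
# Per-application: processes in the mail cgroup may use IMAPS and SMTPS.
-A OUTPUT -m cgroup --path $cgroup -p tcp -m multiport --dports 993,465 -j ACCEPT
# Anything else is logged (rate-limited) and then falls to the DROP policy,
# so an unexpected program phoning home shows up in the kernel log.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# count_allow_rules USER CGROUP_PATH -> number of ACCEPT rules (sanity check)
count_allow_rules() {
    gen_ruleset "$1" "$2" | grep -c -- '-j ACCEPT'
}

# Dry run by default: print the ruleset.  APPLY=1 loads it (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    gen_ruleset unbound user.slice/mail.slice | iptables-restore
else
    gen_ruleset unbound user.slice/mail.slice
fi
```

Note that the owner match only works in the OUTPUT and POSTROUTING chains, and a program that re-executes under another uid or escapes its cgroup is not stopped by these rules, which matches the caveat in the original question.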





Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread taii...@gmx.com
Is there a windows style application layer firewall? I get that it 
doesn't stop truly malicious programs but I am simply wanting to stop 
random programs doing connections without my consent which due to the 
lennart potterings's of the world now are not just a windows freeware 
problem.