Re: [newbie] Firewall for allowing ports selectively
Il mer, 2005-04-06 alle 04:11, jdow ha scritto: > From: "frengoGorgia" <[EMAIL PROTECTED]> > > > Il mar, 2005-04-05 alle 21:05, Anne Wilson ha scritto: > > > On Tuesday 05 Apr 2005 19:37, jdow wrote: > > > > > > > > The cute problem is when you want to read a pdf file in your browser. > > > > It is probably better to save the pdf file and only allow AcroRead to > > > > access local files. > > > > > > I do tend to view the pdf in a browser first, then save it if it looks > useful. > > > > Anne , > > when you open a Pdf embed in a web page ,your browser download it in its > > cache so you have a copy saved locally . > > So it's the same thing open the pdf or save it and display later > > Are you sure it works that way, Frengo? There are indications that at > least one "widely distributed" (more's the shame) Web browser launches > AcroRead to reside in the browser window and passes it the file name > so that the file is downloaded by AcroRead. 8^) you are correct , jdow i mean only that there is no difference downloading the PDFfile with the browser plug-in or saving it "manually" with a right-click, and so the user don't have a prewiev of the file that "save" from downloading the complete file if the content of file isn't what he is looking for. The spyware-behaviour of acro-reader could only be prevented allowing it to open only local files . -- Regards, Francesco Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
From: "frengoGorgia" <[EMAIL PROTECTED]>
> Il mar, 2005-04-05 alle 21:05, Anne Wilson ha scritto:
> > On Tuesday 05 Apr 2005 19:37, jdow wrote:
> > >
> > > The cute problem is when you want to read a pdf file in your browser.
> > > It is probably better to save the pdf file and only allow AcroRead to
> > > access local files.
> >
> > I do tend to view the pdf in a browser first, then save it if it looks
useful.
>
> Anne ,
> when you open a Pdf embed in a web page ,your browser download it in its
> cache so you have a copy saved locally .
> So it's the same thing open the pdf or save it and display later
Are you sure it works that way, Frengo? There are indications that at
least one "widely distributed" (more's the shame) Web browser launches
AcroRead to reside in the browser window and passes it the file name
so that the file is downloaded by AcroRead.
{o.o}
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
Il mar, 2005-04-05 alle 21:05, Anne Wilson ha scritto: > On Tuesday 05 Apr 2005 19:37, jdow wrote: > > > > The cute problem is when you want to read a pdf file in your browser. > > It is probably better to save the pdf file and only allow AcroRead to > > access local files. > > I do tend to view the pdf in a browser first, then save it if it looks useful. Anne , when you open a Pdf embed in a web page ,your browser download it in its cache so you have a copy saved locally . So it's the same thing open the pdf or save it and display later Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 Apr 2005 19:37, jdow wrote: > > So you simply block all ports for AcroRead. That's as easy as only > blocking port 80. > > > The cute problem is when you want to read a pdf file in your browser. > It is probably better to save the pdf file and only allow AcroRead to > access local files. I do tend to view the pdf in a browser first, then save it if it looks useful. > So watch, the Acrobat people will include a little > app that AcroRead talks to and that little app accesses the net. It has > a different name so it can still communicate. You get into an arms race > quite literally. > > It may be that the way to handle this is in the court of public opinion. > Spray this information around to all your friends. If they stop using > AcroRead and use other tools instead maybe Adobe will get the message. > (For that matter - why use AcroRead on Linux, anyway?) > In theory, I don't mind a bit if an author wants to know about his work being read. The problem, of course, is in how it can be abused. As to why us AcroRead - things may have improved lately, but I first installed AcroRead because it handled scaleable printing better - printing 2-up, or A4 onto A5 paper. Certainly at that time I couldn't do it in any other package. Anne -- Registered Linux User No.293302 (http://counter.li.org/) Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels pgpWP90zcUWC4.pgp Description: PGP signature
Re: [newbie] Firewall for allowing ports selectively
From: "Bryan Phinney" <[EMAIL PROTECTED]>
> On Tuesday 05 April 2005 06:26, Anne Wilson wrote:
>
> > > An app that knows the difference between these two things? That's not
> > > asking for much now, is it? If I could build such a thing, nobody on
> > > this group could afford it, Cisco and the other router manufacturers
> > > would be in a bidding war to buy it for themselves.
> >
> > No, a user that knows the difference.
>
> Should have been more clear here. Two scenarios, first a user that has
access
> which I covered below, second, an app that can do it at root level without
> user access which I was pointing out is quite a stretch.
>
> > > If you have a single personal firewall-like app for Linux, that
problem
> > > is solved. If you install such an app and count on it to protect you
> > > from insecure software, you are living in a fool's paradise.
> > >
> > > Again, I don't have any problem with someone coding this, nor with
> > > running it, I simply don't see the point. It is "Windows" dressing,
> > > nothing more.
> >
> > I don't think so. I accept that it is not good control, but the
> > alternative seems to be complete absence of control. If an application
> > needs to reach out to get data, as Acrobat Reader does, then it has to
have
> > that ability, and I see no reason why it could not equally well send out
> > packets. Perhaps that's because I don't understand firewalling deeply
> > enough, but the discussions on both lists are not explaining the things
we
> > need to understand, like this point.
>
> Well, let's cover that really quickly. If Acroread is only being used to
> access local data, it needs no Internet access at all. Thus, you could
> firewall it off and still use it. However, as I understand things, it
> integrates into a browser and may actually pull the pdf file itself.
> Assuming that is the functionality you want, there is an outgoing request
to
> pull the data from the web, and then incoming packets that contain the pdf
> file. You could probably block posts which is what is being suggested,
but
> this implies an intimate knowledge of the workings of the app, knowing
what
> to block versus accept. Given the audience for this, I think that assumes
> entirely too much.
>
> Also, if Acroread is really using embedded javascript/java for this type
of
> thing, it is possible that someone can code the web bug such that
> communication is sent on a port other than port 80 and well above what
would
> be considered a security area that fits within the first 1024 ports.
Again,
> this requires some type of intimate knowledge of what is being done and
thus
> what needs to be blocked.
So you simply block all ports for AcroRead. That's as easy as only
blocking port 80.
The cute problem is when you want to read a pdf file in your browser.
It is probably better to save the pdf file and only allow AcroRead to
access local files. So watch, the Acrobat people will include a little
app that AcroRead talks to and that little app accesses the net. It has
a different name so it can still communicate. You get into an arms race
quite literally.
It may be that the way to handle this is in the court of public opinion.
Spray this information around to all your friends. If they stop using
AcroRead and use other tools instead maybe Adobe will get the message.
(For that matter - why use AcroRead on Linux, anyway?)
{^_^}Joanne
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 Apr 2005 11:57, Bryan Phinney wrote: > > Well, I did suggest that they pay someone to develop such an app as I > didn't think that there would be a big Linux audience for it. (The fact > that there is not a current project for such a thing, to my knowledge, > would tend to bear that out.) However, I don't think that suggestion is so > much rude as simply realistic. Thank you, Bryan. Your exposition of what actually happens, and would be likely to happen in a variety of situations is just what is needed to help us understand the issues. Personally I'm not terribly worried by this, and I quite take the point that if it is really necessary for someone they can buy the expertise. What I was really referring to was the constant RTFM in that thread, when, according to your exposition, that does not really address the issue. As I said, thanks for making things much more clear. Anne -- Registered Linux User No.293302 (http://counter.li.org/) Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels pgpByO8cbgwiF.pgp Description: PGP signature
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 April 2005 06:26, Anne Wilson wrote: > > An app that knows the difference between these two things? That's not > > asking for much now, is it? If I could build such a thing, nobody on > > this group could afford it, Cisco and the other router manufacturers > > would be in a bidding war to buy it for themselves. > > No, a user that knows the difference. Should have been more clear here. Two scenarios, first a user that has access which I covered below, second, an app that can do it at root level without user access which I was pointing out is quite a stretch. > > If you have a single personal firewall-like app for Linux, that problem > > is solved. If you install such an app and count on it to protect you > > from insecure software, you are living in a fool's paradise. > > > > Again, I don't have any problem with someone coding this, nor with > > running it, I simply don't see the point. It is "Windows" dressing, > > nothing more. > > I don't think so. I accept that it is not good control, but the > alternative seems to be complete absence of control. If an application > needs to reach out to get data, as Acrobat Reader does, then it has to have > that ability, and I see no reason why it could not equally well send out > packets. Perhaps that's because I don't understand firewalling deeply > enough, but the discussions on both lists are not explaining the things we > need to understand, like this point. Well, let's cover that really quickly. If Acroread is only being used to access local data, it needs no Internet access at all. Thus, you could firewall it off and still use it. However, as I understand things, it integrates into a browser and may actually pull the pdf file itself. Assuming that is the functionality you want, there is an outgoing request to pull the data from the web, and then incoming packets that contain the pdf file. You could probably block posts which is what is being suggested, but this implies an intimate knowledge of the workings of the app, knowing what to block versus accept. Given the audience for this, I think that assumes entirely too much. Also, if Acroread is really using embedded javascript/java for this type of thing, it is possible that someone can code the web bug such that communication is sent on a port other than port 80 and well above what would be considered a security area that fits within the first 1024 ports. Again, this requires some type of intimate knowledge of what is being done and thus what needs to be blocked. If you want local access to pdf's only, then use an OS pdf viewer. What is much more likely to happen is that Acroread will request access to pull the pdf, the user will click allow and then Acroread will yank the pdf and then try to send a web bug to the source and since it has already been given permission, it will send its data. Another scenario is that the user will click Allow for get and then deny for second Post attempt in which case, perhaps the PDF will not display which will cause the user to click Allow for the second and the web but goes out. The only point that I can see that is possibly valid is the idea of having a firewall to block heretofore unknown requests from apps that should not need network access. Things like the spyware and adware apps that are bundled with other apps. However, again, I would point out that if you go around installing untrusted apps on your machine, I don't think that any personal firewall-like app is going to salvage your security. You will be compromised. Just as so many Windows users are compromised even though they have personal firewalls installed. > The problem is that security is a huge subject. People who need to > understand security for their business invest a great deal of time in > learning it well, but for users that need only to protect themselves from a > few things they see as threats while getting on with their real need there > is no easy way to get an overview of the subject. We don't need the same > level of security, really, though obviously it would be nice, but this > isn't utopia. There are trade-offs to everything. If you tighten things down too much, a platform becomes nearly unusable for certain things. For instance, locking down a web server makes it an unsuitable platform for development, or building applications. If you lock down your desktop to the level that it is impossible for any local app to communicate out, you are going to likely end up with either a nightmare administration scenario or an unusable desktop. I still truly feel that this discussion is misplaced. Someone wants to run an app they don't trust and they want a second app to protect them from the first. The premise is faulty, the real solution is to not run untrusted apps. For example, Internet Explorer is a bad browser for a lot of reasons but one of which is that it allows ActiveX applications to run without user int
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 Apr 2005 11:13, Bryan Phinney wrote: > > > > I think what people really want is something like a dialogue box on any > > dial-out from an application that gives the option of > > > > this session > > always > > never > > > > so that they can block automatic dial outs but allow genuine ones. > > An app that knows the difference between these two things? That's not > asking for much now, is it? If I could build such a thing, nobody on this > group could afford it, Cisco and the other router manufacturers would be in > a bidding war to buy it for themselves. > No, a user that knows the difference. > If you, as a user, can > allow/deny packets, then a rogue process that you installed on your machine > can do the same thing for its own packets. It need merely know HOW to do > so. That sounds a valid point, to me. > If you have a single personal firewall-like app for Linux, that problem > is solved. If you install such an app and count on it to protect you from > insecure software, you are living in a fool's paradise. > > Again, I don't have any problem with someone coding this, nor with running > it, I simply don't see the point. It is "Windows" dressing, nothing more. I don't think so. I accept that it is not good control, but the alternative seems to be complete absence of control. If an application needs to reach out to get data, as Acrobat Reader does, then it has to have that ability, and I see no reason why it could not equally well send out packets. Perhaps that's because I don't understand firewalling deeply enough, but the discussions on both lists are not explaining the things we need to understand, like this point. The problem is that security is a huge subject. People who need to understand security for their business invest a great deal of time in learning it well, but for users that need only to protect themselves from a few things they see as threats while getting on with their real need there is no easy way to get an overview of the subject. We don't need the same level of security, really, though obviously it would be nice, but this isn't utopia. Frankly, the issue that started the discussion on Expert, that of Acrobat Reader being capable of telling an author who is reading his work, doesn't worry me personally. I'm just concerned that we are being told to either invest the time that a professional would, or 'take a running jump' - not that you would be so rude :-) Anne -- Registered Linux User No.293302 (http://counter.li.org/) Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels pgphQ1tLnNlOe.pgp Description: PGP signature
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 April 2005 04:49, Anne Wilson wrote: > On Tuesday 05 Apr 2005 01:11, Bryan Phinney wrote: > > So, when someone suggests that a Linux app be coded to provide the same > > false sense of security to users, when there are myriad choices of real > > firewalls as well as methods to lock the system down that are not > > trivially bypassed, some of us simply don't take the suggestion > > seriously. > > I think what people really want is something like a dialogue box on any > dial-out from an application that gives the option of > > this session > always > never > > so that they can block automatic dial outs but allow genuine ones. An app that knows the difference between these two things? That's not asking for much now, is it? If I could build such a thing, nobody on this group could afford it, Cisco and the other router manufacturers would be in a bidding war to buy it for themselves. > So far > many people have said that iptables rules should be used, but no-one has > actually shown that it can be done - at least they hadn't up to last night. > I haven't finished reading this morning. This has really been covered previously, Anne. If you, as a user, can allow/deny packets, then a rogue process that you installed on your machine can do the same thing for its own packets. It need merely know HOW to do so. If you have a single personal firewall-like app for Linux, that problem is solved. If you install such an app and count on it to protect you from insecure software, you are living in a fool's paradise. Again, I don't have any problem with someone coding this, nor with running it, I simply don't see the point. It is "Windows" dressing, nothing more. -- Bryan Phinney Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
On Tuesday 05 Apr 2005 01:11, Bryan Phinney wrote: > > So, when someone suggests that a Linux app be coded to provide the same > false sense of security to users, when there are myriad choices of real > firewalls as well as methods to lock the system down that are not trivially > bypassed, some of us simply don't take the suggestion seriously. > I think what people really want is something like a dialogue box on any dial-out from an application that gives the option of this session always never so that they can block automatic dial outs but allow genuine ones. So far many people have said that iptables rules should be used, but no-one has actually shown that it can be done - at least they hadn't up to last night. I haven't finished reading this morning. Anne -- Registered Linux User No.293302 (http://counter.li.org/) Have you visited http://twiki.mdklinuxfaq.org yet? Mandrake at all levels pgpejHYL6n4nq.pgp Description: PGP signature
Re: [newbie] Firewall for allowing ports selectively
On Monday 04 April 2005 18:32, Paul Smith wrote: > > I do belive this is being discussed in some context in the expert list as > > well? Might be worth joining to follow the thread. > > Since nobody answered suggesting a firewall with that feature, it may > be very complicated to achieve that, in case of being possible. I certainly think that it is possible, just not useful. There have been myriad conversations on this and other lists pointing out that personal firewall apps on Windows are simply panaceas that give windows users the illusion of security while actually not providing much of anything useful. So, when someone suggests that a Linux app be coded to provide the same false sense of security to users, when there are myriad choices of real firewalls as well as methods to lock the system down that are not trivially bypassed, some of us simply don't take the suggestion seriously. Certainly, it would be possible to set up a gui that provides interactive user level functions in iptables, but you would have to run as administrator, which is something that is far worse that what you would seek to protect yourself from in doing so. -- Bryan Phinney Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
On Apr 4, 2005 11:01 PM, Stephen Furlong <[EMAIL PROTECTED]> wrote: > > > > Is there some firewall (working through iptables) able to open > > > > selectively a port for a specific program and not to all programs > > > > installed? (Shorewall is not suitable for that purpose.) > > > > > > ** > > > Paul, shorewall can do what you desire. Go to; mcc > security > > > > firewall, and click on the advanced radio button on the bottom. > > > That will open up an area where you can specify special ports to > > > open. > > > > >* > > I'm sorry Paul, I didn't read your post carefully enough. Shorewall > > doesn't have the facility to do as you requirejust as you noted. :-) > > I do belive this is being discussed in some context in the expert list as > well? Might be worth joining to follow the thread. Since nobody answered suggesting a firewall with that feature, it may be very complicated to achieve that, in case of being possible. Paul Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
RE: [newbie] Firewall for allowing ports selectively
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > mandrake.com] On Behalf Of Angus Auld > Sent: 04 April 2005 11:10 > To: newbie@linux-mandrake.com > Subject: Re: [newbie] Firewall for allowing ports selectively > > > - Original Message - > From: "Angus Auld" <[EMAIL PROTECTED]>> > > > > - Original Message - > > From: "Paul Smith" <[EMAIL PROTECTED]> > > To: newbie@linux-mandrake.com > > Subject: [newbie] Firewall for allowing ports selectively > > Date: Sun, 3 Apr 2005 16:15:01 +0100 > > > > > > > > Dear All > > > > > > Is there some firewall (working through iptables) able to open > > > selectively a port for a specific program and not to all programs > > > installed? (Shorewall is not suitable for that purpose.) > > > > > > Thanks in advance, > > > > > > Paul > > > > ** > > Paul, shorewall can do what you desire. Go to; mcc > security > > > firewall, and click on the advanced radio button on the bottom. > > That will open up an area where you can specify special ports to > > open. > > HTH. > > Best regards. > > > > --Angus > > >* > I'm sorry Paul, I didn't read your post carefully enough. Shorewall > doesn't have the facility to do as you requirejust as you noted. :-) > > Best regards. > > --Angus > I do belive this is being discussed in some context in the expert list as well? Might be worth joining to follow the thread. Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
On Apr 3, 2005 9:02 PM, Angus Auld <[EMAIL PROTECTED]> wrote: > > Is there some firewall (working through iptables) able to open > > selectively a port for a specific program and not to all programs > > installed? (Shorewall is not suitable for that purpose.) > > ** > Paul, shorewall can do what you desire. Go to; mcc > security > firewall, and > click on the advanced radio button on the bottom. That will open up an area > where you can specify special ports to open. Unfortunately, Angus, it is not true: http://shorewall.net/Shorewall_Doesnt.html Regards, Paul Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
- Original Message - From: "Angus Auld" <[EMAIL PROTECTED]>> > > - Original Message - > From: "Paul Smith" <[EMAIL PROTECTED]> > To: newbie@linux-mandrake.com > Subject: [newbie] Firewall for allowing ports selectively > Date: Sun, 3 Apr 2005 16:15:01 +0100 > > > > > Dear All > > > > Is there some firewall (working through iptables) able to open > > selectively a port for a specific program and not to all programs > > installed? (Shorewall is not suitable for that purpose.) > > > > Thanks in advance, > > > > Paul > > ** > Paul, shorewall can do what you desire. Go to; mcc > security > > firewall, and click on the advanced radio button on the bottom. > That will open up an area where you can specify special ports to > open. > HTH. > Best regards. > > --Angus >* I'm sorry Paul, I didn't read your post carefully enough. Shorewall doesn't have the facility to do as you requirejust as you noted. :-) Best regards. --Angus "Let us not look back in anger or forward in fear, but around in awareness." -- James Thurber *** ~Linux Laptop, Powered by Mandrake 10.1~ *** ~Reg. Linux User #278931~ *** -- _ Web-based SMS services available at http://www.operamail.com. From your mailbox to local or overseas cell phones. Powered by Outblaze Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
Re: [newbie] Firewall for allowing ports selectively
- Original Message - From: "Paul Smith" <[EMAIL PROTECTED]> To: newbie@linux-mandrake.com Subject: [newbie] Firewall for allowing ports selectively Date: Sun, 3 Apr 2005 16:15:01 +0100 > > Dear All > > Is there some firewall (working through iptables) able to open > selectively a port for a specific program and not to all programs > installed? (Shorewall is not suitable for that purpose.) > > Thanks in advance, > > Paul ** Paul, shorewall can do what you desire. Go to; mcc > security > firewall, and click on the advanced radio button on the bottom. That will open up an area where you can specify special ports to open. HTH. Best regards. --Angus "Let us not look back in anger or forward in fear, but around in awareness." -- James Thurber *** ~Linux Laptop, Powered by Mandrake 10.1~ *** ~Reg. Linux User #278931~ *** -- _ Web-based SMS services available at http://www.operamail.com. From your mailbox to local or overseas cell phones. Powered by Outblaze Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
[newbie] Firewall for allowing ports selectively
Dear All Is there some firewall (working through iptables) able to open selectively a port for a specific program and not to all programs installed? (Shorewall is not suitable for that purpose.) Thanks in advance, Paul Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com
