Is there any Application level firewall for Ubuntu 16.04? (with GUI)












19















I must confess that I'm very new to Linux world, and there are concepts that seem very unfamiliar to me.



One thing I miss the most is a good yet simple application level firewall. As of now, with all this pervasive intrusive and permanent connectivity to the internet it is a must to know what exactly is your computer doing, why and with whom. A protocol analyzer is ok but too unfriendly and time consuming to "analyze" that is practically useless for home users.



I have discovered a lot of programs in Windows environments that should not connect to the internet but they do (and with my ZoneAlarm free firewall I can stop them).



With Gufw (and several others) you have to know which apps do you have already installed (and we know that this is almost impossible with this modern OS´s with billions of code-lines).



What I'm looking for is a firewall that monitors the NIC/WAN connection and detects any program/app or whatever trying to "talk" through it proactively, regardless the port trying to use (must of the apps I mentioned earlier try to connect using well know TCP ports: 80, 443, 8080). Does this exist? (If not, then how I know what is doing my computer for sure?)










share|improve this question




















  • 1





    Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

    – Martin Schröder
    May 22 '17 at 9:40











  • Possible duplicate: How can a non-geek set up a proper firewall?

    – Jon Bentley
    May 23 '17 at 17:22
















19















I must confess that I'm very new to Linux world, and there are concepts that seem very unfamiliar to me.



One thing I miss the most is a good yet simple application level firewall. As of now, with all this pervasive intrusive and permanent connectivity to the internet it is a must to know what exactly is your computer doing, why and with whom. A protocol analyzer is ok but too unfriendly and time consuming to "analyze" that is practically useless for home users.



I have discovered a lot of programs in Windows environments that should not connect to the internet but they do (and with my ZoneAlarm free firewall I can stop them).



With Gufw (and several others) you have to know which apps do you have already installed (and we know that this is almost impossible with this modern OS´s with billions of code-lines).



What I'm looking for is a firewall that monitors the NIC/WAN connection and detects any program/app or whatever trying to "talk" through it proactively, regardless the port trying to use (must of the apps I mentioned earlier try to connect using well know TCP ports: 80, 443, 8080). Does this exist? (If not, then how I know what is doing my computer for sure?)










share|improve this question




















  • 1





    Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

    – Martin Schröder
    May 22 '17 at 9:40











  • Possible duplicate: How can a non-geek set up a proper firewall?

    – Jon Bentley
    May 23 '17 at 17:22














19












19








19


4






I must confess that I'm very new to Linux world, and there are concepts that seem very unfamiliar to me.



One thing I miss the most is a good yet simple application level firewall. As of now, with all this pervasive intrusive and permanent connectivity to the internet it is a must to know what exactly is your computer doing, why and with whom. A protocol analyzer is ok but too unfriendly and time consuming to "analyze" that is practically useless for home users.



I have discovered a lot of programs in Windows environments that should not connect to the internet but they do (and with my ZoneAlarm free firewall I can stop them).



With Gufw (and several others) you have to know which apps do you have already installed (and we know that this is almost impossible with this modern OS´s with billions of code-lines).



What I'm looking for is a firewall that monitors the NIC/WAN connection and detects any program/app or whatever trying to "talk" through it proactively, regardless the port trying to use (must of the apps I mentioned earlier try to connect using well know TCP ports: 80, 443, 8080). Does this exist? (If not, then how I know what is doing my computer for sure?)










share|improve this question
















I must confess that I'm very new to Linux world, and there are concepts that seem very unfamiliar to me.



One thing I miss the most is a good yet simple application level firewall. As of now, with all this pervasive intrusive and permanent connectivity to the internet it is a must to know what exactly is your computer doing, why and with whom. A protocol analyzer is ok but too unfriendly and time consuming to "analyze" that is practically useless for home users.



I have discovered a lot of programs in Windows environments that should not connect to the internet but they do (and with my ZoneAlarm free firewall I can stop them).



With Gufw (and several others) you have to know which apps do you have already installed (and we know that this is almost impossible with this modern OS´s with billions of code-lines).



What I'm looking for is a firewall that monitors the NIC/WAN connection and detects any program/app or whatever trying to "talk" through it proactively, regardless the port trying to use (must of the apps I mentioned earlier try to connect using well know TCP ports: 80, 443, 8080). Does this exist? (If not, then how I know what is doing my computer for sure?)







software-recommendation firewall






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 13 '17 at 5:46









Melebius

5,05752040




5,05752040










asked May 22 '17 at 0:59









jonabrv1965jonabrv1965

9614




9614








  • 1





    Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

    – Martin Schröder
    May 22 '17 at 9:40











  • Possible duplicate: How can a non-geek set up a proper firewall?

    – Jon Bentley
    May 23 '17 at 17:22














  • 1





    Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

    – Martin Schröder
    May 22 '17 at 9:40











  • Possible duplicate: How can a non-geek set up a proper firewall?

    – Jon Bentley
    May 23 '17 at 17:22








1




1





Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

– Martin Schröder
May 22 '17 at 9:40





Just curious: Has this snake oil prevented any serious problems (like wannacry) lately?

– Martin Schröder
May 22 '17 at 9:40













Possible duplicate: How can a non-geek set up a proper firewall?

– Jon Bentley
May 23 '17 at 17:22





Possible duplicate: How can a non-geek set up a proper firewall?

– Jon Bentley
May 23 '17 at 17:22










3 Answers
3






active

oldest

votes


















12














Douane




Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.






Installation



Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.



These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.



Open a terminal (Ctrl+Alt+T) to run the commands.



Preparation



Update your system:



sudo apt update
sudo apt full-upgrade


If you get a notification asking to restart your computer, then restart it.



Install the dependencies



sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus


Create a directory for compilation



cd
mkdir Douane
cd Douane


Build the kernel module



git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms


Check if the module was built and installed correctly:



lsmod | grep douane


You should see something like:



douane                 20480  0


Build the daemon



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install


Build the dialog process



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install


Start the dialog process:



/opt/douane/bin/douane-dialog &


Then check if it is running:



pgrep -a douane-dialog


You should see something like:



21621 /opt/douane/bin/douane-dialog


Build the configurator



cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install


Start the daemon and setup automatic starting



I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:



### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO


Open the file for edit:



sudo nano /etc/init.d/douane


Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.



This is the first 21 lines of the file after I inserted the text:



#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application.
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions


Now you can set up the auto start and start the daemon:



sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane


Activate the filter and auto start the dialog



Start the configurator:



douane-configurator


Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.



You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.



Test



If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.






share|improve this answer





















  • 1





    Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

    – jonabrv1965
    May 22 '17 at 3:33






  • 1





    First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

    – jonabrv1965
    May 23 '17 at 20:56













  • Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

    – Melebius
    Sep 13 '17 at 5:50



















3














This is a really good question, but I hate questions like this because they are really hard to answer without coming off like saying security is not important.



So first, let me say that security is important, but that Linux handles it very differently then Windows does.



So lets tackle your question.



First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one. Many applications work in a client/server architecture even though you are using them on the same machine. Xorg is a great example. First you have a server (in this case the part that draws on the screen) and a client (gedit) gedit talks to the server about drawing it's buttons, placing it's text and so on. Even something as simple os a mouse has this same architecture (or could have). A program acts as a server listening for information and sending out data when it gets it, then a client "connects" to that "mouse server" and waits for information.



This is so prevalent in Linux that if you were to create a "firewall" that asked permission for every network connection then you probably wouldn't be able to configure it because it couldn't connect to it's own server.



This is all a very rough example, some of it is misleading because it is so high level. But it's still very true.



To protect us Linux users against this, we have a set of two very basic rules that do a very good "basic" job.



1st, no user except root can open any port below 1024. (again very high level). This means to even run an FTP server (on a standard port) you need to have root access. You as a user can usually open "high ports" (those above 1024). But see rule two.



2nd. no process can access any file that the user starting the process could not access. (again very high level) So if "coteyr" were to start an FTP server, then that FTP server at worse case (high level) would only have the exact same access as the user coteyr that started it.



Because of the combination of these two rules, a "software" that asks every time something tries to connect firewall just gets in the way, and there isn't a lot of demand for it.



That said you can always create an outbound firewall rule, and in many cases this is probably not a bad idea. Many services can be (and are by default) configured to use file based sockets (or memory based) and not network based sockets.



An Inbound firewall rule usually closes any odd gapes left over by rule 1 or 2.



My point is this. Security is important and I am not trying to say it's not, it's just here in Linux land we have different tools and goals. I would recommend that you look into Linux user and group permissions and then use a tool like gfw and IPTABLES to fill in any gaps.






share|improve this answer





















  • 3





    > no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

    – Bob
    May 22 '17 at 10:39








  • 1





    Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

    – Bob
    May 22 '17 at 10:47






  • 1





    First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

    – djsmiley2k
    May 22 '17 at 11:13











  • Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

    – jonabrv1965
    May 23 '17 at 20:48











  • Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

    – coteyr
    May 24 '17 at 3:16



















2














There is a new project called OpenSnitch described at



https://www.cyberciti.biz/python-tutorials/opensnitch-the-little-snitch-application-like-firewall-tool-for-linux/



The project page is https://www.opensnitch.io/



At this point it is considered alpha software, and strangely it is written in Python, but at least it is a fresh attempt, whereas Douane is a very old program that (I think) is much harder to install.



Disclaimer: I have not personally tested either program, I was just trying to find if there are any other options and noticed that no one had mentioned OpenSnitch here yet.






share|improve this answer
























  • > "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

    – Sarge Borsch
    Apr 15 '18 at 7:46













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f917575%2fis-there-any-application-level-firewall-for-ubuntu-16-04-with-gui%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









12














Douane




Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.






Installation



Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.



These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.



Open a terminal (Ctrl+Alt+T) to run the commands.



Preparation



Update your system:



sudo apt update
sudo apt full-upgrade


If you get a notification asking to restart your computer, then restart it.



Install the dependencies



sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus


Create a directory for compilation



cd
mkdir Douane
cd Douane


Build the kernel module



git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms


Check if the module was built and installed correctly:



lsmod | grep douane


You should see something like:



douane                 20480  0


Build the daemon



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install


Build the dialog process



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install


Start the dialog process:



/opt/douane/bin/douane-dialog &


Then check if it is running:



pgrep -a douane-dialog


You should see something like:



21621 /opt/douane/bin/douane-dialog


Build the configurator



cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install


Start the daemon and setup automatic starting



I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:



### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO


Open the file for edit:



sudo nano /etc/init.d/douane


Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.



This is the first 21 lines of the file after I inserted the text:



#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application.
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions


Now you can set up the auto start and start the daemon:



sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane


Activate the filter and auto start the dialog



Start the configurator:



douane-configurator


Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.



You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.



Test



If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.






share|improve this answer





















  • 1





    Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

    – jonabrv1965
    May 22 '17 at 3:33






  • 1





    First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

    – jonabrv1965
    May 23 '17 at 20:56













  • Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

    – Melebius
    Sep 13 '17 at 5:50
















12














Douane




Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.






Installation



Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.



These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.



Open a terminal (Ctrl+Alt+T) to run the commands.



Preparation



Update your system:



sudo apt update
sudo apt full-upgrade


If you get a notification asking to restart your computer, then restart it.



Install the dependencies



sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus


Create a directory for compilation



cd
mkdir Douane
cd Douane


Build the kernel module



git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms


Check if the module was built and installed correctly:



lsmod | grep douane


You should see something like:



douane                 20480  0


Build the daemon



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install


Build the dialog process



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install


Start the dialog process:



/opt/douane/bin/douane-dialog &


Then check if it is running:



pgrep -a douane-dialog


You should see something like:



21621 /opt/douane/bin/douane-dialog


Build the configurator



cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install


Start the daemon and setup automatic starting



I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:



### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO


Open the file for edit:



sudo nano /etc/init.d/douane


Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.



This is the first 21 lines of the file after I inserted the text:



#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application.
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions


Now you can set up the auto start and start the daemon:



sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane


Activate the filter and auto start the dialog



Start the configurator:



douane-configurator


Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.



You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.



Test



If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.






share|improve this answer





















  • 1





    Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

    – jonabrv1965
    May 22 '17 at 3:33






  • 1





    First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

    – jonabrv1965
    May 23 '17 at 20:56













  • Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

    – Melebius
    Sep 13 '17 at 5:50














12












12








12







Douane




Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.






Installation



Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.



These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.



Open a terminal (Ctrl+Alt+T) to run the commands.



Preparation



Update your system:



sudo apt update
sudo apt full-upgrade


If you get a notification asking to restart your computer, then restart it.



Install the dependencies



sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus


Create a directory for compilation



cd
mkdir Douane
cd Douane


Build the kernel module



git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms


Check if the module was built and installed correctly:



lsmod | grep douane


You should see something like:



douane                 20480  0


Build the daemon



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install


Build the dialog process



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install


Start the dialog process:



/opt/douane/bin/douane-dialog &


Then check if it is running:



pgrep -a douane-dialog


You should see something like:



21621 /opt/douane/bin/douane-dialog


Build the configurator



cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install


Start the daemon and setup automatic starting



I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:



### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO


Open the file for edit:



sudo nano /etc/init.d/douane


Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.



This is the first 21 lines of the file after I inserted the text:



#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application.
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions


Now you can set up the auto start and start the daemon:



sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane


Activate the filter and auto start the dialog



Start the configurator:



douane-configurator


Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.



You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.



Test



If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.






share|improve this answer















Douane




Douane is a personal firewall that protects a user's privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.






Installation



Until now (2017/05/22) there isn't Ubuntu packages available. You must build it from source.



These installation instructions are based on information from the Douane Wiki and tested on Ubuntu 16.04.2 64-bit.



Open a terminal (Ctrl+Alt+T) to run the commands.



Preparation



Update your system:



sudo apt update
sudo apt full-upgrade


If you get a notification asking to restart your computer, then restart it.



Install the dependencies



sudo apt install git build-essential dkms libboost-filesystem-dev libboost-regex-dev libboost-signals-dev policykit-1 libdbus-c++-dev libdbus-1-dev liblog4cxx10-dev libssl-dev libgtkmm-3.0-dev python3 python3-gi python3-dbus


Create a directory for compilation



cd
mkdir Douane
cd Douane


Build the kernel module



git clone https://github.com/Douane/douane-dkms
cd douane-dkms
sudo make dkms


Check if the module was built and installed correctly:



lsmod | grep douane


You should see something like:



douane                 20480  0


Build the daemon



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-daemon
cd douane-daemon
make
sudo make install


Build the dialog process



cd ~/Douane
git clone --recursive https://github.com/Douane/douane-dialog
cd douane-dialog
make
sudo make install


Start the dialog process:



/opt/douane/bin/douane-dialog &


Then check if it is running:



pgrep -a douane-dialog


You should see something like:



21621 /opt/douane/bin/douane-dialog


Build the configurator



cd ~/Douane
git clone https://github.com/Douane/douane-configurator
cd douane-configurator
sudo python3 setup.py install


Start the daemon and setup automatic starting



I had to insert the following text in the file /etc/init.d/douane in order to enable the automatic starting of the daemon:



### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO


Open the file for edit:



sudo nano /etc/init.d/douane


Then paste the above text after the program description. Press Ctrl+O,Enter to save, then Ctrl+X to exit the editor.



This is the first 21 lines of the file after I inserted the text:



#!/bin/bash
#
# douane This shell script takes care of starting and stopping
# douane daemon (A modern firewall at application layer)
#
# Author: Guillaume Hain zedtux@zedroot.org
#
# description: douane is the daemon process of the Douane firewall application.
# This firewall is limiting access to the internet on application bases.

### BEGIN INIT INFO
# Provides: douane
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Douane firewall
### END INIT INFO

# Source function library.
. /lib/lsb/init-functions


Now you can set up the auto start and start the daemon:



sudo systemctl daemon-reload
sudo systemctl enable douane
sudo systemctl start douane


Activate the filter and auto start the dialog



Start the configurator:



douane-configurator


Then make sure the switches Use Douane to filter my network traffic and Auto start Douane on boot are both turned on.



You can review the filtering rules in the Rules tab. Right clicking a rule you get an option to delete it.



Test



If everything is fine you should see the Douane window asking for permission when you open applications that uses network connections.







share|improve this answer














share|improve this answer



share|improve this answer








edited May 22 '17 at 14:19

























answered May 22 '17 at 1:12









Eric CarvalhoEric Carvalho

42.3k17115147




42.3k17115147








  • 1





    Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

    – jonabrv1965
    May 22 '17 at 3:33






  • 1





    First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

    – jonabrv1965
    May 23 '17 at 20:56













  • Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

    – Melebius
    Sep 13 '17 at 5:50














  • 1





    Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

    – jonabrv1965
    May 22 '17 at 3:33






  • 1





    First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

    – jonabrv1965
    May 23 '17 at 20:56













  • Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

    – Melebius
    Sep 13 '17 at 5:50








1




1





Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

– jonabrv1965
May 22 '17 at 3:33





Hi Eric, thank you very much for your promptly answer. As mentioned I'm quite novice with Linux. I did found this Douane thing before post my question, I took a look on the Douane site and there is no "package" for Ubuntu, only for something called "Archlinux" (I guess another distro of linux)... I also found that one can adapt this to whatever distro making a recompilation and installation manually... am I right?... nobody has this already compiled and packaged for ubuntu?

– jonabrv1965
May 22 '17 at 3:33




1




1





First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

– jonabrv1965
May 23 '17 at 20:56







First of all thank you again Eric for the support..Uhm... more than 30 steps to put up and running an app in linux... not very user friendly, isn't it?... I´m starting to see why Linux has that very low reception outside techie people... I will give it a try (mainly because I have to break apart from M$ Windoze at any cost)

– jonabrv1965
May 23 '17 at 20:56















Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

– Melebius
Sep 13 '17 at 5:50





Isn’t there a PPA to provide binaries? Google found launchpad.net/~zedtux/+archive/ubuntu/douane (but I haven’t tested it).

– Melebius
Sep 13 '17 at 5:50













3














This is a really good question, but I hate questions like this because they are really hard to answer without coming off like saying security is not important.



So first, let me say that security is important, but that Linux handles it very differently then Windows does.



So lets tackle your question.



First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one. Many applications work in a client/server architecture even though you are using them on the same machine. Xorg is a great example. First you have a server (in this case the part that draws on the screen) and a client (gedit) gedit talks to the server about drawing it's buttons, placing it's text and so on. Even something as simple os a mouse has this same architecture (or could have). A program acts as a server listening for information and sending out data when it gets it, then a client "connects" to that "mouse server" and waits for information.



This is so prevalent in Linux that if you were to create a "firewall" that asked permission for every network connection then you probably wouldn't be able to configure it because it couldn't connect to it's own server.



This is all a very rough example, some of it is misleading because it is so high level. But it's still very true.



To protect us Linux users against this, we have a set of two very basic rules that do a very good "basic" job.



1st, no user except root can open any port below 1024. (again very high level). This means to even run an FTP server (on a standard port) you need to have root access. You as a user can usually open "high ports" (those above 1024). But see rule two.



2nd. no process can access any file that the user starting the process could not access. (again very high level) So if "coteyr" were to start an FTP server, then that FTP server at worse case (high level) would only have the exact same access as the user coteyr that started it.



Because of the combination of these two rules, a "software" that asks every time something tries to connect firewall just gets in the way, and there isn't a lot of demand for it.



That said you can always create an outbound firewall rule, and in many cases this is probably not a bad idea. Many services can be (and are by default) configured to use file based sockets (or memory based) and not network based sockets.



An Inbound firewall rule usually closes any odd gapes left over by rule 1 or 2.



My point is this. Security is important and I am not trying to say it's not, it's just here in Linux land we have different tools and goals. I would recommend that you look into Linux user and group permissions and then use a tool like gfw and IPTABLES to fill in any gaps.






share|improve this answer





















  • 3





    > no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

    – Bob
    May 22 '17 at 10:39








  • 1





    Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

    – Bob
    May 22 '17 at 10:47






  • 1





    First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

    – djsmiley2k
    May 22 '17 at 11:13











  • Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

    – jonabrv1965
    May 23 '17 at 20:48











  • Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

    – coteyr
    May 24 '17 at 3:16
















3














This is a really good question, but I hate questions like this because they are really hard to answer without coming off like saying security is not important.



So first, let me say that security is important, but that Linux handles it very differently then Windows does.



So lets tackle your question.



First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one. Many applications work in a client/server architecture even though you are using them on the same machine. Xorg is a great example. First you have a server (in this case the part that draws on the screen) and a client (gedit) gedit talks to the server about drawing it's buttons, placing it's text and so on. Even something as simple os a mouse has this same architecture (or could have). A program acts as a server listening for information and sending out data when it gets it, then a client "connects" to that "mouse server" and waits for information.



This is so prevalent in Linux that if you were to create a "firewall" that asked permission for every network connection then you probably wouldn't be able to configure it because it couldn't connect to it's own server.



This is all a very rough example, some of it is misleading because it is so high level. But it's still very true.



To protect us Linux users against this, we have a set of two very basic rules that do a very good "basic" job.



1st, no user except root can open any port below 1024. (again very high level). This means to even run an FTP server (on a standard port) you need to have root access. You as a user can usually open "high ports" (those above 1024). But see rule two.



2nd. no process can access any file that the user starting the process could not access. (again very high level) So if "coteyr" were to start an FTP server, then that FTP server at worse case (high level) would only have the exact same access as the user coteyr that started it.



Because of the combination of these two rules, a "software" that asks every time something tries to connect firewall just gets in the way, and there isn't a lot of demand for it.



That said you can always create an outbound firewall rule, and in many cases this is probably not a bad idea. Many services can be (and are by default) configured to use file based sockets (or memory based) and not network based sockets.



An Inbound firewall rule usually closes any odd gapes left over by rule 1 or 2.



My point is this. Security is important and I am not trying to say it's not, it's just here in Linux land we have different tools and goals. I would recommend that you look into Linux user and group permissions and then use a tool like gfw and IPTABLES to fill in any gaps.






share|improve this answer





















  • 3





    > no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

    – Bob
    May 22 '17 at 10:39








  • 1





    Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

    – Bob
    May 22 '17 at 10:47






  • 1





    First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

    – djsmiley2k
    May 22 '17 at 11:13











  • Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

    – jonabrv1965
    May 23 '17 at 20:48











  • Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

    – coteyr
    May 24 '17 at 3:16














3












3








3







This is a really good question, but I hate questions like this because they are really hard to answer without coming off like saying security is not important.



So first, let me say that security is important, but that Linux handles it very differently then Windows does.



So lets tackle your question.



First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one. Many applications work in a client/server architecture even though you are using them on the same machine. Xorg is a great example. First you have a server (in this case the part that draws on the screen) and a client (gedit) gedit talks to the server about drawing it's buttons, placing it's text and so on. Even something as simple os a mouse has this same architecture (or could have). A program acts as a server listening for information and sending out data when it gets it, then a client "connects" to that "mouse server" and waits for information.



This is so prevalent in Linux that if you were to create a "firewall" that asked permission for every network connection then you probably wouldn't be able to configure it because it couldn't connect to it's own server.



This is all a very rough example, some of it is misleading because it is so high level. But it's still very true.



To protect us Linux users against this, we have a set of two very basic rules that do a very good "basic" job.



1st, no user except root can open any port below 1024. (again very high level). This means to even run an FTP server (on a standard port) you need to have root access. You as a user can usually open "high ports" (those above 1024). But see rule two.



2nd. no process can access any file that the user starting the process could not access. (again very high level) So if "coteyr" were to start an FTP server, then that FTP server at worse case (high level) would only have the exact same access as the user coteyr that started it.



Because of the combination of these two rules, a "software" that asks every time something tries to connect firewall just gets in the way, and there isn't a lot of demand for it.



That said you can always create an outbound firewall rule, and in many cases this is probably not a bad idea. Many services can be (and are by default) configured to use file based sockets (or memory based) and not network based sockets.



An Inbound firewall rule usually closes any odd gapes left over by rule 1 or 2.



My point is this. Security is important and I am not trying to say it's not, it's just here in Linux land we have different tools and goals. I would recommend that you look into Linux user and group permissions and then use a tool like gfw and IPTABLES to fill in any gaps.






share|improve this answer















This is a really good question, but I hate questions like this because they are really hard to answer without coming off like saying security is not important.



So first, let me say that security is important, but that Linux handles it very differently then Windows does.



So lets tackle your question.



First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one. Many applications work in a client/server architecture even though you are using them on the same machine. Xorg is a great example. First you have a server (in this case the part that draws on the screen) and a client (gedit) gedit talks to the server about drawing it's buttons, placing it's text and so on. Even something as simple os a mouse has this same architecture (or could have). A program acts as a server listening for information and sending out data when it gets it, then a client "connects" to that "mouse server" and waits for information.



This is so prevalent in Linux that if you were to create a "firewall" that asked permission for every network connection then you probably wouldn't be able to configure it because it couldn't connect to it's own server.



This is all a very rough example, some of it is misleading because it is so high level. But it's still very true.



To protect us Linux users against this, we have a set of two very basic rules that do a very good "basic" job.



1st, no user except root can open any port below 1024. (again very high level). This means to even run an FTP server (on a standard port) you need to have root access. You as a user can usually open "high ports" (those above 1024). But see rule two.



2nd. no process can access any file that the user starting the process could not access. (again very high level) So if "coteyr" were to start an FTP server, then that FTP server at worse case (high level) would only have the exact same access as the user coteyr that started it.



Because of the combination of these two rules, a "software" that asks every time something tries to connect firewall just gets in the way, and there isn't a lot of demand for it.



That said you can always create an outbound firewall rule, and in many cases this is probably not a bad idea. Many services can be (and are by default) configured to use file based sockets (or memory based) and not network based sockets.



An Inbound firewall rule usually closes any odd gapes left over by rule 1 or 2.



My point is this. Security is important and I am not trying to say it's not, it's just here in Linux land we have different tools and goals. I would recommend that you look into Linux user and group permissions and then use a tool like gfw and IPTABLES to fill in any gaps.







share|improve this answer














share|improve this answer



share|improve this answer








edited May 22 '17 at 12:31









Honza Remeš

1032




1032










answered May 22 '17 at 4:27









coteyrcoteyr

12.6k52449




12.6k52449








  • 3





    > no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

    – Bob
    May 22 '17 at 10:39








  • 1





    Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

    – Bob
    May 22 '17 at 10:47






  • 1





    First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

    – djsmiley2k
    May 22 '17 at 11:13











  • Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

    – jonabrv1965
    May 23 '17 at 20:48











  • Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

    – coteyr
    May 24 '17 at 3:16














  • 3





    > no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

    – Bob
    May 22 '17 at 10:39








  • 1





    Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

    – Bob
    May 22 '17 at 10:47






  • 1





    First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

    – djsmiley2k
    May 22 '17 at 11:13











  • Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

    – jonabrv1965
    May 23 '17 at 20:48











  • Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

    – coteyr
    May 24 '17 at 3:16








3




3





> no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

– Bob
May 22 '17 at 10:39







> no process can access any file that the user starting the process could not access — which is no different from Windows, as you seem to be implying. That's not an OS difference. Honestly, though, if you just allowed all loopback connections then such a firewall would not interfere with any TCP client/server applications on the same machine — it's perfectly possible to set one up that only controls network access. (Also. Unless you're running Windows 9x, Windows ACLs are, if anything, more powerful than traditional Unix permissions. Which again has little to do with restricting network.)

– Bob
May 22 '17 at 10:39






1




1





Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

– Bob
May 22 '17 at 10:47





Actually, reading the answer again... I'm not sure how not being able to use well-known ports is relevant either - that's only useful to prevent masking of system services (e.g. pretending to be sshd on 22), but the question seems to be asking more about data exfiltration. Which are almost entirely outgoing connections and have little to do with which ports you're allowed to bind to.

– Bob
May 22 '17 at 10:47




1




1





First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

– djsmiley2k
May 22 '17 at 11:13





First there is not going to be a outgoing firewall that works in the same way as zone alarm. Linux simply doesn't have a large need for one - IP tables will control outgoing just as well as in coming, please don't say stuff you don't actually know.

– djsmiley2k
May 22 '17 at 11:13













Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

– jonabrv1965
May 23 '17 at 20:48





Hi Honza, during my "homework" tour I saw several times answers like yours. And I somewhat understand it, but... and is a big "but"... is not what I'm looking for... I do understand the port, low exposure (due to the low widespread of the platform) and all the other concepts you mentioned... but what I´m looking for is to understand in a easy way (e.g. zonealarm) what is my computer doing outside the computer itself.. (is Xorg/gedit, to follow your example, in need to go to internet to do anything? if so I want/need to know why/when/where...

– jonabrv1965
May 23 '17 at 20:48













Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

– coteyr
May 24 '17 at 3:16





Then your going to dig a bit deeper. try netstat Right now my box has 1354 open connections. 65 of those are network connections. That's quite a low number for me (not saying it is for everyone) but then you would start trying to find out what each one of those connections does. Like I said, it's not that security is not important, it's just a very different environment.

– coteyr
May 24 '17 at 3:16











2














There is a new project called OpenSnitch described at



https://www.cyberciti.biz/python-tutorials/opensnitch-the-little-snitch-application-like-firewall-tool-for-linux/



The project page is https://www.opensnitch.io/



At this point it is considered alpha software, and strangely it is written in Python, but at least it is a fresh attempt, whereas Douane is a very old program that (I think) is much harder to install.



Disclaimer: I have not personally tested either program, I was just trying to find if there are any other options and noticed that no one had mentioned OpenSnitch here yet.






share|improve this answer
























  • > "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

    – Sarge Borsch
    Apr 15 '18 at 7:46


















2














There is a new project called OpenSnitch described at



https://www.cyberciti.biz/python-tutorials/opensnitch-the-little-snitch-application-like-firewall-tool-for-linux/



The project page is https://www.opensnitch.io/



At this point it is considered alpha software, and strangely it is written in Python, but at least it is a fresh attempt, whereas Douane is a very old program that (I think) is much harder to install.



Disclaimer: I have not personally tested either program, I was just trying to find if there are any other options and noticed that no one had mentioned OpenSnitch here yet.






share|improve this answer
























  • > "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

    – Sarge Borsch
    Apr 15 '18 at 7:46
















2












2








2







There is a new project called OpenSnitch described at



https://www.cyberciti.biz/python-tutorials/opensnitch-the-little-snitch-application-like-firewall-tool-for-linux/



The project page is https://www.opensnitch.io/



At this point it is considered alpha software, and strangely it is written in Python, but at least it is a fresh attempt, whereas Douane is a very old program that (I think) is much harder to install.



Disclaimer: I have not personally tested either program, I was just trying to find if there are any other options and noticed that no one had mentioned OpenSnitch here yet.






share|improve this answer













There is a new project called OpenSnitch described at



https://www.cyberciti.biz/python-tutorials/opensnitch-the-little-snitch-application-like-firewall-tool-for-linux/



The project page is https://www.opensnitch.io/



At this point it is considered alpha software, and strangely it is written in Python, but at least it is a fresh attempt, whereas Douane is a very old program that (I think) is much harder to install.



Disclaimer: I have not personally tested either program, I was just trying to find if there are any other options and noticed that no one had mentioned OpenSnitch here yet.







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 13 '17 at 5:36









user736189user736189

211




211













  • > "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

    – Sarge Borsch
    Apr 15 '18 at 7:46





















  • > "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

    – Sarge Borsch
    Apr 15 '18 at 7:46



















> "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

– Sarge Borsch
Apr 15 '18 at 7:46







> "strangely it is written in Python" — no it's not strangely, it's actually a very good idea to use a high level language for everything except the "hot" parts to save time and to make less mistakes.

– Sarge Borsch
Apr 15 '18 at 7:46




















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f917575%2fis-there-any-application-level-firewall-for-ubuntu-16-04-with-gui%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Category:香港粉麵

List *all* the tuples!

Channel [V]