could you add this feature or discuss it at 13.04 Developer Summit?

Brian labishi bni1984 at live.com
Fri Oct 19 17:59:28 UTC 2012


Hi.

I am asking for the ability to log the internet connections that "applications" on my machine make. Currently, Ubuntu has a default "firewall log." This log shows ports, protocols, etc of internet connections. But it doesn't show what "application" generated the log report. For example, if I use the existing firewall to block all outgoing connections and then start Firefox, the log will report a bunch of blocked connections for TCP ports 80 and 443 but say nothing about the fact that Firefox is the application that was blocked.


application-firewall:
I do like having control over an application's ability to connect to the internet. For example, currently if I open port 80, any app can theoretically connect to the internet if using port 80. I would like the ability to open port 80 for only Firefox. But this is not what I started this discussion about. Perhaps it is impossible to record what app is causing the log without the development of an application-firewall. This I don't know as I am not knowledgeable enough. But this is why I bring this topic up so it can be discussed. An application-firewall would be nice to have on Ubuntu, but this is not what I started this topic about.


counter-arguments to your enumerated negatives of an application-firewall:
I started this about the LOG being able to record the application of origin for the already existing ubuntu-firewall-log. But I don't mind discussing the ideas of firewall because I am speaking to firewall-LOG capabilities.

1) I am not asking that the LOG show the application that generated a log-report because I suspect the application of behaving badly. I just want to know what the application is doing internet wise. Some applications connect more than others by design. Say two different applications both do the same thing--play videos (say Windows Media Player and VLC). Yet if you watch internet connectivity of the two applications on a Windows machine via a Comodo LOG report, you notice Windows Media Player connects to the internet a lot more than VLC. This doesn't mean Windows Media Player is doing anything sneaky necessarily, it just connects more for whatever reason. I like to know this. I think other users like to know this about their apps as well. A LOG that records the app making the connection helps non-tech users like myself (who don't know how to read source code) still know these things about the operation of their computer. So whether the app is malware or legitware, it doesn't matter. I still want to be able to LOG what it's doing so I know how it behaves. Now Netstat shows this information great. But the problem is that NETSTAT does not show when an application is blocked and I also can't stare at Netstat the whole time I'm using the computer. So without a LOG I will miss ephemeral connection attempts as well as not have knowledge of what ports the firewall is currently blocking that I may need to open (e.g., a firewall-log can help me decide whether I need to open ports 80 & 443 for Firefox or whether I need to open ports 80, 443, & 8080).

This is the most important sentence in this email so I will repeat it in the hopes that it is not overlooked: Netstat shows this information great. But the problem is that NETSTAT does not show when an application is blocked and I also can't stare at Netstat the whole time I'm using the computer. So without a LOG I will miss ephemeral connection attempts as well as not have knowledge of what ports the firewall is currently blocking that I may need to open (e.g., a firewall-log can help me decide whether I need to open ports 80 & 443 for Firefox or whether I need to open ports 80, 443, & 8080).


3) Firewall popups. Let me first say that the currently existing ubuntu-firewall has no popups. An application-firewall does not have to have popups.

a. When I used Windows with the Comodo Firewall, I never had popups once I configured the firewall how I wanted. I don't like popups either. I agree that people just click YES and defeat security. But remember this is unimportant to me because I am seeking knowledge of application behavior, not necessarily trying to control an application's behavior. Application-firewalls can be made without using popups:

b. Take the existing ubuntu-firewall as an example. It has no popups. If it were to gain application-level filtering and nothing more, it would be an application-firewall without popups. Let's pretend that the ubuntu-firewall is an application-firewall. The user who knows enough configures the firewall how he wants. He looks at his firewall-log to learn the behavior of his applications. He notices that application A needs certain ports opened and application B needs these other ports opened. In other words, the firewall just follows the preset rules and doesn't prompt the user for anything. It blocks what it's told to block and allows what isn't blocked--the same way the firewall presently works on Ubuntu--EXCEPT it also allows configuration of rules at the application level.

Do you see my point? You can have an application-firewall that doesn't have popups. Just add application-level filtering to the currently existing ubuntu-firewall.


All good points, Nicholas. Hopefully my email has helped clarify the issue better? I really appreciate your emails as they are all good points and great discussion. Hopefully others can see the value in the firewall-LOG being able to report the application that generates the log report?




Date: Wed, 17 Oct 2012 08:23:18 +0200
Subject: Re: could you add this feature or discuss it at 13.04 Developer Summit?
From: be.nicolas.michel at gmail.com
To: mathieu-tl at ubuntu.com
CC: bni1984 at live.com; ubuntu-devel-discuss at lists.ubuntu.com

I think what Brian wants (correct me if not) is an application level firewall. On Windows most antivirus products do it: you get a popup when an application tries to access something you didn't already allow it to. I think what should be done is an AppArmor graphical frontend (with notifications). Some others have already raised the idea on the net:
http://superuser.com/questions/271584/how-can-i-restrict-applications-on-having-internet-access
Here are the rules to set with AppArmor:
http://wiki.apparmor.net/index.php/ProfileLanguage#Network_rules
More on AppArmor:
http://www.ubuntugeek.com/detailed-tutorial-about-apparmor-for-ubuntu-users.html
But honestly, Linux is not Windows, Brian. Every application is open-source (except if you installed a proprietary app from the net). It means from a security point of view that everyone can read the source code (if he has the skill) and see what the application does exactly.
This is not the case for the big majority of applications on Windows. You just can't see the source code and don't really know what behavior they will have. So it works on blind trust like: "it is an Adobe app so it should be OK". Sometimes applications are not coming from a trusted or a well-known developer. So these application level firewalls are there to be sure that apps won't access things you don't want them to.
In consequence, all applications that you install from the Ubuntu Software Center are considered "safe" by the distribution maintainers because they or other members of the open-source community already reviewed the source code. This is why you should always prefer installing apps from the Ubuntu Software Center rather than from the net directly, except if you know what you're doing.

In addition I also have to mention that on Linux, all applications installed from the software center are updated on system updates and so their security flaws are quickly patched. On Windows this is not the case: except for some Microsoft apps like Microsoft Office, applications are only up-to-date when you update them manually.

Other argument against the application level firewall with popups: giving the user the possibility to easily configure the security of his computer is only useful when the user knows what he's really doing and all the consequences. Most people will click "yes" on every popup that appears without asking themselves the consequences of that click.

Final argument against: I hate popups :)
That said, Linux is also well-known for its freedom of choice. So if you feel the need to control the network transactions of your applications with a pretty graphical interface, do it (you or some others that may be interested in the project). It doesn't need to be discussed at UDS, like Mathieu said, since it's a place to discuss big trends of the next version of Ubuntu but not where to discuss any new open-source project ;)

Regards,
Nicolas

2012/10/17 Mathieu Trudel-Lapierre <mathieu-tl at ubuntu.com>

On Mon, Oct 15, 2012 at 1:25 PM, Brian labishi <bni1984 at live.com> wrote:

> Hi. I'm new to Ubuntu and like it very much. Overall I like Ubuntu better
> than what I used to use, Windows. But one thing that I really miss from
> Windows is the ability to know what applications and services are connecting
> to the internet. In Windows I could log this kind of information. But I've
> asked some very knowledgeable computer people for help with Ubuntu and I'm
> told this can't be done on ubuntu.
>
> I was hoping that Ubuntu developers might address this shortcoming at the
> summit? I was told this is where these kind of things are discussed.

You're suggesting a very interesting project, yet one that is likely
to depend on a fair amount of new development.

Do we have other instances of this being asked by people, such as on
Ubuntu Brainstorm (I'll look too)? It would be important to know,
before committing time to work on such a thing, how important it's
perceived to be by our users.

Keeping in mind that there can be a very large number of connections
happening on a machine at any point in time, what kind of information
are you looking for? Is it to see everything that attempts to make a
connection or just what gets blocked by a firewall? Do you want to see
notifications on the desktop or are you looking for this at the server
level?

All the above are information that would be best to flesh out a bit in
advance before starting discussion just so that work items could be
derived from the resulting discussion.

Obviously, you don't *need* to discuss a project like this at UDS.
Perhaps it's just something people can start working on as a project,
and ask for specific things needed in Ubuntu to support using such an
application/service.

Kind regards,

Mathieu Trudel-Lapierre <mathieu-tl at ubuntu.com>
Freenode: cyphermox, Jabber: mathieu.tl at gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E  FF82 C126 33E1 EE01 8C93






--
Nicolas MICHEL
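Brian's request (a firewall log that names the application behind each blocked connection) and Nicolas's pointer to AppArmor network rules meet in the AppArmor audit log: every denied socket creation is logged with the confined program's profile path and command name. The script below is an added example, not code from this thread; it summarises such denials per application from constructed sample audit lines. AppArmor's network denials do not record the remote port, so this complements rather than replaces the existing iptables/ufw log.

```python
"""Summarise AppArmor network denials per application.

Added example, not code from the mailing-list thread. It assumes the
audit-line format the kernel emits for AppArmor network mediation; the
sample lines below are constructed, not captured from a real machine.
"""
import re
from collections import defaultdict

# key=value and key="quoted value" pairs as they appear in audit lines
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
PROTO_NAMES = {"6": "tcp", "17": "udp"}

def parse_audit_line(line):
    """Return the fields of an AppArmor network denial, or None otherwise."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in _KV.finditer(line)}
    # File denials carry name=..., network denials carry family=...
    if fields.get("apparmor") != "DENIED" or "family" not in fields:
        return None
    return fields

def summarise(lines):
    """Map (profile, comm) -> {"family/proto": count of denied socket creations}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_audit_line(line)
        if f is None:
            continue
        proto = PROTO_NAMES.get(f.get("protocol", ""), f.get("protocol", "?"))
        report[(f.get("profile", "?"), f.get("comm", "?"))][f"{f['family']}/{proto}"] += 1
    return {app: dict(counts) for app, counts in report.items()}

# Constructed sample lines (timestamps and pids made up): firefox denied
# twice over IPv4 and once over IPv6, vlc denied once over UDP, plus a
# file denial and a complain-mode ALLOWED line that must both be skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1350648000.101:301): apparmor="DENIED" operation="create" profile="/usr/lib/firefox/firefox.sh" pid=2410 comm="firefox" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1350648000.102:302): apparmor="DENIED" operation="create" profile="/usr/lib/firefox/firefox.sh" pid=2410 comm="firefox" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1350648000.150:303): apparmor="DENIED" operation="create" profile="/usr/lib/firefox/firefox.sh" pid=2410 comm="firefox" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1350648000.250:304): apparmor="DENIED" operation="create" profile="/usr/bin/vlc" pid=2588 comm="vlc" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1350648000.300:305): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" pid=2588 comm="vlc" name="/etc/shadow" requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1350648000.400:306): apparmor="ALLOWED" operation="create" profile="/usr/bin/vlc" pid=2588 comm="vlc" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
]

if __name__ == "__main__":
    for (profile, comm), counts in summarise(SAMPLE_LOG).items():
        print(f"{comm:10s} {profile:30s} {counts}")
```

On a real system the same lines are read from /var/log/kern.log or /var/log/audit/log with auditd, and the per-application counts tell you which confined program needs a network rule added to its profile.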