Is there any Linux firewall like ZoneAlarm, Keiro or Comodo in Windows environment?

2

2

Is there any Linux firewall like ZoneAlarm, Keiro or Comodo in Windows environment?

I'd like to be able to monitor and block any Linux program from making in/out TCP/UDP connections on a per-application basis.

netfilter, ipfilter can only handle it on system level.

More details on my ideal "Big Brother" Security Monitor.

I like to setup the following security policy:

Only Apache is allowed to accept connections from everything. 

MySQL can accept connections from only a select few IPs.

If any other application tries to accept / make any connections, 
    log it and flag it for analysis.  
       Log the time, app name, user, to where, amount of traffic xfer, 
       trigger a script to do a stack dump, strace on the pid, etc.

 X GUI config is nice, but I am not a GUI person. 
 Prefer web or XML-based configuration and logging for ease of analysis.

 Should be able to track app even if the user is root. 

 Track app based on name/path 
     Validate the app's size, date, first and last 32 bytes value 
     (Optionally, md5/sha sig of the whole app.) 

tony-p-lee

Posted 2009-12-04T07:51:43.230

Reputation: 591

Question was closed 2014-05-15T10:38:53.313

At least some of what you describe can be handled by AppArmor. SELinux may also be worth looking into. I don't know enough to say much more than this, though. BTW - somehow this comment got added to an answer rather than the question earlier - sorry about that. – Steve314 – 2010-11-19T21:10:59.157

Any particular distro you're using? – invert – 2009-12-04T08:46:54.740

I am using both FC 8 - 11 and Ubuntu 9.4 - 9.10. – tony-p-lee – 2009-12-04T14:56:26.680

Answers

1

Are you looking for something like the Linux-Firewall app?
I think iptables can do these things and most tools are wrappers over them.

nik

Posted 2009-12-04T07:51:43.230

Reputation: 50 788

This app is closed source. Not an option for security software on Linux. – Denis Nikolaenko – 2011-09-05T19:45:14.067

1

Well, there is the owner match:

   owner
   This module attempts to match various characteristics of the packet creator, for locally-generated packets. 

   --uid-owner userid
          Matches if the packet was created by a process with the given effective user id.

   --gid-owner groupid
          Matches if the packet was created by a process with the given effective group id.

   --pid-owner processid
          Matches if the packet was created by a process with the given process id.

   --sid-owner sessionid
          Matches if the packet was created by a process in the given session group.

   --cmd-owner name
          Matches if the packet was created by a process with the given command name. (this option is present only if
          iptables was compiled under a kernel supporting this feature)

This may not be as mighty as the Windows counterpart. But I am not a friend of per application/process firewall rules. That's something Windows needs ;)

Flow

Posted 2009-12-04T07:51:43.230

Reputation: 997

Too many apps (even the open source apps) are phoning their owner's website today. I'd like to know when and why they are doing it. netstat -anp tells me someone is doing it. I'd like to know how to block them easily. – tony-p-lee – 2009-12-04T08:51:54.263

I see what you mean. But IMHO this won't be easy to implement under Linux, because you need a strong UI (e.g. Desktop) and system interaction. That's one of the advantages of Windows, as it all comes from a single source. – Flow – 2009-12-04T09:08:39.317
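The policy from the question, expressed with the `--uid-owner` option quoted in the answer above, as an added example that is not part of the original thread. It assumes every service runs under its own account, because the owner match identifies a user rather than a binary; the account name `updates`, the ports and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset;
# it only prints rules and never changes the running firewall.

# gen_rules "<MySQL client IPs>" "<users allowed to open outbound connections>"
gen_rules() {
    mysql_clients=$1
    outbound_users=$2

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound packets carry no owner information, so services are matched by port.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for ip in $mysql_clients; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-in-denied: "
# Replies are accepted by connection state, not by owner: some locally
# generated packets have no owner and would never match an owner rule.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # The owner match applies only to locally generated packets (OUTPUT chain).
    for user in $outbound_users; do
        printf '%s\n' "-A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $user -j ACCEPT"
    done
    # Any other new outbound connection is logged with the sender's uid and
    # then dropped by the chain policy.
    cat <<'EOF'
-A OUTPUT -m limit --limit 10/min -j LOG --log-uid --log-prefix "fw-out-denied: "
COMMIT
EOF
}

# Constructed sample input: two MySQL clients, one account allowed outbound.
gen_rules "192.0.2.10 192.0.2.11" "updates"
```

Check the generated ruleset with `iptables-restore --test` before loading it. The log lines identify the user, not the program path, so validating the binary itself still needs something like the AppArmor or SELinux policies mentioned in the comments.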

0

Have a look at Uncomplicated Fire Wall, which is a GUI for IPTables.

Edit: Read here for more technical details on IPTables.

invert

Posted 2009-12-04T07:51:43.230

Reputation: 4 918

It does not have per process control. – Denis Nikolaenko – 2011-09-05T19:45:47.980

Perhaps for such fine grained control, see here: http://stackoverflow.com/q/4314163/114147 – invert – 2011-09-12T18:49:50.813