Re: Firewall confusion



On Monday 28 Dec 2009 10:39, while playing with a tin of spray paint,
Stephen Horne painted this mural:

On Mon, 28 Dec 2009 10:06:39 +0100, houghi <houghi@xxxxxxxxxxxxxxxxxx>
wrote:

Stephen Horne wrote:

The scenario I have in mind is a trojan. I download it, mess around
with it within a user account, and don't realise that it has (e.g.)
scanned the files in my user account, spotted some passwords/bank
details/personal info, and phoned home.

Why would you be messing around with a trojan under your own user
account? If you're that concerned, set up a separate user account and
use it either for messing about with programs of unknown provenance,
or use it for your banking stuff. If you really want to go one step
further, encrypt the home for that user.

Well, it can also just maill home and thus use the programs where you
already have opend the ports for. It could use firefox or whatever

And these are also things that it shouldn't be allowed to do without
my explicit permission.

How would cron be able to ask you for permission to send you a mail
detailing the results of a job it's just run?

Sure you can play arround and even have a user account, but do it with
moderation and limitation. e.g. see that that user does not have access
to the outside world. Wether sandboxing is enough or using a virtual
manager (or both) I am not sure.

Finally, we are getting somewhere ;-)

Right - so are you saying that it's possible to set up a "sandbox"
user account with no internet access allowed?

Yes, but you won't be able to do so without using iptables directly.
All it takes is adding a rule that DROPS packets from a specific UID or
GID. You could easily stop all users from accessing the net. It would
probably make things quite unusable for them, since you'd need to
prevent access to localhost as well, or they could use the mail server
to send mail without asking your permission.

While it's pretty old, this should give you an idea of how to do that:

http://www.linuxjournal.com/article/6091

I would say that a virtual manager with no network is the most safe
enviroment in your case as well as the easiest to do.

Maybe, but on my less than awe inspiring machine, I want to limit the
number of layers of virtualisation if possible.

I've run Parallels on an old Athlon, 1.2GHz with either 512 or 768MB
IIRC, and it was pretty usable. It was slower than running the OS
directly on the hardware, but not that much slower. I also used VMware,
which was a faster on the same hardware, and that made it feel it was
running at about the same speed it would have been if it was running
directly on the hardware. Now I use Virtualbox, mostly on this X2
5200+ machine, and there doesn't seem to be any noticeable slowdown
even when the system is under load.


Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
.