Per-program firewall for Linux similar to the Windows and Mac counterparts
- Is it possible to create a GUI firewall that works like the Windows and Mac counterparts? On a per-program basis, with a popup notification window when a specific program wants to send/receive data over the network.
- If no, then why? What does the Linux kernel lack to allow the existence of such programs?
- If yes, then why isn't there such a program?
P.S. This is a programming question, not a user one.
It is possible, there are no restrictions and at least one such application exists.
I would like to clarify a couple of points though.
If I understood this article correctly, the firewalls mentioned here so far, and iptables, which this question is tagged under, are packet filters and accept or drop packets depending mostly on the IP addresses and ports they come from or are sent to.
What you describe looks more like mandatory access control to me. There are several utilities for that purpose in Linux - selinux, apparmor, tomoyo.
If I had to implement the graphical utility you describe, I would pick, for example, AppArmor, which supports whitelists and, to some extent, dynamic profiling, and try to make a GUI for it.
OpenSUSE's YaST features a graphical interface for apparmor setup and 'learning', but it is specific to the distribution.
So Linux users and administrators have several ways to control network (and file) access on a per-application basis.
Why the graphical frontends for MAC are so few is another question. Probably it's because Linux desktop users tend to trust software they install from repositories and have less reasons to control them this way (if an application is freely distributed, it has less reasons to call home and packages are normally reviewed before they get to repositories) while administrators and power users are fine with command line.
As desktop Linux gets more popular and people install more software from AUR or PPA or even from gnome-look.org where packages and scripts are not reviewed that accurately (if at all) a demand for such type of software (user-friendly, simple to configure MAC) might grow.
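As an added example (not from the answer above or from the AppArmor project), a constructed AppArmor profile for a hypothetical program /usr/local/bin/example-client that expresses the per-application network whitelist the answer describes: only TCP sockets are permitted, other socket families are refused, and each refusal is logged so it can be seen (or turned into a notification) rather than silently dropped.

```apparmor
# Constructed profile for the hypothetical /usr/local/bin/example-client.
# Saved as /etc/apparmor.d/usr.local.bin.example-client and loaded with:
#   apparmor_parser -r /etc/apparmor.d/usr.local.bin.example-client
#include <tunables/global>

/usr/local/bin/example-client {
  # Shared libraries, locale data, /proc basics etc.; grants no network access.
  #include <abstractions/base>

  # Files this program legitimately needs (constructed paths).
  /usr/local/bin/example-client mr,
  /etc/example-client/** r,
  owner @{HOME}/.config/example-client/** rw,

  # Whitelist: TCP over IPv4 and IPv6 is all this client is expected to use.
  network inet stream,
  network inet6 stream,

  # Explicitly refuse UDP and raw sockets; "audit" makes every refused attempt
  # appear in the kernel/audit log as apparmor="DENIED" operation="create"
  # family="inet" sock_type="dgram" ... so the event is visible to the user.
  # Note: a bare "deny network," would override the allow rules above,
  # because deny rules win over allow rules in AppArmor.
  audit deny network inet dgram,
  audit deny network inet raw,

  # Anything not listed at all (netlink, packet, unix sockets, ...) is also
  # refused, and such implicit denials are logged by default.
}
```

Loading the profile in complain mode (aa-complain) and then running aa-logprof over the logged events is the command-line form of the 'learning' workflow the answer mentions, and aa-notify from the AppArmor user-space tools can show a desktop notification for each logged denial.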
To answer your 3rd point.
There is such a program, which provides zenity popups; it is called Leopard Flower:
http://sourceforge.net/projects/leopardflower
I reached that question as I am currently trying to migrate from a Mac to Linux. There are a lot of applications I run on my Mac and on my Linux PC. Some of them I trust fully. But others I am not fully trusting. If they are installed from a source that checks them or not, do I have to trust them because someone else did? No, I am old enough to choose myself.
In times where privacy is getting more and more complicated to achieve, and distributions exist that show that we should not trust everyone, I like to be in control of what my applications do. This control might not end at the connection to the network/Internet, but it is what this question (and mine) is about.
I have used LittleSnitch for MacOSX in the past years and I was surprised how often an application likes to access the internet without me even noticing. To check for updates, to call home, ...
Now that I would like to switch to Linux, I tried to find the same thing, as I want to be in control of what leaves my PC.
During my research I found a lot of questions about that topic. This one, in my opinion, best describes what it is about. The question for me is the same. I want to know when an application tries to send or receive information over the network/internet.
Solutions like SELinux and AppArmor might be able to allow or deny such connections. Configuring them means a lot of manual configuration and does not inform when a new application tries to connect somewhere. You have to know which application you want to deny access to the network.
The existence of Douane (How to control internet access for each program? and DouaneApp.com) shows that there is a need for an easy solution. There is even a distribution which seems to have such a feature included. I am not sure what Subgraph OS (subgraph.com) is using, but they state something like this on their website. It reads exactly like the initial question: "The Subgraph OS application firewall allows a user to control which applications can initiate outgoing connections. When an unknown application attempts to make an outgoing connection, the user will be prompted to allow or deny the connection on a temporary or permanent basis. This helps prevent malicious applications from phoning home."
As it seems to me, there are only two options at the moment. One is to compile Douane manually myself, or two, to switch distribution to Subgraph OS. As one of the answers states, everything is possible - so I am surprised there is no other solution. Or is there?