[Pan-users] Re: OT: freedomware vs... Was: Building Pan on Windows?


From: Duncan
Subject: [Pan-users] Re: OT: freedomware vs... Was: Building Pan on Windows?
Date: Mon, 8 Mar 2010 00:39:49 +0000 (UTC)
User-agent: Pan/0.133 (House of Butterflies)

Rob posted on Sat, 06 Mar 2010 21:31:15 -0500 as excerpted:

> On Saturday 06 March 2010 02:23 pm, Joe Zeff wrote:
>> I used ZA back before I switched to Linux only, and I have nothing but
>> praise for it.  The interesting thing is, not one of those programs
>> failed to run properly without Internet access.

FWIW, ZA Pro was I believe the last MSWormOS software I actually paid for, 
before switching to Linux full-time.  At the time, I was already planning 
to eventually switch to Linux, was pre-checking all hardware upgrades for 
Linux drivers (as I mentioned earlier, I unfortunately didn't grok the 
difference between "Linux drivers" and "freedomware Linux drivers" at the 
time, or I'd have never purchased that last nVidia card), and had 
basically stopped purchasing MSWormOS based software, but I decided ZA Pro 
was worth it for my needs, and it's a decision I don't regret. =:^)

> I actually really wish there was a ZoneAlarm, meaning a firewall that'll
> actually pop up interactive alerts when programs try to hit the Internet
> and allow me to confirm or deny them and set up white- and blacklists,
> for Linux.  Not only for keeping proprietary Linux software honest, but
> also for when I need to try something out under Wine (maybe ZoneAlarm
> itself would run under Wine, but I'm not optimistic).

With the kernel based IPTables/Netfilter, it's possible to do; you'd just 
need an appropriate front-end.  There's quite a few firewall front-ends to 
netfilter, and even more distributions designed to run it as a core piece 
of a hardware firewall appliance/machine solution, but I don't know of any 
with that level of X-based interactivity.

Using netfilter/iptables, it's actually almost trivial to set up an 
incoming stateful firewall similar in firewall functionality to a NAPT 
based hardware router (with automatically allowed replies to outgoing), 
and to open port specific holes in it again similar to such a router.  One 
could set up an outgoing firewall as well using the same netfilter/iptables 
core, similar to what the various Zone Alarm like apps do on MSWormOS, but 
tracking and managing the allowed apps and setting up a system to remember 
them for more than just a single session isn't anything like as trivial as 
setting up that incoming stateful firewall, command-wise.  Setting up 
logging, and blocking individual apps based on the logs (thus black-list 
based, rather than white-list), would be rather easier, and indeed is done 
relatively routinely by various Linux sysadmins I'm sure, but that's not 
the same as a white-list based system with a memory of what's allowed 
beyond the current session, and /that/ isn't the same as designing and 
coding a nice GUI to go with it, similar to what ZA does.

But I wonder... surely someone's thought of it and at least has made a 
start at it??  Maybe one day I'll decide it's worth checking out 
freshmeat, etc, and/or googling, to see.  I believe it should be simple 
enough that in theory, even a bash and kdialog/zenity/xdialog scripter 
like me should be able to set it up, including the GUI, no "exotic" C/C++ 
or even "stronger scripting language" like python/perl/tcl/tk necessary 
(tho it'd arguably be easier, better GUI, and faster responding on slow 
hardware, than bash/?dialog, for those that know other languages).

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
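
The setup described in this message, as an added example that is not part of the original post: an inbound stateful firewall with one port-specific hole, plus a default-deny outbound policy driven by an allowlist file that persists across sessions, with denied attempts logged. The function names, the allowlist file, the default port 22 and the "OUT-DENY " prefix are assumptions; because the iptables owner match selects by user or group ID rather than by program, it also assumes each program to be restricted runs under its own account.

```shell
# Added example: prints an iptables-restore ruleset; it never touches the
# live firewall. Names, the allowlist file and the defaults are assumptions.

# Remember an "allow" decision across sessions: append UID once to FILE.
remember_uid() (            # usage: remember_uid FILE UID
    file=$1 uid=$2
    case $uid in ''|*[!0-9]*) exit 1 ;; esac    # numeric UIDs only
    touch "$file"
    grep -qx -- "$uid" "$file" || printf '%s\n' "$uid" >> "$file"
)

# Emit the ruleset: default-deny both ways, replies allowed statefully,
# one inbound TCP hole, new outbound connections only for allowlisted UIDs.
gen_rules() (               # usage: gen_rules FILE [OPEN_TCP_PORT]
    file=$1 port=${2:-22}
    case $port in ''|*[!0-9]*) exit 1 ;; esac
    [ -r "$file" ] || exit 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    while IFS= read -r uid; do
        # Skip comments, blanks and anything that is not a plain number,
        # so a tampered allowlist cannot inject rule text.
        case $uid in ''|*[!0-9]*) continue ;; esac
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate NEW -j ACCEPT"
    done < "$file"
    cat <<'EOF'
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUT-DENY " --log-uid
-A OUTPUT -j REJECT
COMMIT
EOF
)
```

Check the output with `gen_rules allow.list | iptables-restore --test` as root before loading it. Denied attempts then show up in the kernel log with the OUT-DENY prefix and the UID of the sending process, which is the data a dialog-based front-end would prompt on before calling `remember_uid`.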