Seems to be 2 separate issues in this thread:

1) Our system logging for firewall issues only logs PIDs via iptables with no program name. Given other applications like netstat and nethogs can do this, I think it's something we should try to work with upstream to address. (my $0.02)
2) Users can't firewall based on applications. I could be completely wrong here, but I believe AppArmor[1] provides this functionality via profiles. While not as simple as adding an application to a list, it might be an alternative solution until there's an easier way to do this.

[1] http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html

-Robbie

On 01/26/2012 02:51 PM, Jason Todd wrote:
> Nick, the package is called "acct" all by itself.
> IMHO it will not solve the problem you are facing. I have tried it and it is not "user-friendly" compared to what you are used to. I have watched numerous people go back to Windows largely because of user frustration/inability to discover/control what applications can and cannot internet connect. I remember reading one review of Ubuntu where the reviewer hooked up some friends with 11.04 to get their opinions. One of the things the friends complained about was only having control of ports (and not applications) in the firewall. I could have sworn it was at tomshardware.com. I've searched but can't find the review. It was back around the time 11.04 came out.
> The way Linux deals with applications and internet connections has not evolved to a consumer-desktop level. In an age where privacy and security are very important, it's going to need to address this to gain more users. I was sad to see Bug 820895 marked as Won't Fix.
>
> I personally tried to get my friend to start using Ubuntu. But he grew frustrated with no application firewall capabilities. He posted in the ubuntu-forums on the issue and it generated a long discussion but ultimately turned into a big mess where lots of Ubuntu users were calling him an idiot and saying that Windows uses an application firewall because Windows sucks. The thread was closed and my friend went back to Windows feeling like Ubuntu is only for programmers and everyone that uses Ubuntu thinks he's stupid because he wanted an application firewall.
>
> ------------------------------------------------------------------------
>> From: nru...@hotmail.com
>> To: ps...@ubuntu.com; ubuntu-devel-discuss@lists.ubuntu.com
>> Subject: RE: can we find a solution to bug #820895 (show Process Name in log files)?
>> Date: Thu, 26 Jan 2012 10:16:22 -0500
>>
>> Philip, thanks for your reply. I greatly appreciate it. You said,
>>
>>> If you don't like the connections a program makes, then configure it not to do so. If you can't do that, then don't run such a bad program.
>>
>> This is what I'm trying to do on Ubuntu! :) If I can't log the process name, how do I learn what connections a program is making so that I can configure that program to not make those connections? You see the problem?
>>
>> For over a year I have been struggling (on Ubuntu) with a way to identify the connections programs are making so that I can do what you say: configure it not to make those connections or to uninstall the program if I deem it a "bad program." This is a non-issue on Microsoft Windows because I can easily identify connections programs are making and I can KNOW the comings and goings on my computer as it is all logged with Application Name in the firewall log. One of the criteria I use to select which applications I install and run is "internet connection behavior." It has been very difficult selecting applications I prefer in Ubuntu because I am forced to sit and watch netstat while trying to accomplish things. What I have ended up doing is (when available) installing the same program on Windows, studying the firewall log in Windows and then deeming it a "good" or "bad" program for use in Ubuntu. So I am still seeking a solution on Ubuntu. If there's some other way to accomplish what I'm after (than using a Firewall Log), I will use it. But I have yet to find as reasonable a solution on Ubuntu.
>> As others have remarked in forums etc., this is becoming an increasing priority in order to manage Mobile Broadband internet connection usage, as the accounts come with bandwidth caps where users are charged a lot of extra money if they exceed the caps.
>>
>> I will investigate using the acct package. Is this the name ("acct" or "acct package") I should search for in Synaptic? I have not tried this as a solution and really appreciate your suggestion.
>>
>>> Date: Wed, 25 Jan 2012 19:55:18 -0500
>>> From: ps...@ubuntu.com
>>> To: nru...@hotmail.com
>>> CC: ubuntu-devel-discuss@lists.ubuntu.com
>>> Subject: Re: can we find a solution to bug #820895 (show Process Name in log files)?
>>>
>>> On 01/25/2012 06:22 PM, nick rundy wrote:
>>>> Is there anything that can be done to create some way for Ubuntu users to get the capability of having a static record of what application/s made an outgoing connection?
>>>
>>> That would require a change to the iptables kernel module that implements process-based rules. Last I saw, it wasn't really maintained because the whole concept is considered broken by design. In other words, you shouldn't be setting rules based on processes.
>>>
>>> Needing an external firewall to control network activity of a program in the first place is the result of using badly behaved closed source programs, and so it is largely a non-issue for the open source community.
>>>
>>>> The capability to log "process names" has been requested by numerous users over the years; here are some links:
>>>
>>> If you want to log what processes are run and when in general, then you can install and configure the acct package. You could then use the accounting information to look up what process had a given pid at a given time.
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

--
Robbie Williamson <rob...@ubuntu.com>
robbiew[irc.freenode.net]

"Don't make me angry...you wouldn't like me when I'm angry." -Bruce Banner
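To make Robbie's AppArmor pointer concrete, here is an added example of the kind of profile he is describing; it is not from anyone in the thread and not an Ubuntu-shipped profile. The program path /usr/bin/example-app and the config/data paths under it are assumptions chosen for illustration. The profile confines that one executable and refuses it every socket, which is the per-application control nick and Jason are asking for, expressed per binary rather than as a list of applications.

```text
# Added example profile (hypothetical program path; not from the thread).
# Save as /etc/apparmor.d/usr.bin.example-app and load or reload with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example-app
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  # Let the program map itself and read its own configuration and data.
  # (Assumed paths; adjust to the real program.)
  /usr/bin/example-app mr,
  /etc/example-app/** r,
  owner @{HOME}/.example-app/** rw,

  # Refuse every network family and socket type. The "audit" modifier makes
  # the kernel log each refused attempt together with the confined program.
  audit deny network,

  # To permit only outgoing/incoming TCP over IPv4 instead of blocking all
  # traffic, replace the line above with:
  #   network inet stream,
  # Anything not explicitly granted (UDP, IPv6, raw sockets) stays denied.
}
```

Start in complain mode (sudo aa-complain /usr/bin/example-app) so the program keeps working while every network attempt is logged, then switch to sudo aa-enforce once the rules are right. Denials show up in the kernel log (dmesg, /var/log/kern.log, or /var/log/audit/audit.log when auditd is running) as apparmor="DENIED" records that carry the profile name, pid and comm of the offending process, which is the process-name information the iptables LOG target does not give. The caveat Robbie raises stands: this is configuration per executable path written by hand, not a point-and-click list, and a program can only be confined if it is started under a loaded profile.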