[Wine] Re: creating built-in firewall for Wine

oiaohm wineforum-user at winehq.org
Thu Apr 7 19:15:56 CDT 2011


James McKenzie wrote:
> On Thu, Apr 7, 2011 at 5:13 AM, oiaohm <wineforum-user at winehq.org> wrote:
>
> > > In short because native firewall knows almost nothing about the program. (But I could be mistaken.)
> >
> > Linux firewall is able to do applications.  Few different ways.
>
> Two:  Can you prevent (and this is an actual case) IE from not
> accessing the Internet but allowing Firefox to do so using native
> Linux applications from inside Wine?  If you can, details please as
> this is an actual situation that has been requested in a security
> mailing list.
> 
> Yes, there is someone that wants to install IE7 inside of Wine, but
> block all access from that program to the outside world but wants to
> use Firefox from inside of Wine and allow access to the outside world.
> Right now they are using Windows Firewall to do this, but they want
> the perceived security of Linux.  And they have been just about
> everywhere trying to make this work.


I did give this information.  
Of course, it's 1 wineprefix per application. Splitting wineserver actions out to each application inside a prefix is kind of impossible; it is basically a blender of messages. Splitting by prefix is possible. Even inside Windows, splitting all internal calls to Windows out to their source application can be impossible.

Filtering by sub-process is impossible to make secure. Filtering by wineprefix, on the other hand, is simple and works more securely than Windows Firewall does.

Even under Windows you cannot truly firewall an application, since applications can talk to other parts of Windows and have other applications do their requests for them.

This is the key information to pull it off. wineserver connects to a particular file inside a prefix. Applications run inside the prefix also touch files inside the prefix. Yes, it is bad to presume that a process itself has to talk directly to the internet.

For example, if Firefox is allowed and an application is forbidden, the forbidden application inside the prefix could get Firefox to do its dirty work, so allowing the forbidden application to still access the internet.

To do firewalling down to the subprocess, wineserver and other things have to implement SELinux-like security restricting applications from being able to talk to each other.

Now to make it work with SELinux. You create a data protection rule inside SELinux so that anything touching data inside the prefix gets an SELinux tag. That tag lines up with firewall rules. Bingo, one contained application. Even better, you can lock out access to other wineprefix directories while you are at it, i.e. applications tagged with one wineprefix tag cannot access a different prefix. This prevents applications picking up multiple tags and so breaking the firewall. It does cause the minor annoyance of not being able to directly copy data from one wineprefix to the next.

Basically it is no different to doing multi-level data security. There are some SELinux front ends that make doing this fairly simple. http://www.linux.com/learn/tutorials/421152:using-selinux-and-iptables-together This covers how to make iptables use the SELinux tags.

Traffic shaping systems can be simpler. They take the application command line and path and apply filters. Traffic shaping systems are security-system neutral, and interfaces to plug them in are part of the Linux firewall design.

But you still have to work by wineprefix, since wineserver does some network requests on behalf of applications contained in the wineprefix. So the subprocess and the wineserver are not truly 100 percent independent.

Yes, everyone, those commercial Windows firewall programs you love and trust are truly busted. More a false sense of security. The paths I am describing are true working security.






