NIX: Douane - An application aware personal firewall

[40hz]

UPDATE: Major problems with this app. See this post below.


Just saw a reference to this over on Distrowatch.

Looks like somebody coded a personal firewall (Douane) that is "application aware." First time something goes to connect to the web, it affords you the opportunity to allow or deny it. Your answer then becomes a rule that's stored for future use.

NIX: Douane - An application aware personal firewall

There's also a control panel that allows you to start and stop the firewall plus enable/disable/delete rules you've already created. This is very similar to how a Windows firewall called ZoneAlarm used to behave. Very convenient for a newbie user. It's also occasionally eye-opening when you see just which apps are seeking web access. And when.

NIX: Douane - An application aware personal firewall

Very handy IMO.

Douane is not in any repo so far. And the only semi-packaged version seems to be for Arch. Everybody else gets to "Git" and compile it. Not a big challenge as the devs published a very detailed page with all the steps necessary. Even a novice should be able to do it.

Lack of a distro specific package isn't an issue for me. And I have no problem doing a compile. But my concern is that part of the installation process creates and installs a DKMS kernal module. This makes perfect sense for an app like a firewall. But I'm a little leery of allowing that when I don't know much about the app or its developers. Especially when it's a security app and includes a DKMS module which will auto-recompile when/if a new kernal gets installed. (Note: that last concern isn't valid - see mwb1100's post below.)  Because what's benign and on the 'up & up' today may not be tomorrow.

So. Anybody have any direct experience or heard more about this thing or the folks behind it?

[mwb1100]

Keep in mind that the auto-recompile done by the DKMS system uses the same source file that was already compiled for the kernel you were using - so the auto-recompile won't introduce any malicious code that wasn't already there.

Trusting the kernel module in the first place is a different story; at least the source is available for audit.  It's a single C file, but it would still probably take a fair bit of study to audit.

[IainB]

Not sure I understand what is so special about this. I thought things like - for example - Windows 7 Firewall Control, were "application aware" - i.e., pretty much just as you describe above - no?

[Shades]

@IainB
In my (very) limited experiences with Linux, most firewalls do not have a simple or easy interface. While these are powerful, it is easy to set these up insufficiently and/or incorrectly. Finding this out and fixing that isn't that easy, especially when you are accustomed to the Windows way of doing things.

The old ZoneAlarm firewall or SyGate firewall were good at their job and easy to setup. It would be nice to have such an easily configurable firewall on Linux.

[40hz]

Not sure I understand what is so special about this. I thought things like - for example - Windows 7 Firewall Control, were "application aware" - i.e., pretty much just as you describe above - no?

-IainB (December 08, 2014, 01:24 PM)

I didn't think it was 'special' so much as it was easy and convenient. Firewall configuration on the Linux platform isn't all that user friendly. Especially for innocent newcomers. Even the 'easy' GUI tools to do it are decidedly geeky.

As far as what Windows own firewall does, I don't have much to say other than it doesn't run on Linux - so it didn't enter into my admittedly limited thought process when I did the original post.

UPDATE: Ah! I see Shades has already chimed in. To which I say: this! 

[40hz]

Keep in mind that the auto-recompile done by the DKMS system uses the same source file that was already compiled for the kernel you were using - so the auto-recompile won't introduce any malicious code that wasn't already there.

-mwb1100 (December 08, 2014, 01:24 PM)

@mwb - Doah! (You're right. What was I thinking? )

[IainB]

@40hz and @Shades: Ah, thanks for putting me straight on that. My ignorance - I had not appreciated that firewalls were so uniquely different/difficult to Windows in other OSes (and I thought the Windows one was bad enough anyway...).

[40hz]

@40hz and @Shades: Ah, thanks for putting me straight on that. My ignorance - I had not appreciated that firewalls were so uniquely different/difficult to Windows in other OSes (and I thought the Windows one was bad enough anyway...).

-IainB (December 09, 2014, 08:20 AM)

You wouldn't believe!

Actually IPtables and NetFilter (which forms the core of most Linux firewall solutions) isn't difficult to set up from the CLI per se. You just need to know a fair bit about how things work when it comes to IP traffic to do it right. Because a misconfigured or badly configured FW can be worse than no FW at all. That's an awful lot of "how" and "why" you need to know, whereas the average beginner only knows "what" at best. Douane seems to bring it down to: "This is what's happening. What do you want to do about it?" Sounds like beginner's heaven to me,

Take a look at this page for Firewall Builder. It's one of the better known tools to make configuring a FW "easier." Imagine turning a new user loose with that.

[40hz]

UPDATE:

Ok, I installed it on a test machine (Mint 17.1 Cinnamon) and have concluded it's NOT ready for prime-time.

Issues:

1) The installation dependencies have left out g++ as a required package. Not a problem as long as you understand the error message you'll see and know how to install g++. Many new users won't have a clue.

2) If you follow the installation steps exactly, at a certain point about half way through you are instructed to start the douane-daemon to verify it installed properly. If you do that you won't be able to complete the installation, because it will be running before the configuration utility and the GUI are installed - and it will be blocking everything. So you'll need to stop the daemon (i.e. sudo service douane stop) to get web access in order to complete installing everything else. Not a problem for a moderately experienced user. But a newbie will find their machine is now unable to get any internet access until they stop the service or (hopefully) reboot their machine. That's pretty scary situation for a new Linux user to find themselves in. Fortunately, the installation process doesn't configure the daemon to autostart on boot or it would be a total nightmare for the unsuspecting.

3)The script for installing the Ubuntu launcher for the Configurator does not work with Cinnamon. You'll need to do it manually.

Item 2 above is pretty serious IMO. But the real showstopper is Douane does not recognize Firefox. It caught Thunderbird and Dropbox just fine. But FF (v33.x) and it's cousin PaleMoon (25.1.0 x64) were ignored. No popup asking what to do. So if the douane-daemon is running you won't be able to use either browser unless you turn it off.

That was it for me.



Recommendation: skip this one for now. Or better yet, wait until it's stable enough to find it in your distro's repository.