Consider adding SubGraph's "fw-daemon" tool

[bnvk]

The folks at SubGraph OS have made a really handy tool they call fw-daemon which monitors network requests and allows the user to allow / disallow specific requests. The daemon presents a focus grabbing widget that looks like:

I think this is highly useful helping users better understand when certain applications are sending their data and where. SubGraph based their tool on LittleSnitch which is MacOS and I really miss on Linux. SubGraphs tool is not packaged yet, but we should look into the feasibility of integrating it with Qubes once it gets more refined. I assume making VM specific firewall rules will be a challenge if it is implemented differently!

• fw-daemon repo

[adrelanos]

What's the purpose? Can / should it contain a malicious application trying to circumvent it? I find these a PITA. And last time I checked these personal firewalls, not capable of containing malicious applications.

[bnvk]

@adrelanos not sure I understand what you're saying. This tool (like LittleSnitch) is really useful in letting a user know things like:

• A non-Google application is phoning home to Google everytime you launch it
• An application is suddenly making calls to a random URL

The former is just intrusive data mining / reporting that usually goes unnoticed. The later could be a sign of malware. Both of which are helpful to users.

[adrelanos]

The output of such tools is not reliable as in not to be trusted.
Effective containment of malicious applications on that level is in
vain. Otherwise we would not require Qubes. If applications are
untrusted, the right thing to do is to not install them. Such tools can
lead to a false sense of security which these are incapable to provide.

lightbeam (firefox add-on) and perhaps noscript are better suited to
educate users about data mining. [however I am not arguing for
pre-installing them]

Brennan Novak:

• A non-Google application is phoning home to Google everytime you
  launch it

I think it's up to us distribution maintainers not to pre-install such
applications. And to make sure these do not even enter upstream
repositories. And to complain loudly should this ever happen.

Such as people loudly complained about the Ubuntu search box amazon data
leak (see EFF blog post). Except for that case, I don't think we yet
have phoning home software in Libre Software repositories yet.

• An application is suddenly making calls to a random URL
  [...] could be a sign of malware. Both of which are helpful to users.

As soon as such tools get pre-installed by default on a considerable
amount of systems, malware would take precautions to prevent getting
spotted by tools such as fw-daemon. Tunnel their illicit communications
by example through DNS.

[marmarek]

Such tool can be useful for training your firewall. To setup firewall for particular VM to access only resources you want.

For example:
You have banking VM with web browser used only to access your online banking. Now you want to allow it to access only yourbank.com site (over HTTPS only of course). But after you setup such firewall, you notice that some images on the page do not show. Now such fw-daemon would be useful to find out that you need to add also static.yourbank.com too (but not google-analytics.com).

[bnvk]

I think it's up to us distribution maintainers not to pre-install such
applications

@adrelanos because users never install software on their own? And they don't all know how to use Wireshark or netstat? I ran Atom Editor by Github for months (on my Qubes) machine, before I used it again on my Mac and LittleSnitch informed me there was a "debugging" module enabled by default that submitted to google-analytics.com everytime I used the app... 😦

We might want to enable fw-daemon by default except for advanced users, but I think it should definitely be included and integratable with Qubes VM firewalls!

[ag4ve]

I like this idea. Granted, if your bank starts serving up malware you won't detect that. But you also won't be connecting to near as many hosts. So it lowers your threat level.

[andrewdavidwong]

Closing as retroactive duplicate of #2350, per #2350 (comment).