Gentoo Forums
Strict firewall?
The_Great_Sephiroth
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

Posted: Fri Jun 12, 2015 12:35 pm    Post subject: Strict firewall?

I have a bit of a problem here. In Windows 7 I use Windows Firewall to block all incoming AND outgoing connections, except for applications that I allow. For example, I allow The Elder Scrolls Online launcher and client to create outbound connections on my gaming laptop. Linux, as far as I can tell, does not do application-based firewalls. I can block outgoing easily, but what do I do about programs which use random ports to connect? I assume that programs like Aurora will connect on 80 or 443 and then switch to some random port once connected, but what about other apps? Would I simply allow 80 and 443 outbound and then allow established/related connections?

Before anybody informs me that Linux doesn't have spyware and such like Windows, I know this. I am looking for a way to block anything not approved on domain networks using Linux workstations. For example, Amarok can create multiple connections when starting up to sites like last.fm, but I do not want to deny users access to play their music (file collections). What if it connects on port 80? How do I stop Amarok without stopping Aurora?

Again, this is primarily a learning experience for me. The next thing will be location awareness. I love that in Windows. I block almost everything in "Public" networks (Starbucks, whatever) and allow things like file sharing in "Private" or "Domain" networks.
_________________
Ever picture systemd as what runs "The Borg"?
Keruskerfuerst
Advocate


Joined: 01 Feb 2006
Posts: 2289
Location: near Augsburg, Germany

Posted: Sun Jun 14, 2015 4:39 pm

http://www.netfilter.org/projects/iptables/
Apheus
Guru


Joined: 12 Jul 2008
Posts: 422

Posted: Sun Jun 14, 2015 5:46 pm

An application-level firewall is, unfortunately, not possible in Linux without tinkering. The kernel just doesn't have the per-packet information about which application a packet originates from.

You could activate the "owner match" extension for netfilter in the kernel, run "suspicious" applications as another user using passwordless sudo <user>, and configure the firewall to drop everything from that user.

You could create network namespaces. I don't know how to configure different firewall rules for them. They also need an option in kernel.

I think the way of the future will be sandboxes for applications. With docker, which uses lxc, which in turn combines chroot, namespaces and control groups, I expect one will be able to configure different firewall rules for different applications. But this is future talk.
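As an added example (not code from the thread or from either poster), here is the owner-match approach written out as iptables rules, extended with the "allow 80/443 plus established/related" idea from the opening post so the dedicated user gets a small allow-list rather than a blanket drop. It assumes iptables and a kernel with the owner match (xt_owner) available; the user name "sandbox", the chain name SANDBOX_OUT and the sudoers line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Per-user egress control with the
# netfilter "owner" match: run the untrusted program as a dedicated user and
# give that user's packets their own OUTPUT sub-chain. Assumes iptables and a
# kernel with the owner match (CONFIG_NETFILTER_XT_MATCH_OWNER / xt_owner).
# "sandbox" and "SANDBOX_OUT" are placeholder names.

SANDBOX_USER="${SANDBOX_USER:-sandbox}"

# Print the rules instead of running them, so they can be reviewed first.
# Order matters: ESTABLISHED,RELATED covers replies on whatever port an
# accepted connection negotiated, but a fresh outbound connection to a port
# not listed below is NEW and falls through to the final REJECT.
egress_rules() {
    user="$1"
    cat <<EOF
iptables -N SANDBOX_OUT
iptables -A OUTPUT -m owner --uid-owner $user -j SANDBOX_OUT
iptables -A SANDBOX_OUT -o lo -j ACCEPT
iptables -A SANDBOX_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SANDBOX_OUT -p udp --dport 53 -j ACCEPT
iptables -A SANDBOX_OUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A SANDBOX_OUT -j LOG --log-prefix "SANDBOX_DROP: " --log-level 4
iptables -A SANDBOX_OUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# The owner match only works in OUTPUT/POSTROUTING and needs xt_owner; check
# before applying so a missing module does not leave a half-built chain.
owner_match_available() {
    grep -q '^xt_owner ' /proc/modules 2>/dev/null || modprobe -n xt_owner 2>/dev/null
}

# Apply as root (sh -e stops at the first failing rule).
apply_rules() {
    owner_match_available || { echo "xt_owner not available" >&2; return 1; }
    egress_rules "$1" | sh -e
}

# Launch a program as the sandbox user so its packets carry that uid.
# Needs a sudoers entry such as (placeholder): youruser ALL=(sandbox) NOPASSWD: ALL
run_sandboxed() {
    sudo -u "$SANDBOX_USER" -- "$@"
}
```

Blocked attempts show up in the kernel log with the SANDBOX_DROP prefix, which is the quickest way to see which ports a program really uses before widening the allow-list.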