The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1602 Location: Fayetteville, NC, USA
Posted: Fri Jun 12, 2015 12:35 pm Post subject: Strict firewall?
I have a bit of a problem here. In Windows 7 I use Windows Firewall to block all incoming AND outgoing connections, except for applications that I allow. For example, I allow The Elder Scrolls Online launcher and client to create outbound connections on my gaming laptop. Linux, as far as I can tell, does not do application-based firewalls. I can block outgoing easily, but what do I do about programs which use random ports to connect? I assume that programs like Aurora will connect on 80 or 443 and then switch to some random port once connected, but what about other apps? Would I simply allow 80 and 443 outbound and then allow established/related connections?
Before anybody informs me that Linux doesn't have spyware and such like Windows, I know this. I am looking for a way to block anything not approved on domain networks using Linux workstations. For example, Amarok can create multiple connections when starting up to sites like last.fm, but I do not want to deny users access to play their music (file collections). What if it connects on port 80? How do I stop Amarok without stopping Aurora?
Again, this is primarily a learning experience for me. The next thing will be location awareness. I love that in Windows. I block almost everything in "Public" networks (Starbucks, whatever) and allow things like file sharing in "Private" or "Domain" networks.
_________________
Ever picture systemd as what runs "The Borg"?
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Apheus Guru
Joined: 12 Jul 2008 Posts: 422
Posted: Sun Jun 14, 2015 5:46 pm Post subject:
An application-level firewall is, unfortunately, not possible in Linux without tinkering. The kernel just doesn't have the per-packet information about which application it originates from.
You could activate the "owner match" extension for netfilter in the kernel, run "suspicious" applications as another user using passwordless sudo <user>, and configure the firewall to drop everything from that user.
You could create network namespaces. I don't know how to configure different firewall rules for them. They also need an option in the kernel.
I think the way of the future will be sandboxes for applications. With docker, which uses lxc, which in turn combines chroot, namespaces and control groups, I expect one will be able to configure different firewall rules for different applications. But this is future talk.
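One way to put the owner-match approach into practice, as an added example that is not from the thread: the script below generates iptables OUTPUT rules for a dedicated account (the user name `sandbox` is assumed) that an application such as Amarok would be launched as with `sudo -u sandbox`, so that only web and DNS traffic from that account leaves the box and every other new connection is logged and dropped. It assumes the kernel has the owner match built (CONFIG_NETFILTER_XT_MATCH_OWNER) and that iptables is installed.

```bash
#!/bin/sh
# Added example, not from the forum thread. Generates (and optionally applies)
# iptables rules that confine one dedicated account. Anything launched as that
# account ("sudo -u sandbox amarok") can reach TCP 80/443 and DNS; a program
# that tries to open a fresh connection on some random port gets logged and
# dropped, so the log shows what it actually needs before you allow it.
# Assumes: user "sandbox" exists, kernel has the xt_owner match.

# Print the rules for the given user instead of applying them, so the
# policy can be reviewed before it touches a live firewall.
gen_owner_rules() {
    user="$1"
    cat <<EOF
iptables -N SANDBOX_OUT
iptables -A OUTPUT -m owner --uid-owner $user -j SANDBOX_OUT
iptables -A SANDBOX_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SANDBOX_OUT -p tcp --dport 80 -j ACCEPT
iptables -A SANDBOX_OUT -p tcp --dport 443 -j ACCEPT
iptables -A SANDBOX_OUT -p udp --dport 53 -j ACCEPT
iptables -A SANDBOX_OUT -j LOG --log-prefix "sandbox-drop: "
iptables -A SANDBOX_OUT -j DROP
EOF
}

# Apply the rules only when running as root; otherwise just show them.
# Note: ESTABLISHED,RELATED covers replies on connections already accepted;
# a new connection to a random port is NEW and falls through to LOG/DROP.
apply_owner_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        gen_owner_rules "$1" | sh
    else
        gen_owner_rules "$1"
    fi
}
```

Run `apply_owner_rules sandbox` as root to install the chain, then watch the kernel log for `sandbox-drop:` entries to see which extra ports the confined program asks for.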