Slashdot Mirror


Unix-Based Application Specific Firewalls?

tengwar asks: "Under Windows I use a firewall (Zone Alarm) which can prevent individual applications from gaining Internet access, restricting them either to the local network or preventing any network access at all. This can be used to prevent Microsoft software and other trojans from calling home. I also restrict Outlook so that it can talk to my email server (which is on the local network), but can't pull remote content href'ed in a HTML email - helps with cutting the virus risk. I've also set it so that Internet Explorer has to ask for permission to access the Internet each time. I'm planning to move over to Linux as my main working environment, and I will probably want to use some Windows programs under Crossover - in particular I'll need Internet Explorer occasionally for getting to my banks, and I may need Outlook for work-related reasons. I'm not interested in iptables on the client (I think) as I've already got NAT and a hardware firewall guarding the network. Have you any suggestions on how to get the application-specific filtering that I get under Zone Alarm, for Linux?"


  1. iptables can do some by ctr2sprt · · Score: 5, Informative
    iptables can do some of what you want, but not all. Still, it may get you close enough to get by (at least until you find a better option). There is an iptables module called "owner" that lets you perform various tests on the owner of a packet, including its "owning command" (creator process) if the kernel supports it. This still doesn't interactively query if you want to pass a connection, but at least you can hardcode in your basic rules:

    # iptables -A OUTPUT -m owner --cmd-owner outlook -p tcp ! --dport 25 -m state --state NEW -j REJECT
    It's possible that someone has used that functionality, along with userspace iptables packet queueing, to do exactly what you want, but I haven't heard of it.
    1. Re:iptables can do some by cowbutt · · Score: 5, Informative
      You could also chown root.outlook the outlook binary, then use iptables' --gid-owner to apply rules to any process spawned by that binary.

      Also nice for proxies and network daemons too.

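Putting the two comments above together (owner match plus a setgid binary), here is an added example script that is not from the original thread or from any project: it generates a per-application egress chain for one group, which it can then load and, with cowbutt's chgrp/setgid trick, tie to a binary. The group name "outlook", LAN 192.168.1.0/24 and mail server 192.168.1.10 are placeholders, not values from the page.

```sh
#!/bin/sh
# Per-application egress policy with the iptables "owner" match.
# Placeholder assumptions: a system group "outlook", LAN 192.168.1.0/24,
# mail server 192.168.1.10; change them for your network.
APP_GROUP="${APP_GROUP:-outlook}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"

# Print (do not run) the rules for one application group, one per line.
# Sockets created by processes whose effective gid is $1 are diverted
# into a chain of their own, which allows replies, SMTP/IMAP to the mail
# server and anything else on the LAN, then logs and rejects the rest.
app_rules() {
  app="$1"; lan="$2"; mail="$3"; chain="APP_$app"
  cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --gid-owner $app -j $chain
iptables -A $chain -o lo -j ACCEPT
iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $chain -p tcp -d $mail -m multiport --dports 25,143,993 -m state --state NEW -j ACCEPT
iptables -A $chain -d $lan -m state --state NEW -j ACCEPT
iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix ${chain}-blocked:
iptables -A $chain -j REJECT
EOF
}

# cowbutt's trick: give the binary the group and the setgid bit so every
# process started from it runs with that gid and is caught by the match.
confine_binary() {
  bin="$1"; app="$2"
  getent group "$app" >/dev/null || groupadd --system "$app"
  chgrp "$app" "$bin" && chmod g+s "$bin"
}

# Load the generated rules; stops at the first rule iptables rejects.
apply_rules() {
  app_rules "$1" "$2" "$3" | while IFS= read -r rule; do
    eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
  done
}

# Helper for checking the generated policy without root.
rule_count() { app_rules "$1" "$2" "$3" | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
  confine_binary "$2" "$APP_GROUP"
  apply_rules "$APP_GROUP" "$LAN_CIDR" "$MAIL_SERVER"
fi
```

For a Windows program run under Wine or Crossover the setgid bit would have to go on the Wine loader itself, so every Wine process shares the policy; a dedicated copy of the loader per application keeps the groups separate.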