Defining rules on a program-by-program basis is hard on Linux.
That's sort of embarrassing for a "secure" operating system, right?
The historical reason: filters based on application (as opposed to port) are comparatively slow and complicated. Linux thrives in a server environment, where the threat model is different: on a server, it's a better idea to write extremely restrictive firewall rules that all applications must abide by. Spyware is not much of a threat on a server that allows no outgoing connections except HTTPS to 10.x.x.x.
The feature does exist, in something called "libnetfilter_queue". I haven't seen anything that's usable by Normal People. Folks who want to write their firewalls in C can start here: https://home.regit.org/netfilt...
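The "extremely restrictive" server policy the comment describes, written out as an nftables ruleset. This is an added illustration, not the commenter's code; it assumes the "10.x.x.x" network is 10.0.0.0/8, that HTTPS means TCP/443, and that any per-application userspace filter built on libnetfilter_queue would listen on queue number 0.

```nft
# Added example: default-deny egress for a server, per the comment above.
# Assumptions: trusted range is 10.0.0.0/8 ("10.x.x.x"); HTTPS is TCP/443;
# a libnetfilter_queue-based verdict daemon (hypothetical) uses queue 0.
flush ruleset

table inet egress {
    chain output {
        # Port-based policy: every application on the host is bound by it.
        type filter hook output priority filter; policy drop;

        # Loopback traffic and packets belonging to already-accepted flows.
        oif "lo" accept
        ct state established,related accept

        # The only permitted new outbound connection: HTTPS to 10.x.x.x.
        ip daddr 10.0.0.0/8 tcp dport 443 ct state new accept

        # Per-application variant: instead of deciding here, hand each new
        # outbound connection to userspace (libnetfilter_queue) for a verdict.
        # No "bypass" flag, so if the daemon is not running the packet is
        # dropped rather than silently allowed (fail closed).
        # ct state new queue num 0

        # Record everything the policy rejects before the chain policy drops it.
        log prefix "egress-drop: " counter
    }
}
```

Load with `nft -f <file>` and review the `egress-drop:` kernel log entries to confirm nothing legitimate is being blocked before relying on it.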