Slashdot Mirror


User: c0dd3r5

c0dd3r5's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. Re:Something like Zonealarm for linux? on The Enemy Within: Firewalls and Backdoors · Score: 1

    The idea of dynamically adding rules to iptables is appealing. This is an application level filter, effectively, and it can't as such mangle packets or silently drop them as iptables can. Nor can it do half of the other neat stuff that iptables does.

    The poster below suggested making this a module of iptables, but I don't think that would be particularly easy as iptables would have trouble causing the applications themselves to block - the packet has long since disassociated from its sender. I think, though, that it would make a useful partner to iptables. The ideal would be to have something like 'deny all' as your basic firewall setup, and let this punch the requisite holes as your applications bind sockets. I've yet to discover, though, how this might affect performance.

    As for adding it as a project, I'm considering it. There's an awfully long list of firewall projects on freshmeat, but none of them seem to do quite what this does, so it might be worth a go.

  2. Re:Something like Zonealarm for linux? on The Enemy Within: Firewalls and Backdoors · Score: 2, Interesting

    It just so happens... as of about three days ago, my associates and I have been working on just such a program. It basically hooks into net/socket.c and, on receiving a socket request, blocks the requesting application until a userland daemon authorises it. The daemon automatically grants / denies requests to applications in its control list, and denies requests from unknown applications. We're about to start working on the client which, when running, will receive information about the unknown app. and ask the user if said app. ought to be allowed to use the internet.
    Obviously at the minute it's still heavily alpha. The kernel patch works, and applications can be made to block or allowed to run. I don't know if this has been done before, but work is continuing apace (cause it's still interesting and we haven't hit a brick wall yet). I hope to have gotten something resembling a client working by this evening, but since we're pretty much messing around at this stage it'll probably be a couple of weeks before any files are available for download.
    As for authentication, MD5 summing was one of our thoughts, but it would be a little heavy to sum the application every time it requested a socket, so at the moment we're just basing it on inode / dev_no which, although not impossible to fake, seems like a good starting point.
    I'd be interested to know what people thought about this; whether any such applications already exist and what features it ought to incorporate. If it turns out people are interested, I'll try making the patches and source files available, but I can't recommend installing it into a kernel which you're actually trying to use - suggest UML or similar virtual machine.
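The userland side of the design in comment 2 (a control list keyed by the requesting program's dev/inode pair, default-deny for unknown programs) as an added example; this is not the posters' code or kernel patch. It assumes a SHA-256 digest in place of the MD5 sum they considered, and caches that digest by the file's stat signature so a program is only re-summed when it actually changes, which is one way around the "too heavy to sum every time" objection while still catching a binary swapped in under the same inode. All file paths and contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"   # unknown program: hand the decision to the user client


class PolicyDaemon:
    """Constructed model of the userland authoriser (not the original patch).
    The kernel hook would pass the requesting program's path / dev / inode."""

    def __init__(self):
        self._rules = {}   # (dev, ino) -> (allowed, pinned sha256)
        self._cache = {}   # (dev, ino, size, mtime_ns) -> sha256

    def fingerprint(self, path):
        # Re-hash only when the stat signature changes, not on every request.
        st = os.stat(path)
        key = (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns)
        if key not in self._cache:
            with open(path, "rb") as f:
                self._cache[key] = hashlib.sha256(f.read()).hexdigest()
        return key[:2], self._cache[key]

    def register(self, path, allowed):
        ident, digest = self.fingerprint(path)
        self._rules[ident] = (allowed, digest)

    def decide(self, path):
        ident, digest = self.fingerprint(path)
        if ident not in self._rules:
            return Verdict.ASK
        allowed, pinned = self._rules[ident]
        if digest != pinned:
            # Same dev/inode, different contents: the file was modified or
            # replaced in place after approval, so the inode identity is stale.
            return Verdict.DENY
        return Verdict.ALLOW if allowed else Verdict.DENY


def demo():
    """Exercise approved, unknown and tampered programs on constructed files."""
    d = PolicyDaemon()
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "trusted-app")
        unknown = os.path.join(tmp, "unknown-app")
        for p in (trusted, unknown):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
        d.register(trusted, allowed=True)
        first, ask = d.decide(trusted), d.decide(unknown)
        with open(trusted, "wb") as f:   # overwrite in place: inode unchanged
            f.write(b"#!/bin/sh\necho replaced after approval\n")
        tampered = d.decide(trusted)
    return first, ask, tampered
```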