Hi,
Any ideas what I can use as application firewall?
I'm using ufw with some manual tweaks, but I would like something that works at the app level. I'm not referring to the app-server level (INPUT); I mean I want to control which apps are allowed to OUTPUT.
I know ufw can do ufw allow in APP / ufw reject out APP, but it's not the same thing, as for out it refers to what goes towards that service, not to the specific application that makes the request.
Something graphical (maybe asking permission for each app) would be great.
Iptables cannot identify apps.
Iptables *can* identify users, through e.g. -m owner --uid-owner 1000
So, run your specially-firewalled apps as special users.
I think AppArmor can do that. Never tried it though.
No, AppArmor is too granular. Can't block individual ports.
Iptables cannot identify apps.
Iptables *can* identify users, through e.g. -m owner --uid-owner 1000
So, run your specially-firewalled apps as special users.
Never tried, but it seems it can (cf. --cmd-owner).
http://www.frozentux.net/iptables-tutor … OWNERMATCH
--cmd-owner doesn't exist anymore.
FPFL implements an app-based approach with netfilter, but development has stalled unfortunately last year.
Iptables has process match, please see here http://www.frozentux.net/iptables-tutor … orial.html - section Owner match.
So basically, no simple solution currently.
Iptables has process match, please see here http://www.frozentux.net/iptables-tutor … orial.html - section Owner match.
So basically, no simple solution currently.
That guide is outdated (it appears that it was written in 2006 and refers to Linux 2.4/2.6).
If you want that functionality back in the kernel, you will have to revert and merge this commit: https://git.kernel.org/cgit/linux/kerne … a1aca026d4; but I don't think one can do that.
iptables can also match on the group, which is quite useful. E.g.:
Create a new group named "torrent", add yourself to that group.
Then run an app with your "torrent" hat on, as in this fancy example:
sg torrent -c 'ionice -c3 nice -n 17 /usr/bin/transmission-gtk -m'
So sg is the cousin to the common su command.
Then iptables can match on the torrent packets, using:
-m owner --gid-owner torrent
Which is a very neat trick.
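As an added illustration of the two owner-match approaches in this thread (run the app as a dedicated user and match with --uid-owner, or run it under a dedicated group with sg and match with --gid-owner), here is a small POSIX shell script that is not part of the original posts. It generates an iptables-restore ruleset that sends everything a given uid or gid emits into its own chain, allows only a whitelist of TCP destination ports, and logs and rejects the rest. The chain name OWN_<owner>, the example ports 6881 and 51413, and the log prefix are this example's own choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that confines the outbound traffic of sockets owned by a given uid or gid
# to a whitelist of TCP destination ports, using -m owner. Chain naming,
# the port list and the log prefix are this example's own choices.
#
# Usage:  gen_owner_ruleset uid|gid OWNER "PORT PORT ..."
#   gen_owner_ruleset gid torrent "6881 51413" | sudo iptables-restore -n
# (-n / --noflush keeps the rules you already have.) Then start the app
# with that group as its effective gid, e.g.:
#   sg torrent -c 'transmission-gtk -m'
#
# Caveats:
#  - The owner match uses the credentials of the process that created the
#    socket and is only valid in the OUTPUT (and POSTROUTING) chains; it
#    cannot classify forwarded traffic or traffic from other hosts.
#  - --gid-owner tests the socket's effective gid, not supplementary
#    groups, which is why sg (or a dedicated user) is needed; recent
#    iptables/kernels add --suppl-groups to also consider supplementary groups.
#  - UDP (DHT, UDP trackers, DNS) is rejected by this ruleset; add -p udp
#    rules if the application needs them.

gen_owner_ruleset() {
    owner_type=$1
    owner=$2
    ports=$3

    case "$owner_type" in
        uid) match="--uid-owner $owner" ;;
        gid) match="--gid-owner $owner" ;;
        *)   echo "usage: gen_owner_ruleset uid|gid OWNER \"PORTS\"" >&2
             return 1 ;;
    esac
    [ -n "$owner" ] || { echo "owner must not be empty" >&2; return 1; }

    # Per-owner chain. iptables chain names are limited to 28 characters,
    # so sanitize the owner name and truncate it.
    chain="OWN_$(printf '%s' "$owner" | tr -c 'A-Za-z0-9' '_' | cut -c1-24)"

    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    # Divert everything the matching uid/gid sends into its own chain.
    printf '%s\n' "-A OUTPUT -m owner $match -j $chain"
    # Loopback stays open, as do replies on already-accepted connections.
    printf '%s\n' "-A $chain -o lo -j ACCEPT"
    printf '%s\n' "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        case "$p" in
            *[!0-9]*|'') echo "bad port: $p" >&2; return 1 ;;
        esac
        printf '%s\n' "-A $chain -p tcp --dport $p -j ACCEPT"
    done
    # Log (rate-limited) and reject everything else from this owner, so the
    # application gets an immediate error instead of hanging on a DROP.
    printf '%s\n' "-A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain rej: \""
    printf '%s\n' "-A $chain -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' 'COMMIT'
}
```

Because the ruleset is generated rather than applied directly, you can review it (or diff it against iptables-save output) before loading it, and the same function serves the "special user" variant by passing uid instead of gid.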