You are not logged in.

#1 2013-04-23 10:06:33

MilenKid
Member
Registered: 2013-04-21
Posts: 86

Application firewall

Hi,

Any ideas what I can use as application firewall?

I'm using ufw with some manual tweaks, but I would like something to work at app level. I'm not referring to app-server level (INPUT), I mean I want to control what apps are allowed to OUTPUT.

I know ufw can do ufw allow in APP / ufw reject out APP, but it's not the same thing as for out it refers to what goes towards that service, not to a specific application that makes the request.

Something graphical (maybe asking permission for each app) would be great.

Offline

#2 2013-04-23 11:49:03

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Application firewall

Iptables cannot identify apps.

Iptables *can* identify users, through e.g. -m owner --uid-owner 1000

So, run your specially-firewalled apps as special users.

Offline

#3 2013-04-23 12:09:07

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,585
Website

Re: Application firewall

I think AppArmor can do that. Never tried it though.

Offline

#4 2013-04-23 12:21:56

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Application firewall

Offline

#5 2013-04-23 13:01:16

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: Application firewall

brebs wrote:

Iptables cannot identify apps.

Iptables *can* identify users, through e.g. -m owner --uid-owner 1000

So, run your specially-firewalled apps as special users.

never tried but it seems it can (Cf. --cmd-owner)
http://www.frozentux.net/iptables-tutor … OWNERMATCH

Offline

#6 2013-04-23 13:07:47

Gusar
Member
Registered: 2009-08-25
Posts: 3,604

Re: Application firewall

--cmd-owner doesn't exist anymore.

Offline

#7 2013-04-24 08:04:49

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: Application firewall

FPFL implements an app-based approach with netfilter, but development has stalled unfortunately last year.

Offline

#8 2013-04-24 08:24:35

MilenKid
Member
Registered: 2013-04-21
Posts: 86

Re: Application firewall

Iptables has process match, please see here http://www.frozentux.net/iptables-tutor … orial.html - section Owner match.

So basically, no simple solution currently.

Offline

#9 2013-04-24 08:48:44

aesiris
Member
Registered: 2012-02-25
Posts: 97

Re: Application firewall

MilenKid wrote:

Iptables has process match, please see here http://www.frozentux.net/iptables-tutor … orial.html - section Owner match.

So basically, no simple solution currently.

That guide is outdated (it appears that it was written in 2006 and refers to linux 2.4 2.6)

If you want that functionality back in the kernel, you will have to revert and merge this commit: https://git.kernel.org/cgit/linux/kerne … a1aca026d4; but I don't think one can do that.

Offline

#10 2013-04-29 23:05:57

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Application firewall

iptables can also match on the group, which is quite useful. E.g.:

Create a new group named "torrent", add yourself to that group.

Then run an app with your "torrent" hat on, as in this fancy example:

sg torrent -c 'ionice -c3 nice -n 17 /usr/bin/transmission-gtk -m'

So sg is the cousin to the common su command wink

Then iptables can match on the torrent packets, using:

-m owner --gid-owner torrent

Which is a very neat trick smile

Offline

Board footer

Powered by FluxBB