Holly Bostick wrote:
[snip]
>> Not an answer but a follow up question: Is there a firewall for Linux
>> that can do application level filtering (probably wrong terms but...),
>
> Please anybody, correct me if I'm wrong, but afaik, this assumption that
> there are multiple firewall programs in the first place is incorrect.
>
> There is one. IPtables. All right, two, if you count IPchains, which
> IPtables replaced.
Not really, there are the ipt* kernel modules, then there is the program iptables, then the various programs that use the iptables program. The iptables program is a frontend, and all the others are frontends that use it; it's a question of how close the piece you're looking at is to the nucleus.

>> that is, is there a program that can block foo from web access but allow
>> it to imap and at the same time allow bar web access? (like most Win*
>> firewalls can)
>
> It's all about the ruleset. In this case, it looks like this option is
> involved:
>
> owner
> This module attempts to match various characteristics of the
> packet creator, for locally-generated packets. It is only valid in the
> OUTPUT chain, and even this some packets (such as ICMP ping responses) may have
> no owner, and hence never match.
>
> --uid-owner userid
> Matches if the packet was created by a process with the
> given effective user id.
>
> --gid-owner groupid
> Matches if the packet was created by a process with the
> given effective group id.
>
> --pid-owner processid
> Matches if the packet was created by a process with the
> given process id.
>
> --sid-owner sessionid
> Matches if the packet was created by a process in the
> given session group.
>
> --cmd-owner name
> Matches if the packet was created by a process with the
> given command name. (this option is present only if iptables was
> compiled under a kernel supporting this feature)
>
> Obviously, one would have to read more of man iptables than I did, or
> get a GUI front end that handles this more 'intuitively' to actually
> write the appropriate rule, but clearly it is possible.
>
> Hope this helps,
> Holly

See what "l7" provides as application level filtering to get some other ideas.

I never worked with advanced options like "--cmd-owner name"; this one sounds promising for a "personal firewall" but sounds difficult to maintain.

A question: are there front-ends (graphical or not) that use this kind of option? Just because I've found it rather ugly to maintain iptables rules directly.

-- 
gentoo-user@gentoo.org mailing list
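The scenario the thread asks about (user foo may reach IMAP but not the web, user bar may reach the web), worked through with the owner match as an added example; this is not code from the thread, from Gentoo or from the iptables project. The account names foo and bar, the helper names and the IPT variable are this example's own assumptions. One caveat a practitioner should know before building a "personal firewall" on the options quoted above: --cmd-owner, --pid-owner and --sid-owner were dropped from the kernel's owner match in 2.6.14, so on current kernels only --uid-owner and --gid-owner remain, and a maintainable per-application policy means running each application under its own user or group.

```shell
#!/bin/sh
# Added example (not from the thread): per-user egress filtering with the
# iptables owner match. By default IPT is "echo iptables", which only prints
# the rules so the policy can be reviewed; run with IPT=iptables as root to
# apply it. The user names must exist on the host when applied for real.
IPT="${IPT:-echo iptables}"

# Emit OUTPUT-chain rules for one user: ACCEPT the TCP ports in $2, REJECT
# the TCP ports in $3. The owner match is only valid in the OUTPUT chain
# (locally generated packets), as the manual page quoted in the thread says;
# packets with no owner (e.g. ICMP echo replies) never match these rules.
owner_rules() {
    user="$1"; allow_ports="$2"; deny_ports="$3"
    for p in $allow_ports; do
        $IPT -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $deny_ports; do
        $IPT -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport "$p" -j REJECT
    done
}

# The policy from the thread: foo gets IMAP (143) and IMAPS (993) but not
# HTTP/HTTPS; bar gets HTTP/HTTPS. REJECT rather than DROP so foo's client
# fails immediately instead of hanging until a timeout.
apply_policy() {
    owner_rules foo "143 993" "80 443"
    owner_rules bar "80 443" ""
}

apply_policy
```

Because the match keys on the effective uid of the socket owner, a setuid helper or a daemon that changes identity is filtered as the user it runs as, not as the user who launched it; when reviewing such a ruleset, check which identity each program actually holds when it opens its sockets.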