I have a lot more experience with the Windows Firewall with Advanced Security than I do with iptables. With the WFAF, I was able to lock down a program so that it could only connect over specific ports via specific protocols to specific IP addresses (as opposed to basically just saying "outgoing connections on port 80 are fine"). I'm not sure how I can duplicate that with iptables. Can anyone provide some quick and dirty tips? Like, let's say I wanted Firefox to only be able to use ports 80 and 443, what would I do?
-
It might be better to think about what the actual purpose of a firewall is. Going with your example, limiting firefox so that it only connects to 80 and 443 is going to protect you against exactly zero malicious things, and this is essentially true of any "per application" setting, unless the whole application itself is so untrustworthy you'd rather run it sandboxed -- in which case per user settings would be more appropriate. – goldilocks Aug 02 '14 at 19:18
-
I wouldn't say it protects you against zero malicious things. It does eliminate attack vectors. This sort of project typically ends up being more work than it's worth, though. Unless the OP is protecting nuclear launch codes, they're probably going overboard looking for access controls. – Bratchley Aug 02 '14 at 19:31
-
It's really as an experiment to learn how to do it. – BKilpat01 Aug 02 '14 at 22:49
-
FWIW, firewalld offers a GUI for iptables that does exactly what I wanted. – BKilpat01 Sep 11 '16 at 08:59
1 Answer
With the WFAF, I was able to lock down a program so that it could only connect over specific ports via specific protocols to specific IP addresses
That functionality would be a combination of SELinux for port number access control and a netfilter/iptables firewall for HBAC and protocol inspection.
I'm not sw00ft enough with SELinux to give you full-on policy examples but essentially you would label the program (if it wasn't already) and configure processes running in that domain such that they could only bind to specific ports.
Like, let's say I wanted firefox to only be able to use ports 80 and 443, what would I do?
I'm no expert; can you really do this with Windows firewall? On Linux, there are solutions for marking packets according to SELinux type, which would then let you create filtering decisions (such as to DROP packets for non-approved destination ports) based on SELinux type.
That said, you can do it. It just probably won't be easy. I also don't know many places that need this insanely granular level of access control.

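The answer above points at SELinux labelling for the per-process case, and one of the comments notes that per-user restriction is the more practical route on Linux. The following is an added example, not code from the original answer: it builds an iptables OUTPUT allow-list using the `owner` match (`-m owner --uid-owner`), so that a dedicated account the browser runs as can only open new TCP connections to the listed ports, with everything else logged and dropped. The user name `fxuser` and the chain name `FX_OUT` are constructed for this example; the function prints the rules rather than applying them, so it can be reviewed first and run as root with `eval` when the output looks right.

```shell
#!/bin/sh
# Added example: generate an egress allow-list for one Unix user with iptables.
# Assumptions (constructed for this example): the browser runs as the dedicated
# account "fxuser", and the chain is called FX_OUT. Nothing is applied here;
# the rules are printed so they can be inspected and then evaluated as root.

build_owner_rules() {
    user="$1"; shift            # first argument: uid or user name to constrain
    chain="FX_OUT"              # dedicated chain so the rules are easy to flush

    # Create the chain that will hold the allow-list for this user.
    printf 'iptables -N %s\n' "$chain"

    # Replies to connections already accepted must keep flowing.
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"

    # Name resolution: without DNS the browser never reaches port 80/443 at all.
    printf 'iptables -A %s -p udp --dport 53 -j ACCEPT\n' "$chain"

    # One ACCEPT rule per approved destination port; only NEW connections need it.
    for port in "$@"; do
        printf 'iptables -A %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$chain" "$port"
    done

    # Anything else from this user: log it (so misconfigurations are visible), then drop.
    printf 'iptables -A %s -j LOG --log-prefix "%s-drop: "\n' "$chain" "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"

    # Hook the chain into OUTPUT; only packets generated by this uid enter it.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$user" "$chain"
}

# Example invocation matching the question: Firefox limited to 80 and 443.
build_owner_rules fxuser 80 443
```

Two caveats worth knowing before relying on this: the `owner` match only applies to locally generated packets, so it belongs in OUTPUT, and it keys on the uid, so the browser has to actually run as that account (for example via `sudo -u fxuser firefox`). Restricting destination addresses as the question also asks is a matter of adding `-d <address>` to the per-port ACCEPT rules; the example leaves that out to keep the allow-list readable.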
-
Personal firewalls under Windows frequently do that: allowing connections per process. However, this is mostly very cumbersome to configure. For instance, most personal firewalls ask the user (!) whether a connection for a process, including system processes, is allowed. Even for the power user it is tedious to track down the process and make an educated decision. I once blocked a process, and everything continued to work fine at first. A week later important applications stopped working properly. Took me a couple of hours to find out the cause. To me the whole concept is an epic fail. – countermode Aug 02 '14 at 20:18
-
I always kept the number of internet facing applications to a minimum and used event logger to make sure that everything that needed access had it. After the initial setup, it was fairly easy to maintain. – BKilpat01 Aug 02 '14 at 22:49