Is there any filtering in ufw which works sort of like the Windows firewall? Basically, allowing me not only to create IP/port/proto-based rules, but also to bind such limitations to specific executables within the system.

A deep read of the man page didn't reveal any indication, so I'm supposing it's not possible, but I also noticed an incredible lack of documentation regarding the Python API for ufw, so I'm hoping to find some experienced user who can point me in the right direction.

On which Unix variant? Linux? – Gilles 'SO- stop being evil' Jun 22 '16 at 22:07
1 Answer
When I was looking for something similar, the suggestions seemed to be along the lines of "run the program under a separate user", as you can write per-user iptables rules: http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html.

Having said that, SELinux rules might do what you're looking for: https://serverfault.com/questions/563872/selinux-allow-httpd-to-connect-to-a-specific-port. It sounds like SELinux comes with rules for common binaries and their usual ports, like httpd in the above link. What would be required to write rules for arbitrary binaries and/or lock down all connections that don't satisfy a rule, I don't know, but it could be worth looking at.

Edit: Just a few similar existing questions:
https://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service
One of them points to this: https://sourceforge.net/projects/leopardflower/. If you're looking for something wrapped up in a GUI with most of the fiddly stuff taken care of already, this might fit the bill. I linked to SourceForge rather than the newer GitHub page as SourceForge has a screenshot there to give you an idea of what you're looking at, but you'd probably want to grab the newer version from GitHub rather than the 2.5-year-old version on SourceForge if it looks like what you're after.

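The "run the program under a separate user" approach from the answer above, worked through as an added example (this is not code from the original post or from any of the linked pages). It assumes Linux iptables with the `owner` and `conntrack` match modules, `useradd` from shadow-utils and `runuser` from util-linux; the account name `svcacct`, the chain name `out-<user>` and the `curl` invocation are illustrative choices. The rules are generated as text first so they can be reviewed, and only applied when run as root with `CONFINE_APPLY=1`.

```shell
#!/bin/sh
# Added example: confine outbound traffic of one service account with the
# iptables "owner" match, then run the program under that account.
# Assumes Linux iptables, shadow-utils useradd, util-linux runuser.

# owner_rules USER PROTO:PORT...
# Print the iptables commands that build a per-user OUTPUT policy:
#   - a dedicated chain out-USER
#   - loopback and established/related traffic allowed
#   - new connections allowed only to the listed PROTO:PORT pairs
#   - everything else from that UID rejected
#   - a jump from the head of OUTPUT for packets owned by USER
# Inserting at position 1 matters on a ufw host: ufw's own chains accept
# outgoing traffic by default, so a rule appended at the end would never
# be reached.
owner_rules() {
    user=$1; shift
    chain="out-$user"
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    for spec in "$@"; do
        case $spec in
            tcp:*|udp:*) ;;
            *) printf 'owner_rules: bad spec %s (want tcp:PORT or udp:PORT)\n' "$spec" >&2; return 1 ;;
        esac
        proto=${spec%%:*}
        port=${spec#*:}
        printf 'iptables -A %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$chain" "$proto" "$port"
    done
    printf 'iptables -A %s -j REJECT --reject-with icmp-admin-prohibited\n' "$chain"
    printf 'iptables -I OUTPUT 1 -m owner --uid-owner %s -j %s\n' "$user" "$chain"
}

# confine_user USER PROTO:PORT...
# Create USER as a locked-down system account if missing, then apply the
# rules. Must run as root. Re-running fails at "-N" if the chain already
# exists, which is deliberate: flush and delete it first rather than
# silently stacking duplicate rules.
confine_user() {
    user=$1; shift
    id "$user" >/dev/null 2>&1 ||
        useradd --system --no-create-home --shell /usr/sbin/nologin "$user"
    owner_rules "$user" "$@" | sh -e
}

# run_confined USER CMD [ARGS...]
# Start the program as USER so every socket it opens carries that UID and
# is matched by the owner rule above.
run_confined() {
    user=$1; shift
    runuser -u "$user" -- "$@"
}

# Illustrative account, ports and program (constructed for this example):
# HTTPS plus UDP DNS, because a program that resolves hostnames needs
# port 53 even if it only ever talks to port 443.
if [ "${CONFINE_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    confine_user svcacct tcp:443 udp:53
    run_confined svcacct /usr/bin/curl -sS https://example.com/
else
    # Dry run: show the plan without touching the firewall.
    owner_rules svcacct tcp:443 udp:53
fi
```

Two caveats a practitioner should keep in mind. First, this is a per-UID policy, not a per-executable one: anything else started as `svcacct` inherits the same restrictions, and the same binary run as another user is not restricted at all, which is exactly the gap the question is about. Second, ufw knows nothing about rules added this way; to keep them across reboots and ufw's own reloads, put the equivalent lines into `/etc/ufw/before.rules` (in its `*filter` section, targeting the `ufw-before-output` chain that file defines) instead of running `iptables` by hand. On an SELinux host the analogous knobs for the httpd-style approach in the linked Server Fault question are `semanage port` and `setsebool`, which bind a labelled process type to ports rather than a UID.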