Linked by Thom Holwerda on Fri 20th Mar 2009 22:01 UTC, submitted by diegocg
The Netfilter development team's Patrick McHardy has released an alpha version of nftables, a new firewall implementation for the Linux kernel, with a user space tool for controlling the firewall. nftables introduces a fundamental distinction between the user space defined rules and network objects in the kernel: the kernel component works with generic data such as IP addresses, ports and protocols and provides some generic operations for comparing the values of a packet with constants or for discarding a packet.
WereCatf
Member since: 2006-02-15

Iptables cannot identify applications, but you can filter based on pid and gid so there's something to play with.

You could set a daemon to dynamically add/delete rules using pids from running processes that match a list of allowed applications, or you could create a group for allowed applications and set them to always run with that gid.


First of all, polling for stuff is a poor way to do anything. It just results in needless overhead.

Secondly, if you first set the system to disallow all traffic and then used a script/daemon similar to what you described, you'd have to edit it every time you want to allow a new application access. And it's not very user-friendly, now is it? ;)

Anyway, I think it would be useful if the firewall provided hooks for userland applications to attach to so they can be notified when a previously unconfigured application tries to open a network connection. I have no doubt people would find a whole lot of use for that.

Score: 2
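The group-based approach discussed in the comment above, as an added example that is not part of the original thread: a shell function that emits an `iptables-restore` ruleset denying outbound traffic by default, allowing only sockets owned by one group, and sending everything else to NFLOG so a userland listener can see which traffic was refused. The group name `netallowed` and NFLOG group `5` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: default-deny egress with a single allowed group.
# "netallowed" and NFLOG group 5 are assumed names, not from the page.

gen_egress_rules() {
    group=$1
    # Accept only a plain group name so the value cannot carry extra
    # iptables options into the generated rule line.
    case $group in
        ''|*[!a-z0-9_-]*) echo "invalid group name" >&2; return 1 ;;
    esac
    # The owner match applies to locally generated packets (OUTPUT chain)
    # and compares the gid that owns the socket, so allowed programs must
    # actually run with that gid (for example via sg or a setgid wrapper).
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --gid-owner $group -j ACCEPT
-A OUTPUT -j NFLOG --nflog-group 5 --nflog-prefix "egress-denied "
COMMIT
EOF
}

# When called with a group name, print the ruleset so it can be checked:
#   sh egress.sh netallowed | iptables-restore --test
if [ "$#" -gt 0 ]; then gen_egress_rules "$1"; fi
```

Packets that reach the NFLOG rule are then dropped by the chain policy, so the log stream lists exactly the traffic from programs that have not been placed in the allowed group.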