Linked by Thom Holwerda on Fri 20th Mar 2009 22:01 UTC, submitted by diegocg
Thread beginning with comment 354319
RE[2]: application-based filtering
by msundman on Sat 21st Mar 2009 15:04
in reply to "RE: application-based filtering"
Yes, all of this can be done with firewall rules. Basically instead of the application name, you need the IP addresses and ports it is using and perform redirection.
Huh? How could that be enough if I want to let application A communicate with host X while at the same time I don't want to let application B communicate with host X? If I create a firewall rule disallowing communication with host X (all ports in and out) then neither A nor B can communicate with X. If I open up some ports in or out then both A and B could use those ports when making/accepting a connection.
Edited 2009-03-21 15:05 UTC
RE[3]: application-based filtering
by DrillSgt on Sat 21st Mar 2009 15:55
in reply to "RE[2]: application-based filtering"
Huh? How could that be enough if I want to let application A communicate with host X while at the same time I don't want to let application B communicate with host X? If I create a firewall rule disallowing communication with host X (all ports in and out) then neither A nor B can communicate with X. If I open up some ports in or out then both A and B could use those ports when making/accepting a connection.
Well, maybe I misunderstood what you are trying to do? Applications use specific ports generally, not just any old port they find. Firewalls have destination and source IPs that you can set to make an application only communicate with certain IP addresses. This is done all the time in firewalls. You would need the IPs of both the source and destination machines. If you wanted 3 machines for example to be allowed to connect to application A running on a machine, then you would need 6 rules in the firewall to allow them. You would not just, as you indicate, block or open ports indiscriminately. It is all in the firewall rules. Firewalls are not strictly an allow or disallow service, and can be configured to do whatever you want them to. Even the basic Windows firewall has this functionality, if you learn how to use it.