Linked by Thom Holwerda on Fri 20th Mar 2009 22:01 UTC, submitted by diegocg
Linux The Netfilter development team's Patrick McHardy has released an alpha version of nftables, a new firewall implementation for the Linux kernel, with a user space tool for controlling the firewall. nftables introduces a fundamental distinction between the user space defined rules and network objects in the kernel: the kernel component works with generic data such as IP addresses, ports and protocols and provides some generic operations for comparing the values of a packet with constants or for discarding a packet.
Thread beginning with comment 354512
WereCatf Member since:
2006-02-15

Iptables cannot identify applications, but you can filter based on pid and gid so there's something to play with.

You could set a daemon to dynamically add/delete rules using pids from running processes that match a list of allowed applications, or you could create a group for allowed applications and set them to always run with that gid.


First of all, polling for stuff is a poor way to do anything. It just results in needless overhead.

Secondly, if you first set the system to disallow all traffic and then used a script/daemon similar to what you described, you'd have to edit it every time you want to allow a new application access. And it's not very user-friendly, now is it? ;)

Anyway, I think it would be useful if the firewall provided hooks for userland applications to attach to so they can be notified when a previously unconfigured application tries to open a network connection. I have no doubt people would find a whole lot of use for that.

Reply Parent Score: 2

ichi Member since:
2007-03-06

First of all, polling for stuff is a poor way to do anything. It just results in needless overhead.


Sure, the gid method is a whole lot better than polling, although obviously still not optimal.

Secondly, if you first set the system to disallow all traffic and then used a script/daemon similar to what you described, you'd have to edit it every time you want to allow a new application access. And it's not very user-friendly, now is it? ;)


That's why the FSM gave us "front ends" ;) but I'd rather use it to set the apps' group so they can get through.


The point is it can be done, but you have to go out of your way to set it up.
I think it should be possible to implement a front end that takes care of all that.

Reply Parent Score: 2
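The "gid method" both posters refer to, written out as an added example (not code from either poster or from the nftables project): a default-deny egress policy in which only processes running under one group pass the iptables owner match. The group name netallowed and the function names are assumptions; the owner match only sees locally generated packets, which is why everything sits in OUTPUT.

```shell
#!/bin/sh
# Added example: egress control by group id with the iptables "owner" match.
# Assumption: a group named "netallowed" exists (groupadd netallowed).
ALLOWED_GROUP="netallowed"

# Emit the rules rather than run them, so the policy can be reviewed first.
# Order matters: loopback and already-established flows pass, then packets
# whose owning socket belongs to the allowed group, everything else is
# logged with the owning uid (--log-uid) and rejected.
egress_rules() {
    group="${1:-$ALLOWED_GROUP}"
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner ${group} -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "egress-denied: " --log-uid
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Apply the generated rules on a live host (needs root and iptables).
apply_egress_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_egress_rules: run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    egress_rules "$@" | sh -e
}

# Launch an application with the allowed group as its primary gid, so the
# sockets it creates carry that gid and pass the owner match.
# Caveat for the reader: the gid is a coarse identity, not an application
# identity; a root process or anything able to change its own gid is not
# constrained by this policy.
run_allowed() {
    sg "$ALLOWED_GROUP" -c "$*"
}

# Usage (as root): apply_egress_rules; then run_allowed firefox
```

The "egress-denied:" log lines are what a front end of the kind ichi describes would watch to learn that an unlisted application tried to reach the network.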