Alright boys, it's finally time to address the miserable firewall situation in Linux.
Why is there no in-kernel way to make firewall rules on an application basis? We have to rely on external kernel modules to make that happen, and that thing doesn't seem to be packaged for any distro.
What gives? I thought servers especially would profit from per-application rules instead of blanket port blocking for everyone.
How do I protect myself from programs phoning home through port 80 without sacrificing actually using a browser?
And why is a rewrite of iptables (BPF) actually hailed as the second coming of Jesus Christ even though it still doesn't allow per-app rules and brings nothing new to the table?
Thanks for the information. I will try this out too.
Matthew Murphy
sudo ufw enable
Josiah Ross
Nah, that is port based. The GUI is made to mimic Windows firewalls, but it doesn't do any per-app rules.
Josiah Hall
There is in-kernel support. Just compile your kernel with SELinux and use iptables for per-role rules.
Christian Adams
I was wondering why I do not always have an application firewall. Linux guys always told me to use AppArmor or SELinux, but it was not convenient. Windows, Mac and even Android support it, but SHIT Linux did not. Finally a new generation came.
Wyatt Sanchez
>iptables and not nftables
I can't remember why it's better, but I remember it was better when I read about why it was better.
Luis Bennett
Too bad for you, now BPF is the new hotness on the block.
Liam King
iptables -A OUTPUT -m owner --gid-owner <group> -j DROP
subgraph is pointless now that grsec is no longer available
Landon Clark
Kind of a hacky solution. I want to block all ports by default and only allow Plasma to get widgets and Firefox to browse the net. The former wouldn't be possible with this approach, and the latter would work but would miss all integration from the main user account.
Daniel Williams
nftables is the planned replacement for iptables. But as you probably know, adoption rates for that kind of stuff are really slow (it's been in the works for over 10 years now). Though it's part of the kernel as of version 3.1-something.
Colton Cruz
Use a fucking real firewall at the core or edge that does application filtering like a man's firewall: Palo Alto.
Jayden Ross
Meanwhile, Windows has had this feature forever. Stuff like TinyWall is just a frontend to the Windows firewall. I'm hoping systemd saves Linux per-app networking. Lennart already blogged about per-service networking.
Cameron Rodriguez
Linux used to have this too at some point, but it was unmaintained so it got removed.
>running non-free software on your computer.
The reason most Linux distros and smartphones don't ship with firememes or anti-memes is because you shouldn't have to use one.
Use Tails so anything that phones home will just get some random Tor IP. Or just disable networking whilst you want to be offline.
Aaron Thomas
Firewall per application is stupid trash invented by trolls to shill their personal firewalls on Windows.
>be program x, have no internet access
>act like program y which has access
>lmao @ ur firewall
It's time to free yourself from Windowsesque thinking about things. You set up iptables rules and be done. Personal firewalls are a scam.
Joseph Rivera
Everything free as in freedom, friend.
Jaxon Williams
How? You aren't actually thinking that such a firewall will only check for app name? Nobody can pretend to be /usr/bin/bash so long as root isn't compromised.
Ryder Gonzalez
Even then it won't work with SELinux, as you will still be confined.
Liam Green
>use GNU like Windows
>install lots of potentially phoning-home proprietary software
>feels unsafe
>demands better security for malicious applications in his system, installed by himself
Hehehe
>How do I protect myself from programs phoning home through port 80 without sacrificing actually using a browser?
You don't install shit, that is how you protect yourself from shit phoning home.
Ayden Reyes
Do you read the source of every piece of software you use? Why should I trust software just because it's GPL? They do whatever the fuck they want and I want to prevent them from doing actual harm.
Bentley Carter
ufw allow ssh means "allow TCP port 22", not "allow SSH"
Hunter Johnson
>be program x, have no internet access
>act like program y which has access
>lmao @ ur firewall
Kernel namespaces prevent this.
Jayden Hall
Not on windows.
Nathan Reyes
>Why is there no in-kernel way to make firewall rules on an application basis?
cgroups. Now go fuck yourself, you faggot.
So, how does someone tie cgroups into iptables rules and let a daemon present me with notifications that allow me to allow a connection or not? cgroups aren't meant to be used by end users, you buffoon.
Jaxon Wilson
>cgroups aren't meant to be used by end users
They are, you retard. It was Poettering who started that meme because he wanted systemd to be the only writer due to its shitty design.
>how
What a fucking shame search engines haven't been invented yet.
Aiden Wilson
Isn't iptables the kernel firewall? It's included in the kernel source.
Camden Ramirez
It must be garbage then. The JavaScript framework faggots shill their shit with similar words.
Luke Ward
That's still an application firewall. Shit just runs on another device instead.
Brandon Campbell
Almost every distro comes with iptables though.
Aaron Foster
Every Linux comes with an unconfigured iptables.
Evan Gutierrez
I tried openSUSE once and it came with a preconfigured iptables.
Charles Clark
No, the firewall is called netfilter; iptables is just the current userspace interface.
No, Fedora and RHEL ship with a configured firewalld, and (open)SUSE has YaST2-firewall configured by default.