Nagatoro wrote:
> Matt Randolph wrote:
>
>> I've seen related threads here recently, but I think my question is
>> different enough to warrant a new thread.
>>
>> I'm looking for a personal firewall along the lines of the ZoneAlarm
>> product for Windows. I don't want to take the time to teach myself
>
>
> Not an answer but a follow-up question: Is there a firewall for Linux
> that can do application level filtering (probably wrong terms but...),

Please anybody, correct me if I'm wrong, but afaik, this assumption that
there are multiple firewall programs in the first place is incorrect.

There is one. IPtables. All right, two, if you count IPchains, which
IPtables replaced.

> that is, is there a program that can block foo from web access but allow
> it to imap and at the same time allow bar web access? (like most Win*
> firewalls can)

It's all about the ruleset. In this case, it looks like this option is
involved:

   owner
       This module attempts to match various characteristics of the
       packet creator, for locally-generated packets. It is only valid in
       the OUTPUT chain, and even then some packets (such as ICMP ping
       responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the
              given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the
              given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the
              given process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the
              given session group.

       --cmd-owner name
              Matches if the packet was created by a process with the
              given command name. (this option is present only if iptables
              was compiled under a kernel supporting this feature)

Obviously, one would have to read more of man iptables than I did, or
get a GUI front end that handles this more 'intuitively' to actually
write the appropriate rule, but clearly it is possible.

Hope this helps,
Holly

-- 
gentoo-user@g.o mailing list
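As an added example (not code from the thread or from the iptables project), here is the ruleset the scenario above calls for, written with the --uid-owner form of the owner match; the per-process forms (--pid-owner, --sid-owner, --cmd-owner) were dropped from later kernels, so matching is per user, not per program. The account names foo and bar, the port lists and the REJECT target are assumptions.

```shell
#!/bin/sh
# Per-user egress policy with the iptables "owner" match, for the case in
# the thread: user "foo" may use IMAP but not the web, user "bar" may use
# the web. Assumed, not from the post: the account names, the port lists,
# and REJECT rather than DROP for the blocked traffic.
#
# IPT defaults to a dry run that only prints the rules it would add.
# To apply them for real, run as root with IPT=iptables.
IPT="${IPT:-echo iptables}"

# owner_rule USER PORTS TARGET
# One OUTPUT rule matching locally generated TCP packets whose creating
# process runs with the effective uid of USER. The owner match is only
# valid in OUTPUT (there is no known creator for inbound or forwarded
# packets), which is why every rule here lives in that chain.
owner_rule() {
    $IPT -A OUTPUT -m owner --uid-owner "$1" \
        -p tcp -m multiport --dports "$2" -j "$3"
}

# apply_policy: the complete ruleset. Order matters only within a user;
# foo's IMAP ACCEPT and web REJECT do not overlap, so either order works.
apply_policy() {
    # foo: IMAP (plain and over TLS) allowed, web blocked.
    owner_rule foo 143,993 ACCEPT
    owner_rule foo 80,443 REJECT
    # bar: web allowed explicitly (only matters if OUTPUT's default
    # policy is not ACCEPT).
    owner_rule bar 80,443 ACCEPT
}

apply_policy
```

Note that the match is on the uid of the process that created the packet, so it constrains everything foo runs, not one named application as a Windows personal firewall would.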