| 1 |
Nagatoro schreef: |
| 2 |
> Matt Randolph wrote: |
| 3 |
> |
| 4 |
>> I've seen related threads here recently, but I think my question is |
| 5 |
>> different enough to warrant a new thread. |
| 6 |
>> |
| 7 |
>> I'm looking for a personal firewall along the lines of the ZoneAlarm |
| 8 |
>> product for Windows. I don't want to take the time to teach myself |
| 9 |
> |
| 10 |
> |
| 11 |
> Not an answer but a follow up question: Is there a firewall for Linux |
| 12 |
> that can do application level filtering (probably wrong terms but...), |
| 13 |
|
| 14 |
Please anybody, correct me if I'm wrong, but afaik, this assumption that |
| 15 |
there are multiple firewall programs in the first place is incorrect. |
| 16 |
|
| 17 |
There is one. IPtables. All right, two, if you count IPchains, which |
| 18 |
IPtables replaced. |
| 19 |
|
| 20 |
> that is is there a program that can block foo from web access but allow |
| 21 |
> it to imap and at the same time allow bar web access? (like most Win* |
| 22 |
> firewalls can) |
| 23 |
|
| 24 |
It's all about the ruleset. In this case, it looks like this option is |
| 25 |
involved: |
| 26 |
|
| 27 |
owner |
| 28 |
This module attempts to match various characteristics of the |
| 29 |
packet creator, for locally-generated packets. It is only valid in the |
| 30 |
OUTPUT chain, |
| 31 |
and even this some packets (such as ICMP ping responses) may have |
| 32 |
no owner, and hence never match. |
| 33 |
|
| 34 |
--uid-owner userid |
| 35 |
Matches if the packet was created by a process with the |
| 36 |
given effective user id. |
| 37 |
|
| 38 |
--gid-owner groupid |
| 39 |
Matches if the packet was created by a process with the |
| 40 |
given effective group id. |
| 41 |
|
| 42 |
--pid-owner processid |
| 43 |
Matches if the packet was created by a process with the |
| 44 |
given process id. |
| 45 |
|
| 46 |
--sid-owner sessionid |
| 47 |
Matches if the packet was created by a process in the |
| 48 |
given session group. |
| 49 |
|
| 50 |
--cmd-owner name |
| 51 |
Matches if the packet was created by a process with the |
| 52 |
given command name. (this option is present only if iptables was |
| 53 |
compiled under a |
| 54 |
kernel supporting this feature) |
| 55 |
|
| 56 |
|
| 57 |
Obviously, one would have to read more of man iptables than I did, or |
| 58 |
get a GUI front end that handles this more 'intuitively' to actually |
| 59 |
write the appropriate rule, but clearly it is possible. |
| 60 |
|
| 61 |
Hope this helps, |
| 62 |
Holly |
| 63 |
|
| 64 |
-- |
| 65 |
gentoo-user@g.o mailing list |
Archives