# Strict firewall?

## The_Great_Sephiroth

I have a bit of a problem here. In Windows 7 I use Windows Firewall to block all incoming AND outgoing connections, except for applications that I allow. For example, I allow The Elder Scrolls Online launcher and client to create outbound connections on my gaming laptop. Linux, as far as I can tell, does not do application-based firewalls. I can block outgoing easily, but what do I do about programs which use random ports to connect? I assume that programs like Aurora will connect on 80 or 443 and then switch to some random port once connected, but what about other apps? Would I simply allow 80 and 443 outbound and then allow established/related connections?

Before anybody informs me that Linux doesn't have spyware and such like Windows, I know this. I am looking for a way to block anything not approved on domain networks using Linux workstations. For example, Amarok can create multiple connections when starting up to sites like last.fm, but I do not want to deny users access to play their music (file collections). What if it connects on port 80? How do I stop Amarok without stopping Aurora?

Again, this is primarily a learning experience for me. The next thing will be location awareness. I love that in Windows. I block almost everything in "Public" networks (Starbucks, whatever) and allow things like file sharing in "Private" or "Domain" networks.

----------

## Keruskerfuerst

http://www.netfilter.org/projects/iptables/

----------

## Apheus

An application-level firewall is, unfortunately, not possible in Linux without tinkering. The kernel just doesn't have the information per-packet about which application it originates from.

You could activate the "owner match" extension for netfilter in the kernel, run "suspicious" applications as another user using passwordless sudo <user>, and configure the firewall to drop everything from that user.

You could create network namespaces. I don't know how to configure different firewall rules for them. They also need an option in kernel.

I think the way of the future will be sandboxes for applications. With Docker, which uses LXC, which in turn combines chroot, namespaces and control groups, I expect one will be able to configure different firewall rules for different applications. But this is future talk.

----------
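The owner-match approach Apheus describes, as an added example that is not part of the thread: the script emits an iptables-restore fragment whose OUTPUT chain drops everything from a dedicated sandbox UID before the usual 80/443 and established/related allows, so a program started as that user cannot reach the network even on port 80. It assumes iptables with the xt_owner module, root to apply the rules, and a hypothetical unprivileged account named "sandbox".

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iptables with xt_owner,
# root privileges to apply, and a hypothetical account named "sandbox".
SANDBOX_USER="${SANDBOX_USER:-sandbox}"

# Emit the rule set as an iptables-restore fragment so it can be reviewed
# (and tested) before anything is applied to the live firewall.
egress_rules() {
    user="$1"
    cat <<EOF
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
# Traffic from the sandbox user is logged and dropped before any allow rule,
# so a sandboxed program cannot slip out on 80/443 like an allowed one.
-A OUTPUT -m owner --uid-owner ${user} -j LOG --log-prefix "sandbox-egress: "
-A OUTPUT -m owner --uid-owner ${user} -j DROP
# Everyone else: replies to existing flows, DNS, HTTP and HTTPS only.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Load the rules (requires root). Afterwards "sudo -u sandbox amarok" runs
# Amarok with no network at all, while the normal user keeps 80/443.
apply_egress_rules() {
    egress_rules "$SANDBOX_USER" | iptables-restore
}
```

Dropped attempts show up in the kernel log with the "sandbox-egress:" prefix, which is where to look when a sandboxed program stops working.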

