# Firewall to block SOFTWARE

## haarp

Greetings.

First off, yes, I know all about iptables. I also know there exist GUIs for it like Firestarter. That's not what I need here.

This may be only a minor issue on Linux systems, but I'm still curious, especially since I often use Wine:

Is there a software firewall for Linux that does block certain APPS from accessing the web? I'm not talking about ports or services, but binaries. There's plenty of such programs for Windoze, but I've never seen something like that on any Linux platform. I'm beginning to think that this is not even possible/has never been done before.

Does anyone know more about this?

----------

## think4urs11

you can limit network access with iptables based on user- and/or process ID; alternatively you can have a look at l7filter

----------

## haarp

*Think4UrS11 wrote:*

> you can limit network access with iptables based on user- and/or process ID; alternatively you can have a look at l7filter

Yea, l7filter is pretty cool.

PID you say? Now that's a start. Next requirement would be an app that tracks the relationship between PIDs and their corresponding binary and puts a GUI on top of that.

Needless to say, only whitelisting would work in that manner, since newly-started binaries (that are yet to get tracked with their PID) could send off a few packets until the fw gets ahold of them in blacklisting mode.

But it's an interesting start nonetheless, thanks. Question still stands - does anyone know software that does this?

----------

## think4urs11

you can also filter on cmd-owner. With that you can e.g. restrict the user in a way that he can go to internet with firefox but not with thunderbird. But that only checks the name, not the binary itself...

What's missing though is afaik something which creates a 'known-good'-database of applications with checksums over the binaries or alike and creates/enforces fw-rules based on that.

----------

## malern

SELinux will allow you to restrict the network capabilities of specific apps. I don't have any experience with any GUIs for it, so I can't comment on that.

----------

## think4urs11

NuFW might also be interesting to you.

----------

## haarp

Hi, thanks for the info.

I was actually looking for simpler solutions. While both SELinux and NuFW look promising, they require a lot of work being put into setting it up and learning how to use it. Not really something poor haarp wants to do for just simple personal firewall needs :]

*Think4UrS11 wrote:*

> you can also filter on cmd-owner. With that you can e.g. restrict the user in a way that he can go to internet with firefox but not with thunderbird. But that only checks the name, not the binary itself...


How exactly would that work? This and PID both look promising. In the worst case, I could probably hack some whitelisting-fw up in bash (only language I'm fluent in).

Checking binaries for changed checksums shouldn't be hard and comparing PIDs to binary would be pretty easy as well. I'd just have to keep a list with binary, checksum and state (allow/deny), then dynamically check PIDs and modify the iptables rules accordingly...

The hard part would be to determine whether an app -attempted- to connect to the net and pop a message box to the user querying what to do. Maybe this can be done by getting iptables to log unsuccessful connection attempts?

Meh, this is getting out of hand pretty quickly. My knowledge of iptables is extremely limited anyway.

Alternatively, I just found this:

http://tuxguardian.sourceforge.net

Looks very simple, yet promising. Also is in Sunrise repo. On the downside, it hasn't been updated since 2006...opinions?

edit: well, it's dead and won't even work.

----------
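
The following is an added example, not code from this thread or from any of the projects named in it (TuxGuardian, NuFW, l7filter). It sketches the whitelisting firewall haarp describes above (a list of binary, checksum and allow/deny state that drives iptables rules, with blocked attempts logged) using the owner match think4urs11 points to. One caveat on the owner match: `--pid-owner` and `--cmd-owner` were removed from the kernel's owner match in 2.6.14 because matching on PID or command name was racy, so the usable handle today is `--uid-owner` (or `--gid-owner`). The example therefore assumes that each whitelisted application is started under its own unprivileged user (e.g. `sudo -u fw-browser firefox`) and that the whitelist records that uid. The chain name `APPFW`, the whitelist line format `path|sha256|uid|allow|deny`, the uids 1101/1102 and the two stand-in "binaries" are all constructed for this example. The script only prints the iptables commands; applying them (as root) is left to the reader.

```shell
#!/bin/sh
# Added example (not from the thread): a per-application egress whitelist.
# Each whitelist line is:   <binary path>|<expected sha256>|<dedicated uid>|<allow|deny>
# Flow: verify the binary's checksum, then emit OUTPUT rules matching the socket
# owner uid. A changed or missing binary, a "deny" entry, or an unlisted uid is
# logged to the kernel log (dmesg / syslog) and rejected, which is the
# "did this app try to connect?" signal the thread asks for.
set -u

# sha256 hex digest of a file (empty string if unreadable).
file_sha256() {
    sha256sum -- "$1" 2>/dev/null | awk '{print $1}'
}

# verify_entry PATH EXPECTED_SHA256 -> prints ok | changed | missing
# Returns non-zero for anything but "ok", so a replaced binary never gets ACCEPT.
verify_entry() {
    local path=$1 expected=$2 actual
    [ -f "$path" ] || { echo missing; return 1; }
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        echo ok
    else
        echo changed
        return 1
    fi
}

# generate_rules WHITELIST_FILE -> prints iptables commands (applies nothing).
# Only NEW connections are sent through APPFW; established flows pass.
generate_rules() {
    local list=$1 path sum uid state status reason
    echo "iptables -N APPFW 2>/dev/null || iptables -F APPFW"
    echo "iptables -A APPFW -o lo -j ACCEPT"
    while IFS='|' read -r path sum uid state; do
        case $path in ''|\#*) continue ;; esac      # skip blank and comment lines
        status=$(verify_entry "$path" "$sum") || true
        if [ "$status" = ok ] && [ "$state" = allow ]; then
            echo "iptables -A APPFW -m owner --uid-owner $uid -j ACCEPT"
        else
            reason=$status
            [ "$state" = allow ] || reason=denied
            # LOG prefixes are limited to 29 characters; keep binary names short.
            echo "iptables -A APPFW -m owner --uid-owner $uid -j LOG --log-prefix \"APPFW-$reason-$(basename "$path") \""
            echo "iptables -A APPFW -m owner --uid-owner $uid -j REJECT"
        fi
    done < "$list"
    # Default: anything not whitelisted is rate-limited into the log, then rejected.
    echo "iptables -A APPFW -m limit --limit 5/min -j LOG --log-prefix \"APPFW-unlisted \""
    echo "iptables -A APPFW -j REJECT"
    echo "iptables -C OUTPUT -m conntrack --ctstate NEW -j APPFW 2>/dev/null || iptables -I OUTPUT -m conntrack --ctstate NEW -j APPFW"
}

# build_demo_whitelist DIR -> writes two constructed stand-in "binaries" and a
# whitelist into DIR and prints the whitelist path. Purely illustrative data.
build_demo_whitelist() {
    local dir=$1
    printf '#!/bin/sh\necho browser\n' > "$dir/browser"
    printf '#!/bin/sh\necho mailer\n'  > "$dir/mailer"
    {
        echo "# path|sha256|uid|state"
        echo "$dir/browser|$(file_sha256 "$dir/browser")|1101|allow"
        # Deliberately stale checksum: simulates a binary replaced after whitelisting.
        echo "$dir/mailer|0000000000000000000000000000000000000000000000000000000000000000|1102|allow"
    } > "$dir/whitelist"
    echo "$dir/whitelist"
}

# Stand-alone run on the constructed data: prints the rule set, applies nothing.
demo_dir=$(mktemp -d)
generate_rules "$(build_demo_whitelist "$demo_dir")"
rm -rf "$demo_dir"
```

Run as-is it prints an ACCEPT for uid 1101 (browser hash matches), a LOG/REJECT pair tagged `APPFW-changed-mailer` for uid 1102 (hash differs), and the default log-and-reject tail. Re-running the script after an upgrade re-hashes every binary, which is the "known-good database" think4urs11 asks for: a changed binary drops to deny until its entry is updated. The PID race haarp mentions does not arise here because the uid is attached to the socket at creation and the rules are already in place before the app starts.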

