NFTables IPTables-Replacement Queued For Linux 3.13

  • Pallidus
    replied
    Rexilion, in Windows or OS X, where you have a million services and system components dialing home, yes, whitelisting can be problematic and difficult, but in Linux distros it wouldn't be.


    "However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking."

    At least you would have a chance, let's say a legit service gets compromised, to see who it was dialing to.

    I maintain that Little Snitch is one of the best firewalls I've seen, and it allows you to define rules like "app x can only dial to IP y via port z once".


  • Rexilion
    replied
    Originally posted by tesfabpel:
    Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by the port too)?
    :P

    It's not listed at 'Main features'. If I remember correctly, firewall developers mentioned that this should be handled in userspace, i.e. some LD_PRELOAD library that catches connect() calls and matches them against a list of allowed/blocked connection characteristics. Which, in my opinion, is a sane thing to do (i.e. let userspace handle userspace).

    However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking. Most Linux defense mechanisms (PaX, SELinux) are geared to not get infected in the first place (or to mitigate it) so you won't need these kinds of 'safety measures'.

    Back on topic: This looks really nice, the kernel side will be a lot smaller now that protocol specific handling will move to userspace.

    I just really hope I won't have to rewrite my rules; I spent ages on the current ones.
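    Here is what the userspace approach Rexilion describes (and the per-app rule style Pallidus attributes to Little Snitch) looks like in practice: an LD_PRELOAD shim that interposes connect() and only lets a process reach destinations on an allow-list. This is an added illustration, not code from any poster here nor from the nftables/netfilter project. The rule table (192.0.2.10:443 and anything on loopback) is a constructed sample policy, and `egress_allowed`, `egress_allowed_v4` and the `egress_rule` struct are names chosen for this example.

```c
/* egress_shim.c: userspace per-program egress allow-list via LD_PRELOAD.
 * Build: gcc -shared -fPIC -o libegress.so egress_shim.c -ldl
 * Run:   LD_PRELOAD=./libegress.so ./some_dynamically_linked_program
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* One allow-list entry: IPv4 destination plus port; port 0 means "any port". */
struct egress_rule {
    const char *ip;
    uint16_t    port;
};

/* Constructed sample policy (an assumption for this example, not a real
 * deployment): the program may reach 192.0.2.10 on 443 only, plus loopback. */
static const struct egress_rule ALLOW[] = {
    { "192.0.2.10", 443 },
    { "127.0.0.1",    0 },
};
#define ALLOW_LEN (sizeof ALLOW / sizeof ALLOW[0])

/* Policy decision: 1 = permit, 0 = deny. Fails closed on anything it cannot
 * parse. Unix-domain sockets are local IPC, not network egress, so they pass;
 * IPv6 is not covered by this sample policy and is therefore denied. */
int egress_allowed(const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL)
        return 0;
    if (addr->sa_family == AF_UNIX)
        return 1;
    if (addr->sa_family != AF_INET || len < (socklen_t)sizeof(struct sockaddr_in))
        return 0;

    const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
    uint16_t port = ntohs(in->sin_port);

    for (size_t i = 0; i < ALLOW_LEN; i++) {
        struct in_addr rule_ip;
        if (inet_pton(AF_INET, ALLOW[i].ip, &rule_ip) != 1)
            continue;                       /* malformed rule: skip, never permit */
        if (rule_ip.s_addr == in->sin_addr.s_addr &&
            (ALLOW[i].port == 0 || ALLOW[i].port == port))
            return 1;
    }
    return 0;
}

/* Convenience wrapper: evaluate the policy for a dotted-quad IPv4 + port. */
int egress_allowed_v4(const char *ip, uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port   = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return 0;
    return egress_allowed((const struct sockaddr *)&sin, sizeof sin);
}

/* Interposed connect(): consult the policy, then hand off to libc's connect().
 * RTLD_NEXT resolves "connect" in the next object after this library in the
 * lookup order, i.e. the real implementation in libc. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (real_connect == NULL)
        real_connect = (int (*)(int, const struct sockaddr *, socklen_t))
                       dlsym(RTLD_NEXT, "connect");
    if (real_connect == NULL) {             /* cannot find libc's connect: fail closed */
        errno = EACCES;
        return -1;
    }

    if (!egress_allowed(addr, len)) {
        char ip[INET_ADDRSTRLEN] = "?";
        uint16_t port = 0;
        if (addr && addr->sa_family == AF_INET) {
            const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
            inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip);
            port = ntohs(in->sin_port);
        }
        fprintf(stderr, "egress shim: blocked connect() to %s:%u\n", ip, port);
        errno = EACCES;                     /* surface as a permission error */
        return -1;
    }
    return real_connect(fd, addr, len);
}
```

    The shim also shows why the thread is skeptical of this as a security boundary: it only governs dynamically linked programs that reach the network through libc's connect() with the preload still in their environment, it says nothing about UDP sendto() or raw sockets, and it is a library loaded into the same process it is supposed to police. It is useful for seeing what a program dials out to, in the spirit of Pallidus's "at least you would have a chance" argument, but an enforcement point that the process cannot unload has to live in the kernel.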


  • tesfabpel
    replied
    Per-program rules

    Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by the port too)?
    :P


  • RealNC
    replied
    It's still tables though, right? :-P



  • RahulSundaram
    replied
    Originally posted by iniudan:
    Front-end then, sorry for my mistake in terminology.

    Yeah. The front-end here abstracts away the kernel implementation details. It doesn't matter to end users whether it is netfilter or nftables. They would at the minimum get the same functionality, perhaps with better performance.


  • iniudan
    replied
    Originally posted by dimko:
    iptables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.

    Front-end then, sorry for my mistake in terminology.


  • dimko
    replied
    No idea what you're talking about.

    Originally posted by iniudan:
    Wonder how that will affect Fedora FirewallD, as, from the little I came to use it in the CLI, it seemed much better than the old iptables daemons.

    iptables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.


  • iniudan
    replied
    Wonder how that will affect Fedora FirewallD, as, from the little I came to use it in the CLI, it seemed much better than the old iptables daemons.


  • phoronix
    started a topic NFTables IPTables-Replacement Queued For Linux 3.13

    NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel...
