Rexillion, in Windows or OS X, where you have a million services and system components dialing home, yes, whitelisting can be problematic and difficult, but in Linux distros it wouldn't be.
"However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus serving thingy... Furthermore, when I reinstall Windows on friends/relatives computer I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking."
At least you would have a chance, let's say a legit service gets compromised, to see who it was dialing to.
I maintain that Little Snitch is one of the best firewalls I've seen and it allows you to define rules like app x can only dial to ip y via port z once.
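An added example (not from this thread or the nftables project) of how a rule like "app x can only dial to ip y via port z" is approximated on Linux: nftables does not match on the executable, but it can match the uid that owns the socket, so the program is run under a dedicated user and that user's outbound traffic is pinned to one destination. The user name "updater", the address 192.0.2.10 and port 443 are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: restrict outbound traffic of one service user to a single destination.
# Assumes the program is started as the dedicated user "updater" (constructed name).
table inet appfilter {
    chain output {
        type filter hook output priority 0; policy accept;

        # Sockets owned by "updater" may only reach 192.0.2.10:443 (constructed values).
        meta skuid "updater" ip daddr 192.0.2.10 tcp dport 443 accept

        # Anything else this user originates is logged and dropped, so an
        # unexpected dial-home from that service shows up in the kernel log.
        meta skuid "updater" log prefix "appfilter drop: " drop
    }
}
```

Load it as root with `nft -f`. The match is on the owning uid, not the binary, so the objection raised in this thread still applies: any code running as that user, including a compromised library, inherits the same allowance.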
NFTables IPTables-Replacement Queued For Linux 3.13
Originally posted by tesfabpel: "Will finally be possible with nftables to block certain programs to send or receive from the net (optionally filtered by the port too)? :P"
However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus serving thingy... Furthermore, when I reinstall Windows on friends/relatives computer I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking. Most Linux defense mechanisms (PaX, SELinux) are geared to not get infected in the first place (or mitigate it) so you won't need these kinds of 'safety measures'.
Back on topic: This looks really nice, the kernel side will be a lot smaller now that protocol specific handling will move to userspace.
I just really hope I won't have to rewrite my rules, I spent ages on the current ones.
Per-program rules
Will finally be possible with nftables to block certain programs to send or receive from the net (optionally filtered by the port too)?
:P
Originally posted by iniudan: "Front-end then, sorry for my mistake in terminology."
No idea what you're talking about
Originally posted by iniudan: "Wonder how that will affect Fedora FirewallD, as from the little I came to use it in the CLI, it seemed much better than the old iptables daemons."
Wonder how that will affect Fedora FirewallD, as from the little I came to use it in the CLI, it seemed much better than the old iptables daemons.
Phoronix: NFTables IPTables-Replacement Queued For Linux 3.13
NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel...