Some personal firewalls on Windows use checksums for every application trying to access the network device. Yesterday I upgraded mIRC and got a warning about this. iptables, unfortunately, doesn't provide such functionality out of the box. Luckily, it has an open API and extends well via the kernel module facility. What you speak about has a different name: "content filtering".
Andriy Bilous
-system administration-
CCNA, CCNP Certified

dcs DILLON COMMUNICATION SYSTEMS GmbH & Co. KG
Weidestraße 122 b
D-22083 Hamburg
phone +49 40 27 83 82 184
fax +49 40 27 83 82 999
mailto:[EMAIL PROTECTED]
http://www.sabre-merlin.de

> -----Original Message-----
> From: John Leach [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 17, 2003 3:44 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Application level firewall
>
> I think calling it "application level firewalling" is complicating the
> matter.
>
> I *think* that you want to be able to restrict what connections a
> process makes from the machine it's running on (like Zone Alarm does
> with the little pop-ups "porn.exe wants to connect to
> www.worldshariestgirlsoncrack.com with your credit-card details, you
> sure?").
>
> I'm not sure about a nice socially engineerable GUI pop-up, but
> Netfilter allows you to restrict these connections using the OUTPUT
> chain on the FILTER table. Combined with the owner matcher you can
> achieve what you need.
>
> iptables -t filter -P OUTPUT DROP (drop by default)
> iptables -t filter -A OUTPUT -p tcp --dport 80 -d 208.185.174.44 -m owner --cmd-owner webbrowser -j ACCEPT
>
> Obviously an attacker could rename their process to get the same access,
> so this isn't perfect, but I expect ZoneAlarm has the same issue. You
> can limit by owner uid too (--uid-owner), which is handy for ensuring
> your DNS server can only do DNS lookups and your SMTP server can only do
> all the crazy things BIND does nowadays (assuming they are running as
> separate users).
>
> "Application layer firewalling" is a different matter (is this TCP port
> 1433 packet REALLY an SQL Server connection? Are they submitting a
> query I don't like? What the hell are they thinking connecting this to
> the Internet? Is this thread actually on topic?)
>
> I wonder if someone has invented a mailing list topic firewall.
>
> listtables -t filter -s [EMAIL PROTECTED] -s "full disclosure" -s ! "porno" -j ACCEPT
>
> John.
>
> On Fri, 2003-10-17 at 13:02, Jason Freidman wrote:
> > Is there any sort of application level firewall for Linux? Something
> > like Zone Alarm where you can trust an application? I think that
> > OpenBSD has something that allows you to choose which system calls a
> > program can run.
> >
> > The idea would be to restrict a bind call and connect call using kernel
> > modules unless the program is in a config file. It would make it easier
> > (I would think) to lock down a computer for outgoing connections as well
> > as add a new layer of security.
> --
> GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
> HTTP: http://www.johnleach.co.uk
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
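The uid-based variant of the rule set John sketches above, as an added example that is not part of the thread: a small POSIX shell generator for a default-deny OUTPUT chain in which only the DNS daemon's uid may reach port 53 and only the MTA's uid may reach port 25. The uid values, the `NAMED_UID`/`SMTP_UID` variables and the helper functions are assumptions for illustration. It uses only `--uid-owner`, because the `--cmd-owner` match shown in the quoted rule was dropped from the kernel's owner match in 2.6.14; uid and gid matching are what remain. Two caveats a practitioner wants here: the owner match only sees locally generated packets (it is valid in OUTPUT and POSTROUTING only), and with a DROP policy on OUTPUT you must explicitly allow ESTABLISHED,RELATED traffic, or replies from your own inbound services (sshd, for one) are silently dropped.

```shell
#!/bin/sh
# Per-uid egress policy generator for netfilter (illustrative helper, not from the thread).
# Prints the iptables commands; run with "apply" as the first argument to execute them (root).
# The uids are placeholders for this example; on a real host use the daemons' real uids.

NAMED_UID="${NAMED_UID:-101}"   # assumed uid the DNS daemon runs as
SMTP_UID="${SMTP_UID:-102}"     # assumed uid the MTA runs as

# egress_rules DNS_UID SMTP_UID
# Emits a default-deny OUTPUT policy where only DNS_UID may talk DNS and
# only SMTP_UID may talk SMTP. Everything else locally generated is logged
# (rate-limited) and then dropped by the chain policy.
egress_rules() {
    dns_uid="$1"
    smtp_uid="$2"
    cat <<EOF
iptables -t filter -P OUTPUT DROP
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -m owner --uid-owner $dns_uid -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -m owner --uid-owner $dns_uid -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $smtp_uid -j ACCEPT
iptables -t filter -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "
EOF
}

# count_uid_rules DNS_UID SMTP_UID
# Number of ACCEPT rules that are bound to a uid; a quick sanity check that
# no rule accidentally accepts traffic for every process.
count_uid_rules() {
    egress_rules "$1" "$2" | grep -c -- '--uid-owner'
}

# has_policy_drop DNS_UID SMTP_UID
# Succeeds only if the generated policy starts from default deny.
has_policy_drop() {
    egress_rules "$1" "$2" | grep -q -- '-P OUTPUT DROP'
}

case "${1:-print}" in
    apply) egress_rules "$NAMED_UID" "$SMTP_UID" | sh -e ;;   # needs root and netfilter
    *)     egress_rules "$NAMED_UID" "$SMTP_UID" ;;
esac
```

The ESTABLISHED,RELATED rule sits before the uid rules so that replies to inbound connections are accepted regardless of which uid answers them; the uid rules therefore only govern new outbound connections, which is the property the thread is after.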
