begin quoting James G. Sack (jim) as of Fri, Sep 14, 2007 at 12:09:29PM -0700:
> Stewart Stremler wrote:
[snip]
> > OS X has a per-application outgoing firewall application available for
> > it (Lil' Snitch) ... does linux have this functionality yet?
> 
> per-application? How would that work..

There's a table of <application> <destination ips> <destination ports> <action>
maintained by the application. Action can be deny or allow, and wildcards
can be used to handle varying degrees of trust.

> ..I guess maybe the firewall on the client itself, would check the
> process owning each outgoing packet? would that be a significant
> performance hit?

I believe it wedges a hook into the open() -- when an application
opens a socket, the tool checks against its list of allowed and
disallowed connections; if it can't find a match, it pops up a
dialog box.  If the dialog box is ignored long enough, it aborts
the pending open() call.

A program that does a ton of open() invocations is probably really
inefficient anyway.  The only noticeable drag on performance is that
some applications really don't like having open() stall for that long,
and others will outright fail if the open() does not succeed.

I think this is an important enough feature that it should be standard.
If done right.

I think I've seen something on an M$ box that filled this checkbox, but
like all things M$, it did it in such a way so as to be annoying and
fundamentally useless.  That doesn't invalidate the general principle,
thank goodness.

Of course, it only tells me *what* application is trying to connect to
*what* machine.  I don't know what it's actually _doing_ with that
connection.  (And if it's encrypted, then even tcpdump won't help.)

-- 
My computer. My network. My data. Who are you to take control from me?
Stewart Stremler
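
The rule table described in the reply above (<application> <destination ips> <destination ports> <action>, with wildcards and a prompt when nothing matches), written out as an added Python example; this is not code from the thread or from Little Snitch, and the rule syntax, first-match semantics and the "ask" default are assumptions made for illustration:

```python
# Added example: a toy per-application egress policy table of the shape
# discussed in the thread. Rule syntax, wildcard handling and the
# "no match -> ask the user" default are assumptions, not any real tool's format.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    app: str     # executable name, or "*" for any application
    net: str     # CIDR such as "10.0.0.0/8", or "*" for any address
    ports: str   # "443", "8000-8100", or "*" for any port
    action: str  # "allow" or "deny"


def _port_ok(spec: str, port: int) -> bool:
    # Accepts a single port, an inclusive "lo-hi" range, or "*".
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _net_ok(spec: str, ip: str) -> bool:
    # "*" matches anything; otherwise test CIDR membership (IPv4 or IPv6).
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def decide(rules, app: str, ip: str, port: int) -> str:
    """First matching rule wins. A connection no rule covers is escalated
    to the user ("ask"); a caller that times out on "ask" should treat it as deny."""
    for r in rules:
        if r.app in ("*", app) and _net_ok(r.net, ip) and _port_ok(r.ports, port):
            return r.action
    return "ask"


# Constructed sample policy: the package manager may reach one mirror on port 80
# and nothing else; any app may talk to the internal network; all else is asked.
# Specific per-app rules are listed before wildcard rules so they win.
POLICY = [
    Rule("apt-get", "192.0.2.0/24", "80", "allow"),
    Rule("apt-get", "*", "*", "deny"),
    Rule("*", "10.0.0.0/8", "*", "allow"),
]

if __name__ == "__main__":
    for app, ip, port in [("apt-get", "192.0.2.10", 80), ("apt-get", "203.0.113.5", 443),
                          ("firefox", "10.1.2.3", 8080), ("firefox", "203.0.113.5", 443)]:
        print(f"{app:8} -> {ip}:{port:<5} {decide(POLICY, app, ip, port)}")
```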


-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list