Thaths wrote:
> On 10/31/05, Sukrit <[EMAIL PROTECTED]> wrote:
>> I want to filter based on name of process, i.e. I want to block all
>> traffic and allow only traffic going from firefox to remote port 80.
>> I know you make rules based on process id - can I make sure a process
>> always runs with a particular process id?
>
> iptables does not allow filtering based on the application that
> created the tcp/ip packet. And with good reason. There is absolutely
> no reason why the name of the application should be embedded in all
> tcp/ip packets. Furthermore, the http spoken by firefox should be
> transparent from that spoken by, say, opera. IMO, draconian
> restrictions like this are not very productive in the longer run.
> If you really want to be the dictator, maybe what you can do is not
> install other applications for your users in the first place.

Hahaha, relax Thaths! I'm my laptop's dictator :D I'm my only user, I'm
my lord.

But seriously the point is, call me paranoid, but I don't want *any*
traffic other than the intended. I know name of application isn't
embedded in a TCP/IP packet, I further know that you can filter packets
based on process id from iptables. I'm looking for a hack.

OTOH, tell me is the above approach pointless? Should I just block all
ports, then open port 80, 443 etc. Also, there is some way to stop
people from initiating connection from remote end, I think one would
have to block all ACK/SYN/Whatever TCP replies, right?

Generally what kind of rules should average Swaminathan have?

Cheers
S
--
PS Some LI* legend - you were the one working for Netscape until they
had to shut shop, serving LI* from your home comp, right?
_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
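
One way to approximate the per-application filter asked about in this thread, as an added example that is not part of the original messages: run the browser under a dedicated account and match its traffic with the iptables `owner` match (`--uid-owner`), on top of default-drop policies and a connection-tracking rule so that remote hosts cannot initiate connections. The function name `gen_rules` and the `browser` account are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that drops everything
# except web traffic created by one dedicated local account.
# Assumption: the browser runs as its own user (hypothetical "browser").
gen_rules() {
    uid=$1
    # Accept a numeric uid only, so nothing else can end up in a rule.
    case $uid in
        ''|*[!0-9]*) echo "gen_rules: numeric uid required" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic stays open in both directions.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened are accepted; an unsolicited
# inbound SYN matches nothing and falls through to the DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS lookups made by the browser account (assumes it queries the
# resolver directly rather than through a local caching daemon).
-A OUTPUT -p udp --dport 53 -m owner --uid-owner $uid -j ACCEPT
# New outbound HTTP/HTTPS connections, only from the browser account.
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $uid -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Dry run as root; --test parses the ruleset without committing it:
#   gen_rules "$(id -u browser)" | iptables-restore --test
# IPv6 is filtered separately and needs its own ruleset (ip6tables-restore).
```

The owner match works only in the OUTPUT and POSTROUTING chains, because only locally generated packets have an owning socket.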