You can set the default policy:

iptables -P OUTPUT DROP

Or on RedHat systems, change /etc/sysconfig/iptables like so:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

Jason

On Jan 23, 2008 10:12 AM, Chris Carey <[EMAIL PROTECTED]> wrote:
> On Jan 23, 2008 9:23 AM, Jason Edwards <[EMAIL PROTECTED]> wrote:
> > Sorry, I assumed Chris would be looking for a graphical tool to manage
> > his firewall policies. If you can handle it, iptables on the command
> > line is absolutely the way to go.
> >
> > But for somebody coming from Windows, using Comodo (a GUI), I think
> > opening a terminal and typing an iptables command may be a little
> > intimidating. If you just want really basic rules, and don't know
> > iptables, Firestarter would be a good way to go.
>
> I am very familiar with writing iptables firewalls by hand. This isn't
> really what I'm looking for though. I am looking for something
> specifically that could limit on a per-application basis, which I feel
> is a very powerful security feature.
>
> This is very useful in the situation where a non-root account gets
> violated. The intruder would attempt to launch some custom-made ssh
> brute force script, or add your machine into an IRC botnet. It would be
> great if the network connection attempt was denied, logged to a file.
> The root user would review that file, have the ability to allow (or
> deny) permission to that application from having network access.
>
> Most (not all) iptables firewalls are configured with the OUTPUT chain
> default to ACCEPT. I guess what I'm getting at is that it would be
> nice if you could set that OUTPUT chain to DENY by default, but log
> and allow outbound access on a per-application basis. Currently, if I
> open outbound port 80, then any software, trusted or malicious, could
> use that hole.
>
> It seems SELinux may solve the second part of my question - limiting
> what the executables can do on the file system.
>
> --Chris
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
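Putting Jason's default-DROP policy together with what Chris asked for (deny outbound by default, log each denied attempt so root can review it, then open outbound access selectively), here is an added example that is not part of the PLUG thread. It is a small POSIX sh script that generates a complete ruleset in the /etc/sysconfig/iptables (iptables-restore) format. One caveat it builds in: iptables has no per-executable match (the old --cmd-owner option was removed from the kernel years ago), so the closest it gets to "per application" is the owner match on the UID of the sending process. The practical pattern is therefore to run each network-capable program under its own account and whitelist that account. The chain name OUT_LOGDROP and the UIDs 1001/1002 used in the usage line are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): emit an iptables-restore ruleset
# that sets the OUTPUT chain policy to DROP, logs every denied outbound
# connection attempt together with the UID that made it, and allows NEW
# outbound connections only for the numeric UIDs passed as arguments.
#
# iptables matches on UID/GID, not on the executable, so "per application"
# here means "per dedicated service account" (assumption: each application
# that needs the network runs under its own UID).

gen_ruleset() {
    # Header: default DROP policies plus a dedicated log-and-drop chain
    # (OUT_LOGDROP is a name chosen for this example).
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:OUT_LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One ACCEPT rule per allowed UID. Only NEW connections need matching;
    # replies are already covered by the ESTABLISHED,RELATED rule above.
    for uid in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: rate-limited LOG (--log-uid records which account
    # tried, which is what root needs when reviewing the log), then DROP.
    cat <<'EOF'
-A OUTPUT -j OUT_LOGDROP
-A OUT_LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT DENIED: " --log-uid
-A OUT_LOGDROP -j DROP
COMMIT
EOF
}

# Usage (run as root on the target host):
#   sh outbound-policy.sh 1001 1002 > /etc/sysconfig/iptables
# or load it directly:
#   sh outbound-policy.sh 1001 1002 | iptables-restore
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Denied attempts show up in the kernel log (dmesg, or /var/log/messages on a RedHat-style box) as lines prefixed "OUTPUT DENIED: " with a UID= field, which is the file Chris wants root to review. To grant an application access afterwards, add its service account's UID to the argument list and reload; the rate limit on the LOG rule keeps a looping brute-force script from flooding the log. Note that with INPUT also defaulting to DROP, as in Jason's fragment, you will need to add your own inbound ACCEPT rules (for example for ssh) before loading this on a remote machine.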
