[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: creating rules regarding to a command name

[I just subscribed to debian-firewall, so I used the reply-to link on lists.debian.org/... to reply]

> IIRC, the Linux NetFilter and networking developers also consider it to
> be a losing proposition to match on this sort of information, so you can
> probably expect it to eventually go away. :/

Command-matching is unfortunately going away. But there is going to be a replacement:
James Morris's patches will allow you to filter based on SELinux security context.
It  allows matching on socket owner based on uid, and gid not related to SELinux 
(this wasn't previously possible for incoming packets).

If you want command-matching, i.e. matching based on the executable that receives/sends packets, then you'd have
to use SELinux.

There is however another (easier) solution too I'm working on currently. There is a firewall that does application-matching,
called fireflier (fireflier.sourceforge.net). It used to do this in userspace, however there is a flaw in that.
Therefore I started implementing a kernel module that will work with James Morris's patches.

See: http://fireflier.isgeeky.com/wiki/Kernel_module for details on the progress. It will take around 3-4 months for 
the kernel module to be ready, and usable.

In the mean-time you could give fireflier a try, and see if it can do what you want. It can't however (currently) 
mark packets. It can only allow/deny based on the command.

P.S.: Fireflier is the only solution (unless you want to set up SELinux) to this problem now that ipt_owner 
command-match support is gone. And I'm saying this just because I am a fireflier developer :).


Reply to: