
Re: Introductory reading on firewall/iptables/etc for new Debian user?

On 04/23/2013 11:06 AM, Richard Owlett wrote:
> Dan Ritter wrote:
>> On Tue, Apr 23, 2013 at 09:28:17AM -0500, Richard Owlett wrote:
>>> I will be using email, Usenet, browser and occasionally file
>>> downloading.
>>> Nothing on my system should look/act like a server.
>>> I want all programs to access the internet after explicitly asking
>>> for permission.
>>> The response to the request may be:
>>> No
>>> Always YES
>>> Ask each occurrence
>>
>> Programs don't generally ask for permissions; they assume that
>> they are connected, and report failures when they can't make
>> connections.
>>
>> I suppose that you could write a wrapper script for every
>> program, so that if you invoke it through the wrapper you have
>> opened the necessary ports, and if you invoke the program
>> without the wrapper the connections are dropped. However, while
>> the wrapper is being run, any copy of the program could have
>> the same permissions.
>>
>> On Android systems, this issue is slightly addressed (though not
>> in the manner you want) by having a new user added for every
>> program, and running each program under that user-id. Since
>> iptables can look at effective user-id when making packet
>> accept/drop decisions, you can do per-program firewalls that
>> way.
>>
>> By the way, you have an unusually brusque way of stating
>> conditions rather than asking questions, which comes across as
>> slightly rude.
>>
>> -dsr-
>
> Apologies, I've just been chastised by relatives and friends for going
> in the other direction.
> I was trying to make clear I want only minimal connectivity.
> As to the per-program feature, I want to prevent an app from deciding to
> update on its schedule, not mine. I'm restricted to dial-up, so I need to
> be able to ration a scarce resource, i.e. connectivity.


The only package that upgrades automatically, that I know of, is cron-apt,
so don't install that.

When I was on dial-up I tried a number of firewalls and found that
arno-iptables-firewall was the best for me. So much so that I am still using it
now on Verizon 3G. YMMV.

HTH
--
WT
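Dan Ritter's per-user-id suggestion in the quoted reply, worked through as an added example (this is not code from the thread or from any of the posters). It assumes one dedicated unprivileged account per program (hypothetical names such as net-browser and net-mail), that the dial-up link is ppp0, that the iptables owner match (-m owner) is available, and that the rules are applied with sudo. The OUTPUT chain policy is DROP, so only processes whose effective uid has an ACCEPT rule can send on the link; everything else is logged and dropped. The wrapper at the end prompts once per invocation, which is the "ask each occurrence" behaviour Richard asked for, subject to the caveat Dan raised: while the rule is in place, any other process running as that uid can use the link too.

```shell
#!/bin/sh
# Added example: per-program egress control via iptables' owner match.
# Assumptions (hypothetical, not from the thread): one unix user per
# program, dial-up interface ppp0, rules applied with sudo.

WAN_IF=ppp0   # assumed name of the dial-up interface

# One ACCEPT rule keyed on the effective uid of the sending process.
# -m owner is only valid in the OUTPUT and POSTROUTING chains.
rule_for_user() {
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j ACCEPT\n' \
        "$WAN_IF" "$1"
}

# Emit the whole OUTPUT ruleset for the users given as arguments.
# Order matters: flush, set DROP policy, allow loopback, allow each
# dedicated user, then log whatever is left before the policy drops it.
generate_ruleset() {
    printf 'iptables -F OUTPUT\n'
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    for u in "$@"; do
        rule_for_user "$u"
    done
    printf 'iptables -A OUTPUT -o %s -j LOG --log-prefix "egress-denied: "\n' \
        "$WAN_IF"
}

# Number of iptables commands the ruleset contains (useful for a sanity check).
count_rules() {
    generate_ruleset "$@" | wc -l | tr -d ' '
}

# Actually load the rules; needs root. Only runs when called explicitly.
apply_ruleset() {
    generate_ruleset "$@" | sudo sh -e
}

# Wrapper in the spirit of Dan's suggestion: run a program as its dedicated
# user, opening the link for that uid only after the operator says yes, and
# closing it again when the program exits. Usage: run_gated net-browser firefox
run_gated() {
    user="$1"; shift
    printf 'Allow %s (running as %s) to use %s? [y/N] ' "$1" "$user" "$WAN_IF"
    read -r answer
    case "$answer" in
        y|Y)
            # Caveat from the thread: any other process already running as
            # $user can send while this rule is present.
            sudo iptables -I OUTPUT -o "$WAN_IF" -m owner --uid-owner "$user" -j ACCEPT
            sudo -u "$user" "$@"
            sudo iptables -D OUTPUT -o "$WAN_IF" -m owner --uid-owner "$user" -j ACCEPT
            ;;
        *)
            # "No": the program still runs, but the DROP policy blocks its traffic.
            sudo -u "$user" "$@"
            ;;
    esac
}

# Example: inspect the rules for two dedicated users without applying them.
# generate_ruleset net-browser net-mail
```

"Always YES" in Richard's list corresponds to putting the user into the arguments of apply_ruleset, so its ACCEPT rule persists; "No" is simply leaving it out. Programs that spawn helpers as the same uid will share the permission, which is exactly the limitation Dan described, and the LOG rule gives a record in the kernel log of which denied processes tried to reach the link.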
