I would like to control OUTGOING traffic on an application basis.
How can I set up the firewall in a way that I cannot only control which addresses and ports can be accessed, but that I can set this individually for each application, e.g.:
Firefox: Only port 80 allowed
Thunderbird: Only port 25 and 110, only specific mail provider IP addresses are allowed
FTP: only ports 20 and 21, and only my web hosters are allowed
RealPlayer: no outgoing traffic is allowed
etc.
Under Windows, this functionality was provided by Kerio Personal Firewall. Is there something similar in Linux?
While iptables can have match rules on process ids, there is no way currently to tie the rule to a process name. I remember some party working on something called nufw, which would require authentication whenever a process tried to go out, but that is not something a newbie could setup.
If you assume that the apps will just use its designated port(s), couldn’t you just block all outgoing traffic, except for those ports you list (at allowed addresses). You wouldn’t get much pointing firefox to a port 25 or port 110, or even a ftp port, the other side wouldn’t get the wanted protocol exchange. The danger is from other commands like wget, curl, netcat, etc, that can talk to arbitrary ports.
Are you trying to control your kids’ viewing or are you just very paranoid about getting infected?
Thank you for the answer. I will re-visit iptables documentation and experiment a bit more.
Under Windows, this helps making the PC more secure. There are many applications that “phone home” over standard ports, i.e. send information about behavioral patterns of the user (e.g. Real Player, Adobe Acrobat Reader, WinAmp, etc.), or surf the internet for whatever it is they do. Many applications send information every time an application is started to the Microsoft registration server, generating a usage pattern. While most of this information is rather harmless, once in a while you encounter an application that sends data you would rather not have in the public.
It was always quite interesting to see what a newly installed application would want to send out to the internet.
While I think this functionality makes a system more secure, I admit that I am definitely in favor of enhanced security. And personally I think this is currently more of a threat than incoming traffic that is easily blocked by a firewall on my PC, built in into the router, and provided by the access company (so three levels…)
And perhaps Linux applications are better behaved than Windows, so my fears are unfounded.
There are open software alternatives to adobe reader and winamp. I don’t have the need to use realplayer much, and I think other players like mplayer can handle real media too.
And besides if you are using plugins, the traffic will appear to come from firefox. A proxy like squid might help you here.