jtanium at gmail.com
Wed Jan 23 10:20:57 MST 2008
You can set the default policy:
iptables -P OUTPUT DROP
Or on RedHat systems, change /etc/sysconfig/iptables like so:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
On Jan 23, 2008 10:12 AM, Chris Carey <chris.carey at gmail.com> wrote:
> On Jan 23, 2008 9:23 AM, Jason Edwards <jtanium at gmail.com> wrote:
> > Sorry, I assumed Chris would be looking for a graphical tool to manage
> > his firewall policies. If you can handle it, iptables on the command
> > line is absolutely the way to go.
> > But for somebody coming from Windows, using Comodo (a GUI), I think
> > opening a terminal and typing an iptables command may be a little
> > intimidating. If you just want really basic rules, and don't know
> > iptables, Firestarter would be a good way to go.
> I am very familiar with writing iptables firewalls by hand. This isn't
> really what I'm looking for though. I am looking for something
> specifically that could limit on a per-application basis, which I feel
> is a very powerful security feature.
> This is very useful in the situation where a non-root account gets
> violated. The intruder would attempt to launch some custom-made ssh
> brute force script, or add your machine into a IRC botnet. It would be
> great if the network connection attempt was denied, logged to a file.
> The root user would review that file, have the ability to allow (or
> deny) permission to that application from having network access.
> Most (not all) iptables firewalls are configured with the OUTPUT chain
> default to ACCEPT. I guess what I'm getting at is that it would be
> nice if you could set that OUTPUT chain to DENY by default, but log
> and allow outbound access on a per-application basis. Currently, if I
> open outbound port 80, then any software, trusted or malicious, could
> use that hole.
> It seems SELinux may solve the second part of my question - limiting
> what the executables can do on the file system.
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
More information about the PLUG