Hi.

I'm looking for a firewall for an Ubuntu/Gutsy laptop that will not only firewall connections, but allow restrictions on individual applications for connections to a particular port, or address.

Does this exist ?

Thank you
Akonbobot

I'm not sure - if yes, a web search should give you a few dozen pay-for applications, or probably nothing. The Linux "built-in" firewall, called iptables in nowadays kernel series, works on basis of per-connection, not per-application basis. Windows firewall software works usually the other way around, and that's how a lot of people expect it to work everywhere. I personally find iptables way more suitable (for me, that is), as it allows for rather easy configuration of things in big scale, and doesn't force the user to ask yes-no-"dunno" questions all the time when an application has been updated, moved, or Windows/the software just feels like it. In Vista it's a real pain (the questions I mean)..

You should create your firewalls so that they restrict anything you don't explicitly allow. Then take a look at the things iptables offers (read the man page and their website), like connection tracking - after reading the documentation (which you need to do, if you want to understand things in order to know how to achieve your goal) you should have a fairly good idea on how to do things.

I feel it's rather dangerous to set firewalling rules on per-application basis. What if one application had "rights" to send/receive things over the network, and some other application didn't - and then somebody camouflaged the applications a bit, so that it looked like some application that shouldn't be able to communicate could do it because it looked like it was the other application?

You will need a plugin for the kernel's netfilter module. There is one that will allow the execution of a user script which is usually done to check the application and the checksum of the application. However, IMHO, logging would be better at determining if you have an ill-behaved program. If you actually managed to install mal-ware, a wiped drive and reinstallation is in order.

You could make the application run as a particular user and then use the --uid-owner option to specify that you want the rules to apply only to packets generated by that user. You could also play with the --cmd-owner option, which lets you match a packet based on the name of the command that created it. These options are part of the owner module.

Thanks all.

I would prefer to have a linux laptop with equal representation and ability as a windows counterpart. Firewall rules are are cumbersome and complex on either platform (imho) but it would be great to have for example, an unbuntu-gutsy laptop to;

1. Deny 'all' internet access for a particular application
2. Allow bittorrent traffic for 'only' one application
3. Have a visual pop up warning when someone tries to connect via port 137 IN udp
4. Allow 'only' TCP connections for an application, and 'only' to a particular host.

Are any of the above possible ?

Thank you
Akonbobot

Well, #1, #2, and #4 should be doable with the owner module.

Not sure how you'd do #3 but it can't be too hard - Ubuntu comes with a desktop notification daemon.

It's frustrating when windows has an advantage. Seems there is not a
parallel method for #1-4 above via firewall, as in windows.

Thanks for the recommendations.
Akonbobot

Well, a solution that meets the requirements you've described doesn't sound too difficult to create (assuming one doesn't exist already). Perhaps you could use this as an opportunity to start your own project. I mean, this is how a lot of open source projects get started, someone has an itch to scratch, etc. Apparently not enough developers share this itch of yours at the moment. But it does sound like a pretty cool idea, though. I can imagine some future Ubuntu version spamming us with pop-ups ZoneAlarm style.

No problem. BTW, I remember someone asking something like this a couple years ago, and a link was posted to a project which was sort of trying to achieve something like this (using a much more effective method than the iptables owner module). I'm sure if you search a bit you will find said post.