Quote:
My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?
You must allow the loopback interface.
For everything else, make a list of services you want to access out of the box, where, and under what circumstances... allow those. You'll soon know if you missed one.
Quote:
Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work.
The best way to force users to use only a specific application is to deny them access to any others on the box. The best way to do that is to remove them all.
It's usually only a concern if you know an application has a specific exploit that you would like to avoid.
I understand you can use the --cmd-owner option to allow connections based on the launching process.
There is a highly entertaining and interesting discussion on outbound policies here:
http://ubuntuforums.org/showthread.php?t=131616&page=4
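To make the advice above concrete, here is an added example (not from the thread or the linked discussion) that writes a restrictive OUTPUT policy in iptables-restore format: loopback first, then only the services you listed, with the owner match used for per-process control. It assumes a resolver at 192.0.2.53 and a numeric group id passed in as arguments, and it uses the owner match's --gid-owner option rather than --cmd-owner mentioned in the post.

```shell
#!/bin/sh
# Constructed example: emit a default-deny OUTPUT chain for review before loading it.
# Arguments are assumed values: $1 = DNS resolver IP, $2 = numeric gid allowed to use IRC.
outbound_rules() {
    resolver="$1"
    irc_gid="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Gotcha 1: loopback must be allowed or local daemons and 127.0.0.1 resolvers break.
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that were already accepted.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Gotcha 2: DNS. Allow it only to the resolver actually in use, over UDP and TCP.
-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT
# Services wanted "out of the box"; extend this list as you discover what you missed.
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
# Per-process control via the owner match: only sockets opened by processes running
# under the IRC group may reach IRC ports (e.g. an approved client installed setgid).
-A OUTPUT -p tcp -m owner --gid-owner $irc_gid -m multiport --dports 6667,6697 -j ACCEPT
# Log what falls through so a missed service shows up in the log instead of failing silently.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Load the ruleset atomically (needs root and iptables-restore); review the output first.
apply_outbound_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    outbound_rules "$1" "$2" | iptables-restore
}
```

Run `outbound_rules 192.0.2.53 1001` to inspect the rules, then `apply_outbound_rules` with the same arguments to load them.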