Quote:
Originally Posted by gabyz
I still have a question unanswered. If I allow IP traffic, -d 0/0 80 (any IP destination on port 80), can I configure the firewall in such a way that only, say, Firefox and Chrome are allowed to use this rule and all other applications are denied?
Gaby - Turning the problem "upside-down", I obtained a possible solution by combining iptables rules, proxy software like Squid, and individual configuration of the browser I wanted to allow onto the Internet. I did this by using a dedicated box for the firewall and proxy, while connecting from a separate machine on the internal net. I used iptables on the filtering box to drop everything coming to the internal interface, except hosts I wanted to allow on the port where the proxy was listening. Of course, NAT rules allowing direct Internet access from the LAN were disabled. Then I configured the browser I wanted to use by telling it to go through the proxy. This way all other applications were blocked by default. One might also restrict write permissions on configuration files so that users cannot manipulate them, and set user/group ownerships as brebs suggested. This configuration was very straightforward, but Squid has lots of options and allows for complex authentication rules which I didn't investigate but which seem interesting. I didn't check whether this can be set up on a stand-alone machine as well.
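The "proxy-only" setup described in the reply, written out as an added example (this is not the poster's own configuration). It assumes a dedicated filtering box whose internal interface is `eth1`, Squid listening on port 3128 on that box, and two allowed LAN workstations (192.168.1.10 and 192.168.1.11); all of these are constructed placeholder values. The script only defines functions: run it with `show` to print the rules, or `apply` to load them with iptables.

```shell
#!/bin/sh
# Added example (not the poster's config). Assumed values below are placeholders.
LAN_IF="${LAN_IF:-eth1}"                                   # internal interface
PROXY_PORT="${PROXY_PORT:-3128}"                           # Squid http_port
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.1.10 192.168.1.11}" # hosts that may use the proxy
IPT="${IPT:-iptables}"  # set IPT="echo iptables" to print instead of load

# Filter rules for the internal interface: allow only the listed hosts to
# reach the proxy port, drop everything else, and do not forward or NAT
# LAN traffic at all. Any application that is not configured to use the
# proxy therefore has no path to the Internet.
proxy_only_rules() {
    # Replies belonging to sessions the proxy already accepted.
    $IPT -A INPUT -i "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections: only from allowed hosts, only to the proxy port.
    for host in $ALLOWED_HOSTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$host" -p tcp --dport "$PROXY_PORT" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else arriving on the internal interface is dropped.
    $IPT -A INPUT -i "$LAN_IF" -j DROP

    # No routing of LAN packets through the box, and no NAT: this is what
    # removes "direct Internet access from the LAN".
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
    $IPT -t nat -F POSTROUTING
}

# Matching Squid fragment: the same allow-list on the proxy side, so a host
# that slips past the packet filter still gets "deny all" from Squid.
squid_acl_fragment() {
    printf 'http_port %s\n' "$PROXY_PORT"
    for host in $ALLOWED_HOSTS; do
        printf 'acl lan_allowed src %s\n' "$host"
    done
    printf 'http_access allow lan_allowed\n'
    printf 'http_access deny all\n'
}

# Dry-run helper: number of ACCEPT rules the filter would load.
count_accept_rules() {
    ( IPT=echo; proxy_only_rules ) | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    show)  IPT="echo iptables"; proxy_only_rules; squid_acl_fragment ;;
    apply) proxy_only_rules ;;
esac
```

Browser-side, the only remaining step is pointing Firefox or Chrome at the filtering box on port 3128 as its HTTP proxy; a browser (or any other program) left at "no proxy" simply has nowhere to go, which is the "blocked by default" behaviour the reply describes.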