This is a well-known phenomenon. See the writeup on www.grc.com about 'Trojan Spyware'. Much of the objection to WinXP is that it forces this behaviour, under the guise of 'verifying the license'. If you don't connect to the internet, and allow it to phone home periodically, the OS simply shuts down. If you're running a business, your entire business is effectively held hostage until you get 'validated' by microsoft...
You don't have to run XP. If you don't like a product don't use it. I'm so sick and tired of people bitching about MS, especially on non-MS security mailing lists!
I, too, would like to know how to go about creating such a filter using iptables. The ZoneAlarm package for Windows filters based on program name for outgoing connections, but I have not seen anything short of a sniffer or tcpdump that will look at the packet content itself. I can't even imagine the processor overhead required to parse the content of every outgoing packet!
IPTables allows you to filter based on uid/gid. For example, most users will probably only ever go out to port 25, 53, 80, maybe 110/143, 6667, etc. As for parsing packets, uhh, you ever heard of snort? or any other NIDS for that matter? It's actually a reasonable amount of overhead if done right. And yes, you can do it at gigabit speeds.
Does iptables have access to the pid of the originating process? Would a filter which used the pid, looked at /proc/<pid>/cmdline, and checked an 'allowed program' list like ZoneAlarm does, incur too much overhead to be practical?
Uhhh well that would be a lot of overhead. And I would just write a script called netscape that invokes something else. Unlike Windows it is much harder to subvert a Linux box, assuming people do not log in as root and do stupid things like run/install software from untrusted sources. OTOH some popular Linux apps "phone home" and no-one seems to complain (like pine for example).
Of course, this approach works only for a 'personal firewall' where the originating process and the firewall are on the same machine, and is meaningless on a standalone firewall protecting a LAN.
I could answer this, but I'm writing a rather large paper on the subject and am sick to death of it already =). BTW MS proxy allows you to do stuff like this (i.e. group sales is only allowed http and https access, no irc for those naughty little monkeys).
-- Rick Green
Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
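An added example (not from the thread, and not Kurt's or Rick's code) of the uid-based egress filter the thread discusses: the iptables `owner` match on the OUTPUT chain, with the per-port allowances Kurt lists. It assumes two dedicated unprivileged accounts, one that runs the browser and one that runs the mail client, and that the script is run as root to apply; the uids, the port sets and the `IPT` review hook are this example's own choices.

```shell
#!/bin/sh
# Per-user egress filtering with the iptables owner match (added example).
# Assumptions, not from the thread: the browser runs as one dedicated
# unprivileged uid and the mail client as another, so the uid identifies
# the application. Run as root to apply; set IPT=echo to review the rules
# that would be issued without touching the kernel.
IPT="${IPT:-iptables}"

egress_rules() {
    web_uid="$1"    # uid allowed to reach HTTP/HTTPS
    mail_uid="$2"   # uid allowed to reach SMTP/POP3/IMAP

    # Fail closed first, then rebuild the chain from scratch.
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT

    # Loopback and replies to connections we already accepted are always fine.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS for every uid: the resolver runs inside each process, so no
    # single owner can be named for it.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT

    # Application access keyed on the owning uid of the socket.
    # The owner match is only valid in the OUTPUT and POSTROUTING chains.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m owner --uid-owner "$web_uid" -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 25,110,143 \
        -m owner --uid-owner "$mail_uid" -j ACCEPT

    # Anything else is logged (rate limited) so "phoning home" shows up
    # in the kernel log, then dropped.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    $IPT -A OUTPUT -j DROP
}

# Usage:  IPT=echo sh egress.sh 1001 1002   (review the rules)
#         sudo sh egress.sh 1001 1002       (apply them)
if [ $# -eq 2 ]; then
    egress_rules "$1" "$2"
fi
```

The filter keys on the uid, not the program name, which is why Kurt's "script called netscape" bypass does not apply: whatever binary runs under the browser's uid gets the browser's ports and nothing else, and a process running as an ordinary user with no rule gets only DNS. The price is that each application you want to distinguish has to run under its own account (for example via `sudo -u web`). The pid/cmdline approach Rick asks about existed briefly as `--pid-owner` and `--cmd-owner` options of the same match on 2.4 kernels, but they were later removed from 2.6 kernels because they could not be evaluated reliably, so uid and gid are what a practitioner can still rely on.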