
Andrei, Carlos, all - Thanks for your input, I am following along with interest! And yes, I am also putting on my scuba tanks so I can dive deep into the world of iptables also (i.e. reading up on it...)

Andrei, I am a bit confused however by your comments about my desire to be able to control/block all incoming and outgoing communications through an interface zone, except for communications that originate in processes/services on my firewall system/server itself. You said I can't do that because firewalls don't know anything about the processes that are behind the data packets carrying information across networks or in and out of a computer. Won't all such communications, originating for/from processes/services that are running on my firewall system, have either a source or a destination address of the IP address assigned to the firewall system itself? Anything else that is attempting to communicate with devices on my IOT thingies subnet, from the outside world, would have to either be NATted or deNATted (yeah, I may be inventing some terminology here, but I'm trying to understand/talk about the firewall model and it is not easy for me to communicate clearly) or have an incoming source address, and an outgoing destination address, that is different from the firewalld host's IP address(es).

I do understand AX.25 packet data structures, and since these data packets are going through some other interface, into and out of the firewall system, before they can be routed through the interface for my IOT thingies subnet (again I hope I am using terminology correctly and clearly; by "IOT thingies subnet" I am referring to the second subnet I want to create for isolating and putting all my IOT thingies on), it seems it should be possible for a firewall to block all such "external" packets and allow my "internal" packets. For example, data packets such as those "internal" packets to/from an Apache HTTP server that is also running on the same system with the firewalld service (but still log any incoming communication attempts by "external" devices from the internet or other unsecured networks, and log any outgoing communication attempts to "external" devices, so I can examine them later at my leisure).

Please forgive me if my understanding of how firewalls actually work is all screwed up; I am looking at them in a high altitude conceptual way... It seems that as a system admin I should be able to control what information is allowed to pass through my systems. So these requirements I want to pursue seem to belong in the purview of firewall administration...

If you look at this from what I am trying to accomplish, I think it will make it clearer what I am asking for in the way of help on firewalld. I don't want IOT thingies to be able to communicate to/from the internet without my being able to discover what they are doing and to intercede and/or proxy what is being communicated. The best example is security cameras made in some foreign country. I want to have complete control over who is accessing the video data from these cameras, via my own web server and storage devices, rather than use some cloud based web service located who knows where and with who knows what sort of security systems are in that place. And I don't want any surreptitious data leakage to be occurring from these IOT thingies, nor of course do I want unauthorized accesses to be made to these thingies. Since there is no way to audit the firmware in IOT thingies, the next best security measure is to monitor/control when/what is being communicated, and that is why I am focused on firewalld, which I am using on all my Linux systems.

Marc, who is struggling to learn about firewalls by drinking through a fire hose of information. And who is tired of the constant erosion of privacy and tired of hearing about all the data breaches going on around the world...
(and who STILL cannot get an account on the Fedora servers where I could actually talk to some of the gurus who support firewalld...)

On 8/31/19 1:41 PM, Carlos E. R. wrote:
On 31/08/2019 22.31, Andrei Borzenkov wrote:
31.08.2019 23:11, Carlos E. R. wrote:
On 31/08/2019 12.42, Andrei Borzenkov wrote:
31.08.2019 10:11, Marc Chamberlin wrote:
to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any

That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely. :-)
<https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
How to block Acroread 7 with SuSE FW2?
You seriously do not see the difference between "blocking everything from a specific process" and "blocking everything from a specific user/group"?

And you do not see that the trick is blocking a specific application?
--
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
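As an added illustration, not taken from any message in this thread, here is the distinction a Linux packet filter can actually make, which is what Marc's requirement turns on. The kernel passes packets addressed to, or sent by, the firewall host's own processes through the input and output hooks, while packets merely transiting between the IoT subnet and the internet pass through the forward hook. Classifying by process, as Andrei says, is not available; what the filter can do is treat the two paths differently, and, for locally generated packets only, match the owning user of the socket (the nftables `meta skuid` match, the same mechanism as the iptables owner match behind the Acroread link). The nftables ruleset below assumes interface names eth0 (internet) and eth1 (IoT subnet), a constructed IoT address range, and a hypothetical web server running as user www-data; all of these are assumptions, not values from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset; interface names, the address range and the
# 'www-data' user are assumptions, not taken from the mailing-list thread.
flush ruleset

define WAN = eth0                 # interface toward the internet (assumed)
define IOT = eth1                 # interface toward the isolated IoT subnet (assumed)
define IOT_NET = 192.168.50.0/24  # constructed address range for the IoT subnet

table inet filter {
    # Packets whose destination is a process running on the firewall host.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # IoT devices may reach the host's own web server (e.g. a camera
        # uploading to the local Apache instance) and nothing else on the host.
        iifname $IOT ip saddr $IOT_NET tcp dport { 80, 443 } accept
        # Anything else from the IoT subnet, and anything from the internet,
        # is rate-limited into the kernel log and then dropped by the policy.
        iifname $IOT limit rate 10/minute log prefix "iot-to-host-denied: "
        iifname $WAN limit rate 10/minute log prefix "wan-to-host-denied: "
    }

    # Packets generated by processes on the firewall host. This is the only
    # hook where the owning user of the local socket is visible to the filter.
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        oif lo accept
        # Only the web server's user may open new connections into the IoT
        # subnet (pulling video from the cameras); other local users are
        # logged and dropped.
        oifname $IOT meta skuid "www-data" accept
        oifname $IOT limit rate 10/minute log prefix "host-to-iot-denied: " drop
    }

    # Packets that merely transit the host between interfaces. No IoT device
    # reaches the internet, and nothing from the internet reaches an IoT device;
    # both directions are logged so the attempts can be reviewed later.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname $IOT oifname $WAN limit rate 10/minute log prefix "iot-to-wan-denied: "
        iifname $WAN oifname $IOT limit rate 10/minute log prefix "wan-to-iot-denied: "
    }
}
```

Load it with `nft -f <file>` and watch the logged attempts with `journalctl -k -f`; the prefixes make the four denied paths easy to tell apart. Two points to keep in mind: `meta skuid` only exists in the output path, because the socket owner is known solely for packets the host itself creates, so the protection for forwarded IoT traffic rests on the forward chain's drop policy, not on any notion of which process is involved; and a camera that must reach a vendor cloud would need an explicit forward rule, which is exactly the moment at which to decide whether to allow it or route it through a local proxy instead.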