31.08.2019 23:11, Carlos E. R. wrote:
On 31/08/2019 12.42, Andrei Borzenkov wrote:
31.08.2019 10:11, Marc Chamberlin wrote:
to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
:-)
<https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
How to block Acroread 7 with SuSE FW2?
You seriously do not see the difference between "blocking everything from specific process" and "blocking everything from specific user/group"?
] Date: Sun, 17 Apr 2005 18:52:27 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] In order to block that traffic you could make the acroread executable
] SGID 'acro' and then block all traffic coming from group 'acro'.
] Iptables has an option for doing this by using the --gid-owner option.
] Of course that works only with a local firewall.
] Date: Mon, 18 Apr 2005 15:56:26 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] Carl A. Schreiber wrote:
]> I'd like to learn more about this, would you mind to give an example
]> for such a rule?
]
] I did it with the following rule:
] iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
]
] Then I set /usr/bin/netcat to be owned by group 'talker' and to mode
] 2755 (SGID). After that I could not connect anywhere with netcat. Once I
] chmodded netcat back to 755 it worked again.
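The SGID-plus-owner-match recipe quoted above, turned into a script, as an added example that is not part of the thread or of nordi's original mails. It prints the iptables rules from the 2005 mail together with the firewalld equivalent (the "direct" interface passes raw iptables arguments through, which is how a match firewalld has no rich-rule syntax for, such as -m owner, is expressed on a firewalld host), the chgrp/chmod steps, and a check that the binary is still in the state the rule depends on. The group name "talker" and the netcat path come from the mail; the function names, the dry-run behaviour and the use of REJECT on both IPv4 and IPv6 are this example's own choices. Note that the owner match is only defined for locally generated traffic, so this covers the outgoing half of the request in the thread; an incoming packet has no owning process at filter time, which is the part Andrei's objection is about.

```shell
#!/bin/sh
# Added example (not from the thread): per-group egress blocking with the
# iptables owner match, plus its firewalld "direct" equivalent, and a check
# that the SGID tagging the rule relies on is still in place.
set -eu

# Print the rules that reject every socket opened with effective group $1.
# They live in OUTPUT: the owner match exists only for locally generated
# packets, because an incoming packet has no owning process until it is
# delivered to a socket.
gid_block_rules() {
    grp=$1
    # Plain iptables, as in nordi's 2005 mail (REJECT so the program fails
    # fast instead of hanging on a silent DROP); ip6tables for the same reason.
    echo "iptables  -A OUTPUT -m owner --gid-owner $grp -j REJECT"
    echo "ip6tables -A OUTPUT -m owner --gid-owner $grp -j REJECT"
    # firewalld: the direct interface hands the arguments to iptables
    # unchanged (deprecated in newer firewalld releases but still present);
    # --permanent keeps the rule across reloads, priority 0 puts it first.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner $grp -j REJECT"
    echo "firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -m owner --gid-owner $grp -j REJECT"
    echo "firewall-cmd --reload"
}

# Print the commands that make binary $2 run with effective group $1:
# a system group, chgrp, and mode 2755 (SGID bit set), as in the mail.
sgid_commands() {
    grp=$1; bin=$2
    echo "groupadd --system $grp"
    echo "chgrp $grp $bin"
    echo "chmod 2755 $bin"
}

# Verify that $2 still has group $1 and the SGID bit. A package update that
# reinstalls the file silently resets both, and the "blocked" program is back
# on the network, so this belongs in a periodic check. Returns 0 when the
# expectation holds, 1 otherwise. (stat -c is GNU coreutils syntax.)
check_sgid() {
    grp=$1; bin=$2
    mode=$(stat -c '%a' "$bin")       # e.g. 2755
    owner_grp=$(stat -c '%G' "$bin")  # group name
    # Octal 02000 is the SGID bit; "0$mode" forces octal interpretation.
    [ $(( 0$mode & 02000 )) -ne 0 ] || return 1
    [ "$owner_grp" = "$grp" ]
}

# Usage: sh block-group.sh talker /usr/bin/netcat
# Prints the commands only; review them and pipe to sh as root to apply.
if [ $# -eq 2 ]; then
    sgid_commands "$1" "$2"
    gid_block_rules "$1"
fi
```

Two caveats a practitioner would want alongside nordi's result. First, effective-group tagging is a convenience control, not a security boundary: a SGID binary keeps the user's real gid, so a process that wants to can call setegid() back to it and escape the match; this keeps a well-behaved application such as acroread or netcat off the network, it does not contain malware. Second, the match only applies to the host's own traffic (the "local firewall" point in the mail), and only in OUTPUT; for traffic that merely transits the box, or for incoming connections, there is no process to match on and the namespace approach from earlier in the thread is the one that applies.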