01.09.2019 5:57, Marc Chamberlin wrote:
> Andrei, Carlos, all - Thanks for your input, I am following along with interest! And yes, I am also putting on my scuba tanks so I can dive deep into the world of iptables also (i.e. reading up on it...)
>
> Andrei, I am a bit confused, however, by your comments about my desire to be able to control/block all incoming and outgoing communications through an interface zone, except for communications that originate in processes/services on my firewall system/server itself. You said I can't do that because firewalls don't know anything about the processes that are behind the data packets carrying information across networks or in and out of a computer. Won't all such communications, originating for/from processes/services that are running on my firewall system, either have a source or a destination address of the IP address assigned to the firewall system itself?
Yes, they will. And how exactly does it help to distinguish a specific service/process? This can only be done at best using TCP/UDP ports, and for outgoing communications ports are usually selected automatically and at random, and not every application even supports choosing a specific port (range) to select from; for incoming communication it can be done (that is exactly the main functionality of firewalld), but that's not strictly speaking "service/application", this is still "TCP/UDP port".

The distinction is crucial e.g. on Windows, where you can actually allow communication for a specific service/program (e.g. apache) over port 80, and in this case no other HTTP server (e.g. nginx or your favorite trojan) you run will be allowed. On Linux you can only open port 80; whatever listens on port 80 will be allowed.

Yes, if you have total control over how your services work you may start each one under a specific user/group and use this as the criterion. This is unrealistic in general (what about services that *must* run as root, as an example).