* how to filter on applications?
@ 2006-10-26 18:53 vwf
  2006-10-26 19:25 ` Mike
  0 siblings, 1 reply; 9+ messages in thread
From: vwf @ 2006-10-26 18:53 UTC (permalink / raw)
  To: netfilter

Hello,

I want to filter outgoing traffic based on the originating application.
How do I do this? Please tell me iptables can do this. If not, how can I
lock down my system?

Thanks.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: how to filter on applications?
  2006-10-26 18:53 how to filter on applications? vwf
@ 2006-10-26 19:25 ` Mike
  2006-10-27  8:22   ` vwf
  0 siblings, 1 reply; 9+ messages in thread
From: Mike @ 2006-10-26 19:25 UTC (permalink / raw)
  To: vwf; +Cc: netfilter

vwf wrote:
> Hello,
>
> I want to filter outgoing traffic based on the originating application.
> How do I do this? Please tell me iptables can do this. If not, how can I
> lock down my system?
>
> Thanks.
>
>

http://l7-filter.sourceforge.net/




* Re: how to filter on applications?
  2006-10-26 19:25 ` Mike
@ 2006-10-27  8:22   ` vwf
  2006-10-27  8:27     ` Gáspár Lajos
  0 siblings, 1 reply; 9+ messages in thread
From: vwf @ 2006-10-27  8:22 UTC (permalink / raw)
  To: netfilter; +Cc: Mike

On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote:
> vwf wrote:
> > Hello,
> >
> > I want to filter outgoing traffic based on the originating application.
> > How do I do this? Please tell me iptables can do this. If not, how can I
> > lock down my system?

> http://l7-filter.sourceforge.net/

This filters on protocol, not on application.



* Re: how to filter on applications?
  2006-10-27  8:22   ` vwf
@ 2006-10-27  8:27     ` Gáspár Lajos
       [not found]       ` <20061027083635.GA4518@trane.vulkor.net>
  0 siblings, 1 reply; 9+ messages in thread
From: Gáspár Lajos @ 2006-10-27  8:27 UTC (permalink / raw)
  To: vwf; +Cc: Mike, netfilter


vwf wrote:
> On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote:
>> vwf wrote:
>>> Hello,
>>>
>>> I want to filter outgoing traffic based on the originating application.
>>> How do I do this? Please tell me iptables can do this. If not, how can I
>>> lock down my system?
>
>> http://l7-filter.sourceforge.net/
>
> This filters on protocol, not on application.
>
Yes! Because APPLICATIONS use PROTOCOLS to communicate with....

What do you not understand?

Swifty




* Re: how to filter on applications?
       [not found]       ` <20061027083635.GA4518@trane.vulkor.net>
@ 2006-10-27  8:53         ` Gáspár Lajos
  2006-10-27 10:37           ` Gabor Szokoli
  0 siblings, 1 reply; 9+ messages in thread
From: Gáspár Lajos @ 2006-10-27  8:53 UTC (permalink / raw)
  To: vwf; +Cc: Netfilter IPtableMailinglist


vwf wrote:
> On Fri, Oct 27, 2006 at 10:27:00AM +0200, Gáspár Lajos wrote:
>> vwf wrote:
>>> On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote:
>>>> vwf wrote:
>>>>> Hello,
>>>>>
>>>>> I want to filter outgoing traffic based on the originating application.
>>>>> How do I do this? Please tell me iptables can do this. If not, how can I
>>>>> lock down my system?
>>>
>>>> http://l7-filter.sourceforge.net/
>>> This filters on protocol, not on application.
>>>
>> Yes! Because APPLICATIONS use PROTOCOLS to communicate with....
>>
>> What do you not understand?
>
> My question was how to filter on application. Filtering on protocol does
> not suffice.
>
Okay... You want to filter on APPLICATION...
Let me assume that you have a firewall and some clients.
You want to block some traffic originating from your clients depending on
the application.

If an application talks to another party, it uses a "language" that
both understand.
This is the PROTOCOL.

In netfilter/iptables you can analyse the packets: where do they
come from and where do they go...
If you want to know the content of this pipe, then you have to use some
layer 7 filtering mechanism...

http://en.wikipedia.org/wiki/OSI_model

BUT if I did not understand you correctly then please send me an exact
question...

Thanx

Swifty






* Re: how to filter on applications?
  2006-10-27  8:53         ` Gáspár Lajos
@ 2006-10-27 10:37           ` Gabor Szokoli
  2006-10-27 11:04             ` vwf
  0 siblings, 1 reply; 9+ messages in thread
From: Gabor Szokoli @ 2006-10-27 10:37 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist

On 10/27/06, Gáspár Lajos <swifty@freemail.hu> wrote:
> BUT if I did not understand you correctly then please send me an exact
> question...

I might be able to mediate before this escalates...
I think vwf assumes the firewall is on the same host as the
applications, no forwarding takes place.
In this case it is not an unreasonable expectation to be able to write
iptables rules matching the name of the executable whose process
instance owns the socket: so-called "personal firewall" applications
on some other operating system do this all the time.

Google-lee-goo:
http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-ownercmd


Szocske
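
Added example, not code from the thread or from the ownercmd patch: for the same-host case Gabor describes, the stock iptables owner match can still select a process by the group it runs under (-m owner --gid-owner in the OUTPUT chain) even where no executable-name match is available. The group name webfetch and port 443 are constructed sample values, and the script assumes the owner and conntrack matches are present.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the stock iptables
# owner match (-m owner --gid-owner) and conntrack match are available;
# the group name "webfetch" and port 443 are constructed sample values.

# Run the real iptables, or whatever $IPTABLES names (set IPTABLES=echo
# for a dry run that only prints the rules instead of loading them).
rule() { "${IPTABLES:-iptables}" "$@"; }

# Confine egress for every process running under group $1 to TCP port $2.
# The owner match sees the socket's credentials, not the binary's name,
# so the application must be started with that group, for example:
#   sg webfetch -c 'some-client https://example.invalid/'
confine_group() {
    grp="$1"; port="$2"; chain="APP_${grp}"
    rule -N "$chain"
    # Divert this group's locally generated traffic into its own chain
    # (the owner match only works for locally generated packets, i.e.
    # OUTPUT/POSTROUTING, which matches the "no forwarding" assumption).
    rule -A OUTPUT -m owner --gid-owner "$grp" -j "$chain"
    # Loopback and the one permitted service are allowed.
    rule -A "$chain" -o lo -j ACCEPT
    rule -A "$chain" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Everything else is logged, then refused, so a policy violation
    # shows up in the kernel log instead of silently timing out.
    rule -A "$chain" -j LOG --log-prefix "${chain}_DROP: "
    rule -A "$chain" -j REJECT
}

# Usage: sh confine.sh <group> <port>   (root is needed to apply for real;
# IPTABLES=echo sh confine.sh webfetch 443 prints the rules instead).
if [ "$#" -eq 2 ]; then
    confine_group "$1" "$2"
fi
```

The rules must be loaded before the application starts, since the chain is consulted per packet and a process that switched group after setup would still be matched by its current credentials.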



* Re: how to filter on applications?
  2006-10-27 10:37           ` Gabor Szokoli
@ 2006-10-27 11:04             ` vwf
  2006-10-27 12:54               ` Pablo Sanchez
  0 siblings, 1 reply; 9+ messages in thread
From: vwf @ 2006-10-27 11:04 UTC (permalink / raw)
  To: Netfilter IPtableMailinglist

On Fri, Oct 27, 2006 at 12:37:00PM +0200, Gabor Szokoli wrote:
> On 10/27/06, Gáspár Lajos <swifty@freemail.hu> wrote:
> >BUT if I did not understand you correctly then please send me an exact
> >question...
> 
> I might be able to mediate before this escalates...
> I think vwf assumes the firewall is on the same host as the
> applications, no forwarding takes place.
> In this case it is not an unreasonable expectation to be able to write
> iptables rules matching the name of the executable whose process
> instance owns the socket: so called "personal firewall" applications
> on some other operating system do this all the time.
> 
> Google-lee-goo:
> http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-ownercmd

Thank you. Your assumptions are right. I filter on application on the
workstation, and on port/destination on the router.

Iptables lost --cmd-owner, so new kernels were pretty useless to me,
but it seems to be reintroduced for ip6tables. Is there a "howto" to
rewrite an iptables firewall ruleset to ip6tables (or a good
introduction to ip6tables)?




* RE: how to filter on applications?
  2006-10-27 11:04             ` vwf
@ 2006-10-27 12:54               ` Pablo Sanchez
  2006-10-30  9:40                 ` Gáspár Lajos
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Sanchez @ 2006-10-27 12:54 UTC (permalink / raw)
  To: 'Netfilter IPtableMailinglist'

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of vwf
> Sent: Friday, October 27, 2006 7:05 AM
> To: Netfilter IPtableMailinglist
> Subject: Re: how to filter on applications?
> 
> Thank you. Your assumptions are right. I filter on application on the
> workstation, and on port/destination on the router.

I find this e-mail list generally very courteous.  English is a difficult
language and it's not the primary language for a lot of people on this list.

In my opinion what is important is to strive to understand what the poster
is trying to say.  Posters should strive to put as much detail as possible
in their post to cut down on the 'discovery cycle.'  Make it clear; don't
leave anything to be assumed (if you can help it).

Provide diagrams if possible (emacs' picture-mode works very well!  ;)

Now, back to filtering... 
---
Pablo Sanchez - Blueoak Database Engineering, Inc
Ph:    819.459.1926          Toll free:  888.459.1926
Cell:  819.918.9731                Pgr:  pablo_p@blueoakdb.com
Fax:   603.720.7723 (US)




* Re: how to filter on applications?
  2006-10-27 12:54               ` Pablo Sanchez
@ 2006-10-30  9:40                 ` Gáspár Lajos
  0 siblings, 0 replies; 9+ messages in thread
From: Gáspár Lajos @ 2006-10-30  9:40 UTC (permalink / raw)
  To: pablo; +Cc: 'Netfilter IPtableMailinglist'

Hi all,

Let me apologize for my posts in this thread.
Sorry if I was rude.
I did not want to be.

As Pablo Sanchez wrote, English is sometimes very difficult to understand.

This list is mostly read by sysops/sysadms. (I think.) They/we create 
iptables rules for a whole network.
I simply wanted to help vwf and assumed things. That was bad.

In the future I will not send any comment if I do not fully understand 
the question.

Again, let me apologize.

Swifty



