A shorewall daemon with a user agent (Gnome and KDE task bar maybe);
Damon has rights to the output of ps and netstat and to change IP-Tables.
It can then take action based on what is trying to get out of the box
and who it belongs to.
Picture this:
I have big box with lots of users
I set up shorewall to disallow all outgoing traffic.
I set up the shorewall daemon to allow ssh out for all users.
I set up the shorewall daemon to never allow skype out of the box for
any user.
I set up the daemon to allow updates from some of my more experienced
users so they can use their user agents to allow a new application run
by them out of the box (they will not be able to allow skype out of the
box). and the changes will work only for their ID.
Un-privileged users get a message through user agent "The application x
you are running is trying to access the internet, this is not allowed.
please call BSOH for assistance"
Privileged users get the message through user agent "The application x
you are running is trying to access the internet (IP and port details)
would you like to allow it access"
That way I can prevent my less adept users from making my life hell
(read installing all sorts of internet stuff) and allow those with a bit
of knowledge some control.
Also when Linux starts to attract all those spyware and such like
creators we will be ready for them.
What do you think?
Chris.
