On my windows machine I use a software firewall called ZoneAlarm. One feature I like is the ability to block applications from using the net. I've looked with Shorewall and wonder if it does, or was ever meant to. Not a complaint, a curiosity.

Kev
--On Monday, February 24, 2003 09:14:26 AM -0500 Kevin Smith <ksmith@perfht.com> wrote:

> On my windows machine I use a software firewall called ZoneAlarm. One
> feature I like is the ability to block applications from using the net.
> I've looked with Shorewall and wonder if it does, or was ever meant to.
> Not a complaint, a curiosity.

Yes. Simply add REJECT rules for those applications that you want to block.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Mon, 24 Feb 2003, Tom Eastep wrote:

> > On my windows machine I use a software firewall called ZoneAlarm. One
> > feature I like is the ability to block applications from using the net.
> > I've looked with Shorewall and wonder if it does, or was ever meant to.
> > Not a complaint, a curiosity.
>
> Yes. Simply add REJECT rules for those applications that you want to block.

Hummm.... I don't think that is quite accurate. With ZoneAlarm on a WinXX machine you can selectively choose which applications you want to allow Internet access. You could, for example, allow Netscape to access the Internet but deny Explorer. ZoneAlarm keeps track of the DLL and such to accomplish this.... I don't remember seeing this level of granularity in shorewall/iptables.

One has to remember that ZoneAlarm is a "personal" firewall built specifically for a single WinXX machine and not a "real" firewall protecting multiple machines in a complex environment.

Regards,
Ed
--
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com
--On Monday, February 24, 2003 10:36:26 PM +0800 Ed Greshko <Ed.Greshko@greshko.com> wrote:

> On Mon, 24 Feb 2003, Tom Eastep wrote:
>
>> > On my windows machine I use a software firewall called ZoneAlarm. One
>> > feature I like is the ability to block applications from using the net.
>> > I've looked with Shorewall and wonder if it does, or was ever meant to.
>> > Not a complaint, a curiosity.
>>
>> Yes. Simply add REJECT rules for those applications that you want to
>> block.
>
> Hummm.... I don't think that is quite accurate. With ZoneAlarm on a
> WinXX machine you can selectively choose which applications you want to
> allow Internet access. You could, for example, allow Netscape to access
> the Internet but deny Explorer. ZoneAlarm keeps track of the DLL and such
> to accomplish this.... I don't remember seeing this level of granularity in
> shorewall/iptables.

Of course not -- Shorewall is a packet filter that can allow "application" ftp access to the internet but not application "ssh". It is certainly not clairvoyant enough to divine the identity of the program on another computer that is generating the packets...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
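As an added illustration (not part of the thread, and not Shorewall's own documentation), this is what "allow application ftp but not application ssh" looks like in a Shorewall rules file. It assumes the sample zone names loc and net, a loc-to-net policy that the two rules override, and the column layout of /etc/shorewall/rules from that era.

```text
# /etc/shorewall/rules (excerpt; added example, not from the thread)
#
# Shorewall matches on protocol and destination port, so "ftp" and "ssh"
# below really mean "traffic to TCP port 21" and "traffic to TCP port 22".
# Which program on the client host generated the packets is invisible here.
#
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      net    tcp     21
REJECT    loc      net    tcp     22
#
# Consequence: any program on a loc host that talks to port 21 gets out,
# and any program that talks to port 22 is rejected. ZoneAlarm-style
# "allow Netscape, deny Explorer" decisions need a control point on the
# end host itself, not on the packet filter in front of it.
```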
On Mon, 24 Feb 2003, Tom Eastep wrote:

> Of course not -- Shorewall is a packet filter that can allow "application"
> ftp access to the internet but not application "ssh". It is certainly not
> clairvoyant enough to divine the identity of the program on another
> computer that is generating the packets...

Right. So, to answer the original question, no, Shorewall was never intended to serve that function.

Further, this function can only be achieved by deploying a solution on the same system as the application. In the case of WinXX it could be ZoneAlarm. In the case of a linux/Unix machine it could be the use of a restricted shell. Both the WinXX and Linux/Unix solutions assume YOU have control over those machines and your "end user" doesn't have the privilege to change settings.

Regards,
Ed
--
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com