
ufw, and by extension iptables, lacks features such as per-process rules. You have to do hacks like assigning rules to users and running the processes under different users. Tails does this to isolate the Tor Browser process.

When you check out the link, see that nothing like this exists on Linux. The closest thing on OS X would be Little Snitch.
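The "dedicated user" hack the comment describes, as an added example that is not from this thread or from Tails: a browser runs under its own account, and an iptables owner match (which keys on the socket's owning UID, so child processes are covered) confines that account's egress. The account name "browser", the allowed network 203.0.113.0/24 and the chain name BROWSER_OUT are assumptions; rules are printed rather than applied unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example: per-process egress control on Linux via a dedicated user
# plus iptables' owner match. Not code from the thread or from Tails.
# Assumed names: user "browser", allowed CIDR 203.0.113.0/24, chain BROWSER_OUT.
# By default every command is printed; set APPLY=1 (as root) to execute.
set -eu

BROWSER_USER="${BROWSER_USER:-browser}"         # assumed dedicated account
ALLOWED_NET="${ALLOWED_NET:-203.0.113.0/24}"    # assumed: what the browser may reach

# run: print the command line, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# create_user: the isolated account the browser will run as
create_user() {
    run useradd -m "$BROWSER_USER"
}

# egress_rules: only sockets owned by $BROWSER_USER are diverted into
# BROWSER_OUT, where they may reach $ALLOWED_NET and loopback; everything
# else they send is logged (rate limited) and rejected.
# The owner match works in the OUTPUT chain only (locally generated traffic).
egress_rules() {
    run iptables -N BROWSER_OUT
    run iptables -F BROWSER_OUT
    run iptables -A BROWSER_OUT -o lo -j ACCEPT
    run iptables -A BROWSER_OUT -d "$ALLOWED_NET" -j ACCEPT
    run iptables -A BROWSER_OUT -m limit --limit 5/min -j LOG --log-prefix "browser-egress-drop: "
    run iptables -A BROWSER_OUT -j REJECT --reject-with icmp-port-unreachable
    # the jump itself is the per-process (really per-UID) selector
    run iptables -I OUTPUT 1 -m owner --uid-owner "$BROWSER_USER" -j BROWSER_OUT
}

# launch: start the application as the dedicated user so every socket it
# and its children open carries that UID and hits BROWSER_OUT
launch() {
    run sudo -u "$BROWSER_USER" -H "$@"
}

# Show the plan (set APPLY=1 to really apply it):
create_user
egress_rules
launch firefox
```

The LOG rule is what gives a crude answer to "tell me when something dials out": rejected attempts show up in the kernel log with the browser-egress-drop prefix, though only for the one UID, and only after the fact rather than interactively.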

GitHub isn't down, flush your DNS, it's leftover cached NXDOMAINs from this morning's outage.

You can also clear your browser DNS cache with chrome://net-internals/#dns

I think my original meaning is there are lots of teams and not all of them are bad :-)




> ufw, and by extension iptables, lacks features such as per-process rules.

iptables --pid-owner[1]

> I think my original meaning is there are lots of teams and not all of them are bad :-)

Sure, you find diamonds in the rough, but when their AV and their certificate teams are trash does that inspire confidence? When their antivirus software bundles a 'secure browser' that disables CORS (!!!) and infects you only by scanning a file then why is it safe to assume that they know what the fuck they are doing as a company?

That's like assuming it's safe for a doctor to operate on your kidney, despite killing all their patients when operating on other organs, because you know, it's different.

The firewall might work and have the slickest interface, but if it's full of buffer overflows and written by an idiot then it's not the best, is it?

1. https://linux.die.net/man/8/iptables


> iptables --pid-owner[1]

That's broken (it only matches the exact PID, not child processes, and according to the documentation does not work on SMP systems). It also got removed at some point. There is a cgroup match which may be usable instead; network namespaces may also be a good solution in some cases.
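The two alternatives this comment names, as an added example that is not from the thread: (a) the cgroup match, where every process placed in a cgroup (children included, since membership is inherited) is filtered by OUTPUT rules keyed on the cgroup path, and (b) a network namespace, where the sandboxed process only sees a veth whose traffic must cross the host's FORWARD chain. The cgroup name "browser", the namespace name "sandbox", the uplink "eth0", the veth addresses 10.200.1.0/24 and the allowed network 203.0.113.0/24 are all assumptions; commands are printed unless APPLY=1 is set, in which case they need root, iproute2, and an iptables with cgroup v2 support (the --path form).

```shell
#!/bin/sh
# Added example, not code from the thread. Two ways to bind firewall rules
# to a process tree on Linux without the removed --pid-owner match.
# Assumed names: cgroup "browser", netns "sandbox", uplink "eth0",
# veth subnet 10.200.1.0/24, allowed CIDR 203.0.113.0/24.
# Commands are printed by default; APPLY=1 executes them (as root).
set -eu

CGROUP="${CGROUP:-browser}"                  # assumed cgroup v2 path under /sys/fs/cgroup
NETNS="${NETNS:-sandbox}"                    # assumed namespace name
UPLINK="${UPLINK:-eth0}"                     # assumed host interface
ALLOWED_NET="${ALLOWED_NET:-203.0.113.0/24}" # assumed destination the app may reach
NS_NET=10.200.1.0/24; HOST_IP=10.200.1.1; NS_IP=10.200.1.2  # assumed veth addresses

# run: print the command line, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# (a) cgroup match. The --path is relative to the cgroup v2 root and matches
# the cgroup and everything below it. The cgroup and the rules must exist
# before the process starts; that is the a priori setup the next comment
# complains about.
cgroup_rules() {
    run mkdir -p "/sys/fs/cgroup/$CGROUP"
    run iptables -A OUTPUT -m cgroup --path "$CGROUP" -o lo -j ACCEPT
    run iptables -A OUTPUT -m cgroup --path "$CGROUP" -d "$ALLOWED_NET" -j ACCEPT
    run iptables -A OUTPUT -m cgroup --path "$CGROUP" -j REJECT
}

# cgroup_exec: move a throwaway shell into the cgroup, then exec the app
# in its place so the app and all of its children inherit the membership.
cgroup_exec() {
    run sh -c "echo \$\$ > /sys/fs/cgroup/$CGROUP/cgroup.procs && exec \"\$@\"" sh "$@"
}

# (b) network namespace. Inside the namespace the app has only veth-ns and
# a default route through the host, so the host's FORWARD chain sees every
# packet and ordinary destination rules apply. No owner/cgroup match needed.
netns_setup() {
    run ip netns add "$NETNS"
    run ip link add veth-host type veth peer name veth-ns
    run ip link set veth-ns netns "$NETNS"
    run ip addr add "$HOST_IP/24" dev veth-host
    run ip link set veth-host up
    run ip netns exec "$NETNS" ip addr add "$NS_IP/24" dev veth-ns
    run ip netns exec "$NETNS" ip link set veth-ns up
    run ip netns exec "$NETNS" ip link set lo up
    run ip netns exec "$NETNS" ip route add default via "$HOST_IP"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i veth-host -d "$ALLOWED_NET" -j ACCEPT
    run iptables -A FORWARD -i veth-host -j REJECT
    run iptables -t nat -A POSTROUTING -s "$NS_NET" -o "$UPLINK" -j MASQUERADE
}

# netns_exec: start the app inside the namespace
netns_exec() {
    run ip netns exec "$NETNS" "$@"
}

# Show both plans (set APPLY=1 to really apply them):
cgroup_rules
cgroup_exec firefox
netns_setup
netns_exec firefox
```

Either approach confines children as well as the launched process, which is the part --pid-owner got wrong, but both require the cgroup or namespace to be set up before launch; neither gives the interactive "new process wants out, allow?" prompt that the Little Snitch comparison is about.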


True, but the cgroup match and namespaces require a priori configuration. I want something that will warn me when a new process is trying to dial out.


> lacks features such as per-process rules. You have to do hacks like assigning rules to users

From a practical standpoint, I find it hard to imagine that the cost of the added complexity of configuring application rules per user would outweigh the benefits of simply configuring them system-wide. I remember the days of terminal clients logging into mainframes, but all I see are single-user desktops. Things like location on the network matter more in an application firewall than which user is accessing the desktop.


I didn't mean per user vs. per system, so much as per process image, i.e. Firefox can get out to *, but sandbox cannot.

If you have never used something like Little Snitch on MacOS, it is very surprising to see all the outgoing connections from processes. It returns some control to the user to block cloud services, application dial-home, etc.

Being able to interactively allow/deny access to resources (say via hostname or via IP) per connection per process (image?) is very valuable.

This is hard to do in Linux. There are several good solutions to do this in MacOS and Windows.



