
#11 filter for selected application only

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2010-05-12
Created: 2010-05-12
Creator: Anonymous
Private: No

Is it possible to enable filtering for specific daemons/programs only, e.g. by pathname?

Normally, only a few P2P programs need to be protected. Programs like FTP clients and web browsers do not need any "ipfilter" protection at all. Using iplist to protect the whole network interface may be overkill.

E.g. web browsing on a multi-user machine:
A user (who may be a computer newbie) is blocked by iplist and has no idea why the web site cannot be accessed.

Although the admin can add a white list to ignore ports like 80, not all web servers use port 80, especially in a LAN, and adding too many ports to the white list may lead to security risks.

Discussion

  • uljanow - 2010-05-13

    Previous versions of the owner module had the --cmd-owner option, which I believe was buggy on SMP systems. But the feature was removed from iptables and the Linux kernel. Dealing with changing PIDs/GIDs for various applications isn't easy to do, especially in user space.

    So what is needed is a patch for the kernel which reimplements the cmd-owner feature in a proper way. This is an interesting task, given the time necessary to do it.

    Since iplist only checks new connections, there is little overhead regardless of the traffic.

  • Anonymous - 2010-05-21

    The traffic overhead is not big, actually.

    The main problem is that in a multi-user environment, a user (without root privileges) browsing a web site may be blocked by iplist.

    Opening a specific port in iplist does not solve the problem, as some web sites do not use 80 as the default port; they may use 6000, 5557, or any port they want.
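As an added example, not iplist's own code and not something either participant above proposed: with the cmd-owner match gone, the closest per-application control netfilter still offers is the owner match keyed on the socket's uid/gid. The script below assumes a hypothetical dedicated group `p2pfilter`, a hypothetical listening port 51413, queue number 0, and a userspace filter (iplist or similar) that is already consuming verdict requests from that NFQUEUE; how iplist itself installs its rules is not assumed. It hands only that group's outbound new connections to the filter, so other users' browsers are never queued, and the whitelist-by-port problem from the ticket does not arise. Because the owner match only sees locally originated packets, inbound connections to the P2P client's listening port are selected by port instead.

```shell
#!/bin/sh
# Added example, not part of iplist. Sends only one group's *outbound new*
# connections, plus inbound new connections to one listening port, to an
# NFQUEUE that a userspace filter is assumed to consume. The group name,
# port and queue number used below are hypothetical placeholders.

# Rule for locally originated connections. -m owner is only valid in OUTPUT
# (and POSTROUTING) because only locally generated packets carry a socket
# owner; --state NEW limits the hand-off to the first packet of a connection.
# --gid-owner compares against the socket's group, so start the P2P client
# with that as its primary group, e.g.:  sg p2pfilter -c 'transmission-gtk'
owner_rule() {
    grp="$1"; queue="$2"
    printf '%s' "OUTPUT -m state --state NEW -m owner --gid-owner $grp -j NFQUEUE --queue-num $queue"
}

# Rule for peers connecting in: there is no owner yet at INPUT time, so the
# client's listening port is the only handle available.
listen_rule() {
    proto="$1"; port="$2"; queue="$3"
    printf '%s' "INPUT -p $proto --dport $port -m state --state NEW -j NFQUEUE --queue-num $queue"
}

# Insert (-I) or delete (-D) both rules. The same rule strings are used for
# both actions so a later cleanup removes exactly what was added.
manage_rules() {
    action="$1"; grp="$2"; proto="$3"; port="$4"; queue="$5"
    # shellcheck disable=SC2046   # word-splitting the rule body is intended
    iptables "$action" $(owner_rule "$grp" "$queue") &&
    iptables "$action" $(listen_rule "$proto" "$port" "$queue")
}

# Usage (as root): ./p2p-queue.sh apply    or    ./p2p-queue.sh revert
case "${1:-}" in
    apply)  manage_rules -I p2pfilter tcp 51413 0 ;;
    revert) manage_rules -D p2pfilter tcp 51413 0 ;;
esac
```

Two caveats a deployer should keep in mind. First, this is per-group, not per-executable: anyone who can run a process under `p2pfilter` gets filtered, and a P2P client started outside that group is not, so it is weaker than the pathname match the ticket asks for. Second, `--gid-owner` classically checks the socket's primary group only, which is why the client is launched with `sg`; newer iptables/kernels add `--suppl-groups` to also check supplementary groups, and `-m conntrack --ctstate NEW` is the modern spelling of `-m state --state NEW`.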
