by floatboth 3441 days ago
I like the Little Snitch style "allow/deny per binary" thing. It's really unfortunate that it needs a new kernel module because current default firewalls (pf, iptables, etc.) only operate on IP addresses and don't know anything about processes.

That's not the case at all.

The traditional way to filter a program's network traffic with netfilter is to give each piece of software its own uid, which can then be filtered. You will need it anyway to set ulimits and file access rights.

Also avoid deciding policy by process name. Even using the full path is problematic (where things like hard links can give nasty surprises). Better to do what SELinux does and tag executables with metadata instead. Any role based system will be much more expressive, but also more complex, than a uid based one.
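As an added illustration of the uid-based approach described in the comment above (example code written for this page, not from the thread): a POSIX shell script that generates, and optionally installs, iptables rules restricting outbound traffic for one dedicated service uid via the `owner` match. The user name `svc_fetch` and the allowed ports are hypothetical placeholders.

```shell
#!/bin/sh
# Per-uid egress filtering with the iptables "owner" match. The owner match is
# only valid in the OUTPUT and POSTROUTING chains, which is what makes a dedicated
# uid (sudo -u svc_fetch ..., or User= in a systemd unit) a usable policy handle.
set -eu

# Emit the iptables commands for one uid:
#   $1 = user name (hypothetical: svc_fetch), $2 = space-separated allowed TCP ports
# Policy: loopback and established flows pass, listed ports may be opened,
# everything else is rate-limited logged and rejected.
owner_rules() {
  user=$1; ports=$2
  chain="OUT_$(printf '%s' "$user" | tr 'a-z' 'A-Z')"
  printf 'iptables -N %s\n' "$chain"
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$user" "$chain"
  printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
  printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
  for p in $ports; do   # intentional word splitting on the port list
    printf 'iptables -A %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$chain" "$p"
  done
  printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "%s: "\n' "$chain" "$chain"
  printf 'iptables -A %s -j REJECT --reject-with icmp-admin-prohibited\n' "$chain"
}

# Count the generated rules, useful as a sanity check before applying them.
rule_count() {
  owner_rules "$1" "$2" | wc -l | tr -d ' '
}

# Feed the generated commands to a shell; needs root and the iptables binary.
apply_rules() {
  owner_rules "$1" "$2" | sh -e
}

case "${1:-}" in
  --apply) apply_rules "${2:-svc_fetch}" "${3:-443}" ;;
  *)       owner_rules svc_fetch "443 80" ;;   # dry run: just print the commands
esac
```

Blocked attempts show up in the kernel log with the `OUT_SVC_FETCH:` prefix, which is where a detection rule for "this service tried to talk somewhere unexpected" would hook in.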

On mainline Linux SELinux can be used for this sort of thing. You can either block applications from opening certain network connections straight away, or you can use SELinux in conjunction with netfilter/iptables to filter traffic coming from certain applications. This is a very powerful tool, but as always with SELinux it's not exactly simple to configure.

Netfilter can delegate the fate of a packet to userland. It can be done for all packets or only the first packet of each connection (thanks to conntrack). Userland can then easily match the packet with a local connection or a local application's listening socket.

There is nothing bundled inside Netfilter for this anymore because this is racy: several unrelated processes can use the same socket. The processes may come and go whenever they want.

There is also some prior art (but it's a dead project): NuFirewall.

Not true, at least according to https://www.frozentux.net/iptables-tutorial/iptables-tutoria...

Edit: Looks like that only matches the process "task command name", so it probably won't work for full paths. I guess that's why they use their own kernel module?

Edit2: Never mind. That feature disappeared with 2.6.14, 10 years ago: https://lists.netfilter.org/pipermail/netfilter/2007-January...

It should be possible to implement this using an LSM like Tomoyo or AppArmor.

AppArmor certainly has it. It's also pretty easy in AppArmor if the rules you want to set are permanent, but I don't know if a dynamic API exists for AppArmor.