[sound1]

I am mostly non technical person but why do we need to resort to firewalls etc. if we can employ UNIX like file permission system for network access? Wouldn't it be awesome if we can allow any installed software to contact ONLY whitelisted domains? Of course this excludes web browsers but you get the idea.

How about our mainstream OSes incorporate that kind of permission system similar to what we have in mobile OSes already have today?

[bennysaurus]

It's a fair question and certainly is possible to have firewalls on a per-server basis. We do that for incoming traffic primarily. The catch is if that server itself gets compromised then you can't count on those rules still being enforced.

Having dedicated network appliances acting as firewalls means from a security perspective you need to compromise the local machine and then also compromise a dedicated, hardened external system as well. It vastly ups the difficulty barrier.

[pavs]

Firewalls does a lot more than block ports and services.

[zeroxfe]

Think of them as a defence-in-depth that protect from accidental misconfiguration, software bugs, local exploits, etc.

[Meandering]

SELinux

[sound1]

I didn't know that, learnt somthing today, Thank You!

Again, as a non technical person, why a software needs access to entire internet instead of whitelisted domains specific to its requirements is beyond me, since we already know how UNIX permission system works. Is it so hard to extend that to networks? Especially since everything is file in UNIX? Kindly pardon my ignorance :-)

[Meandering]

You are right. Software doesn't need access to everything and it shouldn't. Unfortunately, it is easier on the consumer end to leave software access somewhat "open ended". The domain for updates may change or it may need to connect to different plugin sources. Unnecessary constrictions on a software's ability to function would fuel software issues. So, more sensitive networks will have administrators define these permissions. However, providing constrictive defaults to a regular consumer wouldn't be worth the customer service burden.

[remram]

You're describing a firewall? How could it be more "UNIX-like"?