Old March 9th 19, 03:24 AM posted to alt.comp.os.windows-10
Default Reason *TO* pick on Windows 10

On 3/8/19 6:12 PM, Mayayana wrote:
"T" wrote

| * To have a simple, easy firewall that will block outgoing
| processes as well as inbound, and let me choose to
| enable only specific processes to go out.
|
| firewalld. And there is a GUI for it too.
|

Yet another iptables wrapper. "Written in python.
It was intended to be ported to C++, but the porting
project was abandoned in January 2015."

So it's a script wrapper that's no longer supported?

"Firewalld currently does not support outbound rules to the same capacity of
inbound rules. Limitations include things such as ipsets, service names, and
default outbound block by default rules required by standards such as NIST
800-171 and 800-53. Default block all needs to be done at the "raw" IPTables
level via the --direct flag, and with the order of operations FirewallD uses
to prioritize rules, rich rules, direct rules, it may be easier to enter
all rules for outbound via --direct or use iptables (netfilter-persist)"

That doesn't sound very user-friendly to me. Or
very functional. No support for "default outbound
block by default"? Is it me, or are they saying it
doesn't really work as a firewall? The only feature
I specifically requested was "default outbound block
by default".

"The firewalld.conf file in /etc/firewalld provides the base configuration
for firewalld."

Oh, goody. The old /etc config file trick. I don't
even know if it's a usable firewall yet but their
website is already telling me all sorts of technical
details.

But there's a nice diagram that explains it all here:

https://firewalld.org/documentation/concepts.html

Can I block outgoing per-process? I have no idea.
It doesn't sound promising. Sounds like I'd have to
start by adjusting the programs that are default
whitelisted to control the firewall themselves. (!)
Huh?! What kind of firewall would default whitelist
programs that are allowed to adjust the firewall?!
This sounds like some kind of horror show that
runs on an iPhone....

In Windows I get a dialogue when anything tries
to go out, unless there's already a rule for that
program. I then choose the setting I want. That's
it. Simple. Common sense. And if I want to I can
specify protocols and ports.

In firewalld? Who knows. I'd have to read all the
technical docs to understand what it is, then I
guess I'd also need to familiarize myself with the
Linux network APIs so that I could understand
the docs.
It seems to be connected with something called
DBus. Let's look up DBus. Let's see. It's seems to
be a means for both RPC and local inter-process
communication. Well why didn't you say so?
(I happen to be one of the 1 in 500 people who
knows what RPC is.)
But I don't want any RPC functionality. That's part
of why I need a firewall. Hmm.

The homepage does have a list of features, but
most of it means nothing to me. "Complete D-Bus
API with bridge and ipset support." Sounds good,
whatever that is. But why do I need an API? In
Windows I click a button. I don't see anything in
the feature list like, "Control online access of all
software, on a per-process basis." It does say
it has "Timed firewall rules in zones". Timed rules?
Who wants timed rules? I don't want MS spyware
calling home at 1PM but it's OK after 5? And what's
a zone? I don't have any zones. I have a computer.
... Never mind. I'm getting tired.

You could always use iptables. That is what I use on
mine and my customer's servers. No GUI though.
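As an added illustration of the "default outbound block" that the quoted firewalld text says needs the raw iptables layer, here is a small script (not from either poster) that generates an iptables-restore ruleset with OUTPUT and INPUT policies set to DROP and only explicit allowances. iptables has no per-process match; the closest it offers is the owner match on UID, so the UID (1000) and the allowed ports (53, 80, 443) are constructed sample values.

```bash
#!/bin/sh
# egress_ruleset UID
# Prints an iptables-restore ruleset: block everything outbound and inbound
# by default, then allow loopback, reply traffic, DNS, and new HTTP/HTTPS
# connections only when started by the given UID (owner match, OUTPUT only).
egress_ruleset() {
    uid="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner ${uid} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "
COMMIT
EOF
}

# Returns 0 only if the generated ruleset really defaults to dropping
# outbound traffic; a quick self-check before applying it.
ruleset_is_default_deny() {
    egress_ruleset "$1" | grep -q '^:OUTPUT DROP'
}

# Usage: sh egress.sh 1000 > egress.rules
# then, as root and ideally with a scheduled rollback in case of lock-out:
#   iptables-restore < egress.rules
egress_ruleset "${1:-1000}"
```

Anything not matched by an ACCEPT line is logged (rate-limited) and dropped, so the kernel log shows which program or UID is trying to call home, which is the information the Windows pop-up dialog gives you.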
