Securing outgoing traffic in untrusted net with firewalld?

Support for security such as Firewalls and securing linux
Post Reply
crowhop
Posts: 4
Joined: 2016/01/30 14:24:42

Securing outgoing traffic in untrusted net with firewalld?

Post by crowhop » 2016/02/02 09:30:13

Hi,

I am running CentOS 7 on a laptop and want to harden it for an untrusted network. My assumption is that I am in an untrusted network (like a public wifi hotspot) that is monitored. Therefore, I only want to allow specific applications to access the internet via this untrusted network. Once back in my home network, I want to allow all again.

Example: I want to disallow automatic software updates (the network could see that I connect to CentOS repositories and infer I am running it), but I do want to allow Firefox as the single application that is allowed in this network. All other applications (like Chrome, other browsers) I want to block with the exception of vital system networking services like dhcp-client.

So far, I found only the possibility to open specific ports, but nothing based per application.

Is there a way to do this with firewalld? Are there any other possibilities to limit outgoing traffic based on application?

aks
Posts: 2829
Joined: 2014/09/20 11:22:14

Re: Securing outgoing traffic in untrusted net with firewall

Post by aks » 2016/02/02 16:18:17

Not the applications you mentioned AFIK. Applications can "talk" to firewalld via the d-bus (the applications need to be coded and built to do this) I've heard that libvirt can - and that's the only one I've heard of. The idea is that applications could make runtime firewall (that's what the direct interface is there for), perhaps that'll happen over time as it's down to the individual application projects to code and enable that functionality?

As an aside, you could make a list of ins and outs you allow for one setting at attach that to a zone. Create another list of ins and outs to be allowed and attach to another zone, then just switch zones based on where you are or what you are doing.

crowhop
Posts: 4
Joined: 2016/01/30 14:24:42

Re: Securing outgoing traffic in untrusted net with firewall

Post by crowhop » 2016/02/02 16:52:14

Would there be a possibility to filter the traffic based on the process owner? I.e. I block all outgoing traffic and allow traffic for processes that my user owns?

aks
Posts: 2829
Joined: 2014/09/20 11:22:14

Re: Securing outgoing traffic in untrusted net with firewall

Post by aks » 2016/02/03 17:02:59

Nope.
You are very welcome to code it up though :D Sounds like a lot of work!
AFAIK, the (at the moment) the only published interface is d-bus, so there will be an API between firewalld and d-bus's API, which could be used for such things. I guess you could come up with something to replace firewalld (firewalld is actually a "wrapper" around iptables) that could insert/delete rules based on UID (user running the program). Actually that shouldn't be very hard, but getting it to perform well probably would be.

Post Reply

Return to “CentOS 7 - Security Support”