[TriLUG] host-based dynamic app/port firewall?

Kevin Hunter hunteke at earlham.edu
Mon Oct 29 20:31:25 EDT 2012


At 11:01am -0400 Wed, 24 Oct 2012, Cristóbal Palmer wrote:
> On Wednesday, October 24, 2012 at 12:57 AM, Kevin Hunter wrote:
>> Hullo List,
>>
>> I've found myself pondering the fact that I have intermittent
>> network services on my machine. That is to say, sometimes I start
>> Apache, disable SSH, or temporarily fire-up a DHCP server.
>>
>> IPTables is fan-friggin-tastic, but if I at all want to nerd out
>> and enable/disable the ports when the service is (not) running I
>> must do it manually.

> Are you basing your question on what the Mac OS X firewall
> purportedly now does, which is to only allow outbound connections for
> signed applications?

No, but now that you mention it, that would be a logical next step to my 
question.  I was just asking for my edification.  I appreciate your 
insightful response.

> I know of no specific tool for wrangling iptables based on apparmor
> profiles or similar, and I especially know of no system that would
> open and close ports based on what services you've started and
> stopped.

Given the appearance of Upstart and then systemd, and their model of 
events to describe the transitions of the state of a box (i.e., a 
rule-based system for starting and stopping daemons, rather than an 
ordered list of scripts), I would think that a logical first place to 
implement such a beast might be in their service description files. 
There would be no need of an extra daemon to monitor ports and binaries, 
and it would amount to just another set of dependent rules.

As Kevin pointed out, "one size does _not_ fit all", so I'd also guess 
that a necessary co-requisite of this would be some sort of text/GUI 
application for viewing and modifying these rules, specific to the 
firewall.

Cheers,

Kevin
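The systemd approach sketched in the reply above, as an added example that is not part of the original thread: a small POSIX sh helper (hypothetical name port-gate, assumed installed at /usr/local/sbin/port-gate, iptables assumed at /sbin/iptables) that a unit's ExecStartPost= and ExecStopPost= lines call to insert and remove one iptables ACCEPT rule, plus a function that prints the drop-in override for a given unit. It assumes a host whose INPUT chain drops new connections by default, so the port is reachable only while the rule exists.

```shell
#!/bin/sh
# port-gate: open a host firewall port when a systemd unit starts and close it
# when the unit stops. Called from ExecStartPost= / ExecStopPost= in a drop-in.
# Added example; the helper name, install path and iptables path are assumptions.

IPTABLES="${IPTABLES:-/sbin/iptables}"                 # assumed path; overridable for tests
PORT_GATE="${PORT_GATE:-/usr/local/sbin/port-gate}"    # assumed install path of this script

# fw_rule ACTION PROTO PORT: run one iptables operation (-I insert, -C check,
# -D delete) against the same ACCEPT rule, so the three can never drift apart.
fw_rule() {
    "$IPTABLES" "$1" INPUT -p "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# port_open PROTO PORT: insert the rule only if it is not already present,
# so a unit restart (ExecStartPost runs again) does not stack duplicates.
port_open() {
    if fw_rule -C "$1" "$2" 2>/dev/null; then
        return 0
    fi
    fw_rule -I "$1" "$2"
}

# port_close PROTO PORT: delete every copy of the rule. A single -D would
# leave the port open if a duplicate had crept in by hand.
port_close() {
    while fw_rule -C "$1" "$2" 2>/dev/null; do
        fw_rule -D "$1" "$2" || return 1
    done
    return 0
}

# dropin_text UNIT PROTO PORT: print the override to install as
# /etc/systemd/system/UNIT.d/port-gate.conf (then run: systemctl daemon-reload).
# '+' runs the hook as root even when the unit sets User= (systemd >= 231);
# '-' on the stop hook keeps a failed cleanup from marking the unit as failed.
# ExecStopPost also runs when the main process dies, so a crash closes the port.
dropin_text() {
    cat <<EOF
# port-gate override for $1: allow $2/$3 only while the service is running.
[Service]
ExecStartPost=+$PORT_GATE open $2 $3
ExecStopPost=-+$PORT_GATE close $2 $3
EOF
}

# Command-line entry point; does nothing when sourced without arguments.
if [ "$#" -gt 0 ]; then
    case "$1" in
        open)   port_open "$2" "$3" ;;
        close)  port_close "$2" "$3" ;;
        dropin) dropin_text "$2" "$3" "$4" ;;
        *) echo "usage: $0 open|close PROTO PORT | dropin UNIT PROTO PORT" >&2; exit 2 ;;
    esac
fi
```

To wire it to Apache: `port-gate dropin apache2 tcp 80 > /etc/systemd/system/apache2.service.d/port-gate.conf` followed by `systemctl daemon-reload`; the same pattern covers `ssh` on tcp/22 or a DHCP server on udp/67. The rule is inserted at the head of INPUT, so it wins over anything later in the chain; check the chain with `iptables -S INPUT` after a stop to confirm it is gone. With Type=forking, ExecStartPost only runs once the parent exits, so the daemon may already be listening for a moment before the rule lands, which is harmless under a default-drop policy but is the kind of ordering detail a unit-based firewall has to get right.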