[Wine] Re: creating built-in firewall for Wine

oiaohm wineforum-user at winehq.org
Thu Apr 7 07:13:48 CDT 2011


> In short, because the native firewall knows almost nothing about the program. (But I could be mistaken.)
> 

The Linux firewall is able to do applications.  There are a few different ways.

http://www.linux.com/learn/tutorials/421152:using-selinux-and-iptables-together  This is one way: having SELinux tag the approved applications, then iptables allows or forbids based on the tag.

Next is a dedicated user or group, using "-m owner --uid-owner myappuser" or "-m owner --gid-owner myappuser".

Finally there are traffic shaping systems for Linux; these are normally based on iproute2.  This is the most flexible and alterable on the fly.  http://www.freenet.org.nz/python/pyshaper/ is just one of many.  They are designed particularly to join into the default firewall of Linux and expand its functionality, particularly to applications.

Basically a traffic shaping system closes the gap up completely.  An application you want to have no access to the network, you just tell it to be so.

Part of the issue is knowing that per-application controls are not called a firewall but traffic shaping or traffic control.  A firewall assists traffic control but is not a traffic control system.  Yes, I know, strange.   It takes a while to get your head around what that means.

Basically what you call a firewall under Windows is a firewall + traffic shaping/control.   Linux with a traffic controller/shaper is just as functional.  Of course for a lot of routing devices Linux does not need the overhead of firewall + traffic shaping/control.  So they are two parts.

Of course it's 1 wineprefix per application.  Splitting wineserver actions to each application inside a prefix is kinda impossible; it is a blender of messages basically.  Splitting by prefix is possible.   Even inside Windows, splitting all internal calls to Windows out to their source application can be impossible.
 

> Here is an example. Some Windows internet security programs ("firewalls") have a module that could be used for ads filtering. In the simplest form they filter traffic based on keywords and image sizes. The same could be done with the AdBlock add-in for Firefox, but the flexibility of the latter is greater. Moreover one could use very smart rules, because ads are filtered where they must be presented (in the browser).


Linux iptables modules can do this.  Transparent proxy option.  http://www.review-ninja.com/2008/08/transparent-proxy-with-iptables.html  Of course that is every application, and then you can use adblock plugins in a proxy server like squid.

You can transparently proxy POP, IMAP and other things as well for scanning.

This is not application-targeted as such.  But with the other options like SELinux or users and groups it can be.

Boriso, the simple fact of the issue is that if Windows can do it with networking, so can Linux, normally just in a different way.

There is zero reason to need any Windows firewall parts once you understand how to make the Linux firewall and shaping systems fully functional.

In fact with transparent proxy features and other items you can build a system that is more functional than the most expensive Windows internet security programs.  At zero cost.
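As an added example (not code from the original post, from Boriso, or from the Wine project), the following POSIX shell script puts the dedicated-user and transparent-proxy ideas above into practice for one wineprefix. It assumes the prefix is run as a hypothetical Unix user "wineapp", that squid (or any intercepting proxy) listens locally on 127.0.0.1:3128, and that iptables/ip6tables with the owner match are available; the user name, port and chain name are assumptions, not anything the post specifies. In "deny" mode the user gets no network beyond loopback; in "proxy" mode only that user's HTTP is redirected into the local proxy, DNS is allowed so the application can still resolve names, and everything else is rejected.

```shell
#!/bin/sh
# Added example, not code from the original post or from Wine.
# Confine one wineprefix's network access with iptables' owner match:
# the prefix is run as a dedicated Unix user (assumed name: wineapp) and
# everything that user sends is steered into a per-user chain.
#   deny  : no network at all beyond loopback
#   proxy : HTTP (tcp/80) is REDIRECTed to a local transparent proxy
#           (assumed: squid on 127.0.0.1:3128), DNS is allowed so the
#           app can resolve names, everything else is rejected.
# Run as:  wine-net.sh show  deny  wineapp        (print the rules)
#          wine-net.sh apply proxy wineapp 3128   (as root: install them)
# then launch the prefix as that user, e.g.
#   sudo -u wineapp env WINEPREFIX=/home/wineapp/.wine wine app.exe
set -eu

# gen_rules MODE USER [PROXYPORT]: print the iptables/ip6tables commands,
# one per line, without executing anything.
gen_rules() {
    mode=$1
    user=$2
    port=${3:-3128}
    chain="wine_$user"        # one chain per user makes the rules easy to flush

    case $mode in
        deny|proxy) ;;
        *) echo "gen_rules: mode must be deny or proxy" >&2; return 1 ;;
    esac

    for t in iptables ip6tables; do
        echo "$t -N $chain"
        # Loopback must stay open: a REDIRECTed connection reaches the proxy
        # on 127.0.0.1 over lo, and nat OUTPUT is traversed before filter OUTPUT.
        echo "$t -A $chain -o lo -j ACCEPT"
        if [ "$mode" = proxy ]; then
            # A transparently proxied client still resolves names itself
            # before connecting, so DNS has to be allowed (it is a channel
            # out; restrict it to your resolver's address if that matters).
            echo "$t -A $chain -p udp --dport 53 -j ACCEPT"
            echo "$t -A $chain -p tcp --dport 53 -j ACCEPT"
        fi
        # REJECT rather than DROP so the application fails fast instead of hanging.
        echo "$t -A $chain -j REJECT"
        # Hook: the owner match is valid only in OUTPUT and POSTROUTING,
        # since it needs the local socket that sent the packet.
        echo "$t -A OUTPUT -m owner --uid-owner $user -j $chain"
    done

    if [ "$mode" = proxy ]; then
        # Intercept only this user's HTTP; the proxy's own traffic runs under
        # squid's uid and is untouched by the rules above. IPv6 HTTP is simply
        # rejected by the ip6tables chain, so nothing bypasses the proxy.
        echo "iptables -t nat -A OUTPUT -m owner --uid-owner $user -p tcp --dport 80 -j REDIRECT --to-ports $port"
    fi
}

# apply_rules MODE USER [PROXYPORT]: execute what gen_rules prints (needs root).
apply_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

if [ "$#" -ge 3 ]; then
    action=$1
    shift
    case $action in
        apply) apply_rules "$@" ;;
        show)  gen_rules "$@" ;;
        *)     echo "usage: $0 show|apply deny|proxy USER [PROXYPORT]" >&2; exit 2 ;;
    esac
fi
```

The owner match is what makes this per-application rather than per-host: the proxy, the browser and the rest of the desktop run under other uids and never hit the wine_wineapp chain. Note that the rules only see what that uid sends, so the wineserver and every process in the prefix must genuinely run as that user; a prefix started from your normal account is not covered.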

More information about the wine-users mailing list