[Wine] creating built-in firewall for Wine

Martin Gregorie martin at gregorie.org
Fri Apr 8 14:34:38 CDT 2011


On Fri, 2011-04-08 at 12:59 -0500, Boriso wrote:
> I think that some kind of script or internal Wine command would be
> great if it could create a new Wine prefix and configure some
> restrictions in IPTables and/or AppArmor.
>
There is no relationship at all between the IPTables firewall and
AppArmor/SELinux[1].

The IPTables firewall is only concerned with controlling TCP/IP access
to a computer - both TCP/IP sessions and datagrams. It controls
incoming connections from external TCP/IP data sources and also controls
outgoing connections. That's all it does. It neither knows nor cares what
program is trying to make or receive network connections: it is purely a
perimeter guard.

OTOH AppArmor/SELinux is concerned with extending control over the way a
specific program can access resources (files, etc.) provided within a
computer. SELinux adds labels to file system resources to implement
Access Control Lists (ACLs) that restrict access in ways that the file
ownership and associated read/write/execute permissions cannot. It
neither knows nor cares about network access apart from the trivial case
of specifying which users can connect to a network port. 

[1] There are two implementations of this security tool, which was
originally designed to bring Linux installations in line with DOD
requirements. AppArmor is used by some distros and SELinux by others.


Martin




