iptables doesn't let you know when a particular program tries to access an outside host and choose whether you want to allow that.
Speaking of a desktop (not a server) firewall, I'm rarely even interested in which host/port/whatever a connection is about. What matters to me is which app initiated it (if it's initiated from outside my PC, it should always be blocked).
Iptables used to expose a field attributing a connection to a particular process, but this feature was only available in old 2.4.x kernels, IIRC.
> iptables doesn't let you know when a particular program tries to access an outside host and choose whether you want to allow that.
How does this model work for commonly used programs like curl? Do you block it and then can't use it at all in your shell scripts, or do you whitelist it and hope that nefarious programs don't use it to exfiltrate data?
This is complicated, yes. This is why I didn't manage to achieve the perfect result with AppArmor: many of the apps I used on Linux are non-native, so it seemed I could only allow/block the entire Python or JVM (or curl, but I rarely use it, so not a problem for me). Perhaps there was a way to analyse the parent process and/or the command line, perhaps whatever; AppArmor (let alone SELinux) felt too complicated (and cumbersome to operate) to be worth the time.
On Windows and Mac I don't really mind enabling/disabling the whole of Python/Java/whatever, because I can do so in a couple of clicks (and I use more native apps there anyway, many untrusted native apps in particular).
By the way, there are many processes on Linux which I would like to silence, and theoretically could silence by just removing them, since I never need them: I mean Avahi, Samba, etc. However, today's distros have all sorts of essential packages depending on these and won't let you uninstall them without destroying everything.
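The attribution the thread is after (which process owns a given outbound connection, and what spawned it) can still be recovered on a modern kernel from /proc, which is what `ss -p` does. The following is an added example, not code from the thread: /proc/net/tcp lists each socket's inode and owning UID, the `socket:[inode]` links under /proc/&lt;pid&gt;/fd tie that inode to a PID, and /proc/&lt;pid&gt;/stat gives the parent, so a connection made by `curl` can be traced back to the shell script or application that launched it. The sample /proc/net/tcp text, the addresses in it and the `owners` mapping used in the test are constructed.

```python
"""Attribute established TCP connections to the owning process via /proc (Linux)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Socket states as encoded in the "st" column of /proc/net/tcp.
_TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
               "08": "CLOSE_WAIT", "0A": "LISTEN"}


@dataclass
class TcpEntry:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _hex_to_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
    # (little-endian on x86), so the bytes must be reversed to read them.
    return ".".join(str(b) for b in bytes.fromhex(hex_addr)[::-1])


def parse_proc_net_tcp(text: str) -> List[TcpEntry]:
    """Parse the contents of /proc/net/tcp, header line included."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        entries.append(TcpEntry(_hex_to_ipv4(laddr), int(lport, 16),
                                _hex_to_ipv4(raddr), int(rport, 16),
                                _TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return entries


def _comm(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def socket_owners() -> Dict[int, Tuple[int, str]]:
    """Scan /proc/<pid>/fd and map socket inode -> (pid, comm).
    Other users' processes are only visible when run as root."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (int(pid), _comm(int(pid)))
    return owners


def parent_chain(pid: int, limit: int = 8) -> List[Tuple[int, str]]:
    """Walk /proc/<pid>/stat upwards: [(pid, comm), (ppid, comm), ...]."""
    chain = []
    while pid > 1 and len(chain) < limit:
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
        except OSError:
            break
        # comm sits in parentheses and may contain spaces; split after the last ')'.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 1:].split()[1])
        chain.append((pid, comm))
        pid = ppid
    return chain


def attribute(entries: List[TcpEntry],
              owners: Dict[int, Tuple[int, str]]) -> List[dict]:
    """Join connections with their owning process; listening sockets are skipped."""
    out = []
    for e in entries:
        if e.state == "LISTEN":
            continue
        pid, comm = owners.get(e.inode, (None, None))
        out.append({"comm": comm, "pid": pid, "uid": e.uid,
                    "remote": f"{e.remote_addr}:{e.remote_port}", "state": e.state})
    return out


# Constructed sample of /proc/net/tcp: a local listener on 3306 and one outbound
# HTTPS connection from UID 1000 (placeholder addresses).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = attribute(parse_proc_net_tcp(fh.read()), socket_owners())
    for row in live:
        chain = parent_chain(row["pid"]) if row["pid"] else []
        print(row, "<-", " <- ".join(c for _, c in chain[1:]))
```

Run as root to see every user's sockets; as an ordinary user only your own processes resolve, which is still enough for the desktop case discussed here. The parent chain is what answers the curl question above: the socket belongs to `curl`, but the chain shows whether it was spawned by your own script or by something you did not expect.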
> but how would you deal with the notifications in a CLI env
That's a very interesting question. I'd love to invent something terminal-based for fun and for future occasions when I'm probably going to need it, but I've never actually needed it so far. I use GUI DEs 100% of the time, and I don't really care to firewall particular processes on the remote servers I SSH to; those have other security policies doing the job pretty well for them.
Perhaps it could be a named pipe that a TUI app (running in a separate virtual console, or in a terminal multiplexer) would connect to.
Vuurmuur is an example of a nice TUI firewall app.
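The named-pipe idea in the post above, carried through as an added prototype (not code from the thread or from Vuurmuur): the firewall daemon writes one JSON line per connection event to a request FIFO, a TUI running in another console or multiplexer pane reads it, asks the user, and writes the verdict back through a reply FIFO. The FIFO paths, event fields and the `decide()` callback are assumptions, and the interactive prompt is replaced by a fixed `prompt_policy` so the exchange can be demonstrated in one process with two threads. The events are constructed.

```python
"""FIFO channel between a firewall daemon and a TUI prompt (prototype, Linux/POSIX)."""
import json
import os
import tempfile
import threading
from typing import Callable, Dict


def make_channel(directory: str):
    """Create the two FIFOs: requests (daemon -> TUI) and replies (TUI -> daemon).
    Mode 0600 matters: whoever can write to the reply FIFO can answer prompts."""
    req = os.path.join(directory, "fw-requests")
    rep = os.path.join(directory, "fw-replies")
    os.mkfifo(req, 0o600)
    os.mkfifo(rep, 0o600)
    return req, rep


def daemon_ask(req: str, rep: str, event: Dict) -> str:
    """Firewall side: publish one event as a JSON line and block for the verdict.
    open() on a FIFO blocks until the other side opens it, which is the handshake."""
    with open(req, "w") as fh:
        fh.write(json.dumps(event) + "\n")
    with open(rep) as fh:
        reply = json.loads(fh.readline())
    if reply.get("id") != event["id"]:
        raise RuntimeError("reply does not match request")
    return reply["verdict"]


def tui_serve_once(req: str, rep: str, decide: Callable[[Dict], str]) -> Dict:
    """TUI side: read one event, let decide() (stand-in for the prompt) judge it,
    and send back {"id", "verdict"}."""
    with open(req) as fh:
        event = json.loads(fh.readline())
    verdict = decide(event)
    with open(rep, "w") as fh:
        fh.write(json.dumps({"id": event["id"], "verdict": verdict}) + "\n")
    return event


def prompt_policy(event: Dict) -> str:
    """Stand-in for the human: default-deny, allow only the browser to port 443."""
    if event["comm"] == "firefox" and event["dport"] == 443:
        return "allow"
    return "deny"


def run_exchange(event: Dict, decide: Callable[[Dict], str] = prompt_policy) -> str:
    """Run both halves concurrently over fresh FIFOs and return the verdict."""
    with tempfile.TemporaryDirectory() as d:
        req, rep = make_channel(d)
        seen: Dict = {}
        t = threading.Thread(target=lambda: seen.update(tui_serve_once(req, rep, decide)))
        t.start()
        verdict = daemon_ask(req, rep, event)
        t.join()
    return verdict


# Constructed events, as a daemon might emit them after attributing a socket to a process.
EVENTS = [
    {"id": 1, "comm": "firefox", "pid": 4242, "uid": 1000, "dst": "93.184.216.34", "dport": 443},
    {"id": 2, "comm": "python3", "pid": 4311, "uid": 1000, "dst": "203.0.113.7", "dport": 8443},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["comm"], "->", f'{ev["dst"]}:{ev["dport"]}', run_exchange(ev))
```

In a real deployment the daemon would hold the packet (or the new connection) until the verdict arrives and apply a timeout that falls back to deny, and the TUI would be the only process with write access to the reply FIFO; the one-request-per-open pattern above keeps the framing trivial, at the cost of reopening the pipes for every prompt.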