<div dir="ltr">Firehol will do just fine allowing very specific services from your LAN machines to the internet.<div>For HTTP/HTTPS I suggest installing a proxy and controlling the allowed URLs there. So, direct layer 3 HTTP/HTTPS should not be allowed, only through the proxy. Firehol can also set up a transparent HTTP proxy for you (but not HTTPS - HTTPS cannot be intercepted - the clients will have to be configured to use the proxy for HTTPS).</div>
<div><br></div><div>Costa</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 3, 2014 at 1:35 AM, Whit Blauvelt <span dir="ltr">&lt;<a href="mailto:whit@transpect.com" target="_blank">whit@transpect.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To the degree it can set what types of services you can be a client of, yes.<br>
But if the key logger or whatever is using an HTTP(S) POST or GET to send<br>
your data across, and you allow HTTP(S) clients out over the firewall,<br>
you've still got trouble.<br>
<br>
You could allow only HTTP(S) clients to connect to specific IPs. For most of<br>
us, that would be a nonstarter. But if you wanted to have a system that<br>
could only connect to your bank, and your bank's at a fixed IP, you could<br>
easily do that.<br>
<br>
Whit<br>
<div><div class="h5"><br>
On Tue, Sep 02, 2014 at 08:45:14PM +0100, Robin wrote:<br>
> I feel I need to install a firewall and Ubuntu comes with a very simple one,<br>
> but I noticed it did not stop outgoing comms, or provide for a white list,<br>
> dealing with communications going from key loggers, zombie machines, etc.<br>
> Does firehol help in this regard?<br>
><br>
><br>
<br>
</div></div>> _______________________________________________<br>
> Firehol-support mailing list<br>
> <a href="mailto:Firehol-support@lists.firehol.org">Firehol-support@lists.firehol.org</a><br>
> <a href="http://lists.firehol.org/mailman/listinfo/firehol-support" target="_blank">http://lists.firehol.org/mailman/listinfo/firehol-support</a><br>
</blockquote></div><br></div>
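A FireHOL configuration for the setup described in Costa's reply, as an added example that is not part of the original thread or of the FireHOL project's own files. The interface names, the LAN subnet, the `version 5` line, the routed service list and the use of Squid on the firewall host under the user `squid` are assumptions.

```conf
version 5

# Assumed layout (constructed for this example):
#   eth0 = LAN, 192.168.1.0/24      eth1 = internet uplink
#   Squid runs on this firewall host, listens on 3128, runs as user "squid".
#   URL allow-listing itself is done in the proxy's ACLs, not here.

# Send LAN traffic to TCP/80 into the local proxy. Traffic generated by the
# listed user is exempt, so the proxy's own requests are not redirected.
transparent_squid 3128 "squid" inface eth0 src 192.168.1.0/24

# LAN side of the firewall host: clients may reach only the proxy and DNS here.
interface eth0 lan src 192.168.1.0/24
    policy reject
    server "dns squid" accept

# Internet side of the firewall host: the host (and so the proxy) may fetch
# web content and resolve names; nothing is served to the outside.
interface eth1 wan
    protection strong
    policy drop
    client "dns http https" accept

# Forwarded LAN -> internet traffic: specific services only.
# http and https are deliberately absent, so direct layer 3 web access is
# rejected and HTTPS works only for clients configured to use the proxy.
router lan2wan inface eth0 outface eth1
    masquerade
    policy reject
    route "smtp imaps ntp" accept
```

Packets that hit the `reject` and `drop` policies are logged by FireHOL, which gives a record of LAN hosts attempting outbound connections outside the allowed set.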