LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  12-12-2022, 04:48 PM
boughtonp (Senior Member; Registered: Feb 2007; Location: UK; Distribution: Debian)
Interactive / prompting application firewall


I need an application firewall - i.e. interactive software that pauses connections and displays a prompt (for every connection without an existing rule), allowing the user to pick options such as (allow|deny) (port|process) (once|until logout|always), and then either drops or unpauses the connection in accordance with selection (creating a rule if appropriate).

I previously looked into this about a year ago and was disappointed by the results:
Quote (originally posted by boughtonp):
    Neither of those projects appears in Debian or Arch repos.

    * Douane is at https://douaneapp.com/ and that page includes "Warning: unfortunately the project is suffering of a kernel freeze bug that can break your machine!"
    * OpenSnitch is at https://github.com/evilsocket/opensnitch and checking a few recent issues, I'm not reassured about that project either.

    Searching for alternatives...
    * Leopard Flower personal firewall for Linux (LPFW) was abandoned Oct 2020;
    * TuxGuardian hasn't been updated since 2006;
    * Portmaster is Alpha software;
    * LAF appears to be vapourware;
    * Picosnitch does monitoring-only (no blocking).

    Looking through the Portmaster website, there's plenty of points in its favour - when they ditch Electron I might give it a try.
It seems Douane still has that bug, Portmaster is still on Electron, I still don't trust OpenSnitch, and no matches in Debian's repos.

So, does anyone know any other interactive firewalls that allow ad hoc rules via GUI prompts and which are worth considering?

#2  12-14-2022, 08:01 AM
boughtonp (Original Poster; Senior Member; Registered: Feb 2007; Location: UK; Distribution: Debian)

Well after a bunch more depressing searches, I have come to the conclusion that to get what I want I'll need to write my own. :/

Yet another chore, but at least it shouldn't be too bad - both iptables and nftables have libnetfilter_queue, which queues packets and asks a userspace application to deliver an accept/drop verdict. There's a Python binding, which looks to be straightforward...
Code:
iptables -A INPUT -j NFQUEUE --queue-num 1
iptables -A OUTPUT -j NFQUEUE --queue-num 1
Code:
from netfilterqueue import NetfilterQueue

def print_and_accept(pkt):
    # Called once per queued packet; the packet stays held in the kernel
    # until a verdict (accept/drop) is given here.
    print(pkt)
    pkt.accept()

queue_num = 1  # must match --queue-num in the iptables rules above
nfqueue = NetfilterQueue()
nfqueue.bind(queue_num, print_and_accept)
try:
    nfqueue.run()  # blocks, dispatching each packet to the callback
except KeyboardInterrupt:
    print('')
finally:
    nfqueue.unbind()  # always release the queue on exit
So I should be able to plug a simple Tk interface to display the relevant information and choices and so on.
(Not sure if nfqueue will provide process names by default, but if not Picosnitch does do that part, so I can use its method.)


Probably unlikely to happen in the next few weeks, but if after a few months someone finds this thread and I haven't posted what I end up with, feel free to prod me.

And I'm still interested if anyone knows of any existing solutions that'll save me the effort - I have more interesting projects I'd rather be progressing.
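To show the verdict logic the NFQUEUE callback above would need, here is an added example (my code, not boughtonp's and not the netfilterqueue API): it parses the raw IP bytes the callback receives via pkt.get_payload(), keeps a rule table with the once / until-logout / always lifetimes from post #1, and calls a prompt callback (standing in for the Tk dialog) only when no rule matches. Conn, RuleTable, decide, the lifetime names and the sample packet are my own; the process-name lookup is left out.

```python
import struct
from collections import namedtuple

# Connection tuple pulled from the packet: proto is 6 (TCP) or 17 (UDP).
Conn = namedtuple("Conn", "proto src sport dst dport")

def parse_ipv4_tcp(raw):
    """Read the 5-tuple from a raw IPv4 packet carrying TCP or UDP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto not in (6, 17):
        raise ValueError("only IPv4 TCP/UDP is handled here")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length, options included
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return Conn(proto, dotted(src), sport, dotted(dst), dport)

class RuleTable:
    """Verdicts keyed on (proto, dport) with the lifetimes the prompt offers."""
    def __init__(self):
        self.until_logout = {}   # cleared by logout()
        self.always = {}         # a real tool would persist these to disk

    def add(self, conn, allow, lifetime):
        key = (conn.proto, conn.dport)
        if lifetime == "always":
            self.always[key] = allow
        elif lifetime == "until_logout":
            self.until_logout[key] = allow
        # "once": store nothing, so the next packet prompts again

    def lookup(self, conn):
        key = (conn.proto, conn.dport)
        return self.always.get(key, self.until_logout.get(key))

    def logout(self):
        self.until_logout.clear()

def decide(table, raw, prompt):
    """Return 'accept' or 'drop'; prompt(conn) -> (allow, lifetime) stands in for the GUI."""
    conn = parse_ipv4_tcp(raw)
    allow = table.lookup(conn)
    if allow is None:                     # no rule yet: pause here and ask the user
        allow, lifetime = prompt(conn)
        table.add(conn, allow, lifetime)
    return "accept" if allow else "drop"

# Constructed sample packet: IPv4/TCP from 10.0.0.5:40000 to 192.0.2.10:443.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + struct.pack("!HH", 40000, 443)
```

In the real callback, decide() would be fed pkt.get_payload() and its result mapped to pkt.accept() or pkt.drop(), with the prompt running in the GUI thread while the packet stays queued.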

#3  06-03-2023, 05:27 PM
TeusLollo (LQ Newbie; Registered: Jun 2023)
Quote (originally posted by boughtonp):
    Probably unlikely to happen in the next few weeks, but if after a few months someone finds this thread and I haven't posted what I end up with, feel free to prod me.
I'm interested, and it's been a few months. Did anything come out of it?
#4  06-04-2023, 05:05 AM
////// (Member; Registered: Nov 2005; Location: Land of Linux :: Finland; Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os)
I am also interested in what you have come up with.
#5  06-04-2023, 08:31 AM
boughtonp (Original Poster; Senior Member; Registered: Feb 2007; Location: UK; Distribution: Debian)

Unfortunately not - I've been tangled up in assorted other issues and haven't even managed to look at it yet. :(

#6  06-04-2023, 11:49 AM
tredegar (LQ 5k Club; Registered: May 2003; Location: London, UK; Distribution: Fedora38)
Have you considered OpenSnitch?
https://www.makeuseof.com/opensnitch...twork-threats/
https://github.com/evilsocket/opensnitch
#7  06-08-2023, 04:02 PM
////// (Member; Registered: Nov 2005; Location: Land of Linux :: Finland; Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os)
Quote (originally posted by tredegar):
I started to play with it; it looks like a good program.
#8  08-22-2023, 10:43 PM
jvz (LQ Newbie; Registered: Aug 2023)
Quote (originally posted by boughtonp):
    I previously looked into this about a year ago and was disappointed by the results:

    It seems Douane still has that bug, Portmaster is still on Electron, I still don't trust OpenSnitch, and no matches in Debian's repos.

    So, does anyone know any other interactive firewalls that allow ad hoc rules via GUI prompts and which are worth considering?
Douane doesn't work at all for me, and I don't think it has been updated in years? I also found that OpenSnitch and Portmaster both miss connections such as ICMP and from some AppImages, or assign the connection to the wrong program, and I'm not sure what OpenSnitch does to my iptables, but there are a few programs it makes unbearably slow to launch, whether they were allowed or not.

I tried picosnitch and so far have settled on using it for monitoring and setting Firejail to be used by default for some programs to block network access.

It may not have GUI prompts, but so far this setup has been working really well for me so I thought I'd share, and was interested if you had gotten around to making any progress with your idea.
#9  08-24-2023, 05:48 AM
boughtonp (Original Poster; Senior Member; Registered: Feb 2007; Location: UK; Distribution: Debian)

Thanks jvz, but still no progress; instead I seem to be accumulating blockers that are preventing me from making progress with anything. :(

#10  09-22-2023, 04:52 PM
jvz (LQ Newbie; Registered: Aug 2023)
Instead of blocking specific programs with Firejail or using a userspace application for prompts, I now drop everything with iptables for my primary user, and have created a secondary user with network access. Anything I want connecting to the internet I just run as the secondary user, and I have Picosnitch running in the background to verify/alert me of any issues with my setup.

So far this gives me much better performance, and better privacy and usability. I'll report back on this after trying it for a few more weeks or if I change anything.