I would be careful, a critical buffer overflow vulnerability was just found in the Douane kernel module: <a href="https://github.com/Douane/douane-dkms/commit/61023b91fbafab8e63d8c271ec25aa0929f2f643" rel="nofollow">https://github.com/Douane/douane-dkms/commit/61023b91fbafab8...</a>
Nice project and makes you think why all programs are given all network access by default.<p>This page lists nothing under Packages but the author has actually made AUR packages for Archlinux:<p><a href="https://github.com/Douane/Douane/wiki/Archlinux-Packaging" rel="nofollow">https://github.com/Douane/Douane/wiki/Archlinux-Packaging</a><p>Here's a directly link to the installation instructions for anyone who'd want to try it out<p><a href="https://github.com/Douane/Douane/wiki/Compilation" rel="nofollow">https://github.com/Douane/Douane/wiki/Compilation</a>
I remember using this sort of applications on Windows (a very long time ago; those were the days of Windows 98, whose famous stability drove me to Linux and BSD). Can some of its users help me shed some light on the use case of such a program on an open source system? I mean:<p>- Signed packages from trusted repos <i>should</i> not need firewalling, at least not if you're using a serious distro rather than a hobby project. This isn't true in the general case, of course (hence things like OpenBSD's auditing of base packages), but this is a personal firewall, it's not exactly intended for server-grade equipment...<p>- If you install packages from dubious PPAs all over the Interwebs, a puny kernel module is unlikely to stop the two rootkits that you've probably already installed. Same for a system that has already been compromised.<p>- Untrusted applications (which you're running straight on your system, rather than nicely tucked in a VM with no network access because...?) -- as practical experience on Android and Windows shows -- will generally break as soon as they can't do their snooping because they'll segfault or block waiting for the answer that never came to the package that was never sent anyway.<p>I see a lot of talk in the Linux desktop field about building lines of defense against untrusted programs. I see why this is relevant to users who are routinely running closed-source programs (no, I don't personally audit every line of code running on my system, but a public source code repository is sort of a stupid place to hide malicious code when there's so much <i>fully closed</i> code being purchased from "app" stores and downloaded from all over the web and whatnot). I find it hard to understand why it would be relevant on an open source desktop.<p>Things like Wayland's sandboxing, I get to some degree -- it's only a matter of time before JavaScript code in a browser will get access to <i>more</i> stuff from your computer, which will eventually include stuff like keystrokes and mouse events and whatnot, so it'll have to be properly sandboxed. But why a personal firewall? What sort of applications do you find yourself wanting to block, and <i>why</i> for heaven's sake are you running them on your Linux computer, when it's really 2017 and there's plenty of choice in terms of applications.
I like the Little Snitch style "allow/deny per binary" thing. It's really unfortunate that it needs a new kernel module because current default firewalls (pf, iptables, etc.) only operate on IP addresses don't know anything about processes.
A centrally managed app permissions system would go a long way to improving Linux’s desktop experience. For example in Wayland, there's a huge tug-of-war going on between security minded people who don’t want keyloggers and screen capture vs average desktop users that want their old global shortcuts and screen capture/remote access apps to work.<p>I think a permission system like Douane’s would solve this divide.
I like this.<p>Linux has been missing a personal firewall with good GUI for a looong time.<p>I'll probs give it a try on a VM and see how well it works.
The reason I like control like this is the reason I want a plastic shutter/window on all phone and laptop cameras I should trust ur software butttttttt I still want the extra piece of mind. Also I don't trust software since ...ya know...zero days.