I'm going to assume that you are wanting to do this for outgoing connections, so that you can, for example, restrict which sites firefox can access, etc. For incoming connections, the --uid-owner option for iptables (see bug #852129) is probably good enough since daemons typically run under their own UID.
Filtering by command used to be possible with iptables via the --cmd-owner option (see http://www.debian-administration.org/article/120/Application_level_firewalling) but the functionality was removed because it didn't work well (https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=34b4a4a624bafe089107966a6c56d2a1aca026d4) and blocked other kernel work. Others have tried to make this happen via userspace, but trying to do this via userspace is not optimal. A kernel LSM is in a position to provide this level of network access controls by utilizing secmark rules. SELinux can do this now (I don't know if it is integrated in a higher level tool though) and AppArmor (the default LSM in Ubuntu) will be able to do this in the future (it is unclear at this time if this will be wholly within AppArmor or if there can be ufw integration).

** Changed in: ufw (Ubuntu)
   Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1163098

Title:
  there is no way to block individual apps in firewall

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1163098/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
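The per-UID approach the reply points to, written out as an added example (this is not code from the bug thread or from ufw): run the application under a dedicated local user and let the iptables owner match restrict what that UID may reach on the OUTPUT chain. The user name "fx-restricted", the allowed network 192.0.2.0/24 and the UID 1234 used in the comments are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: approximate "block this app" with the iptables owner match
# (-m owner --uid-owner) by running the app under its own UID, for example
#   sudo -u fx-restricted firefox      # "fx-restricted" is an assumed user
# The owner match only sees locally generated packets, so this covers
# outgoing connections; it is not per-binary filtering.

# Emit the rules for one UID. They are printed rather than applied so they
# can be reviewed, diffed, or fed to iptables-restore.
owner_rules() {
    uid="$1"; allow_net="$2"
    # Replies to conversations that were already allowed keep flowing.
    echo "-A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the permitted destination network is reachable for this UID.
    echo "-A OUTPUT -m owner --uid-owner $uid -d $allow_net -j ACCEPT"
    # Everything else this UID generates is logged (rate-limited) and dropped,
    # which gives a detection signal as well as enforcement.
    echo "-A OUTPUT -m owner --uid-owner $uid -m limit --limit 5/min -j LOG --log-prefix \"uid-$uid-blocked: \""
    echo "-A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Wrap the rules into an iptables-restore fragment for the filter table.
restore_fragment() {
    echo "*filter"
    owner_rules "$1" "$2"
    echo "COMMIT"
}

# Load the fragment without flushing existing rules when run as root;
# otherwise just show what would be loaded.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        restore_fragment "$1" "$2" | iptables-restore --noflush
    else
        restore_fragment "$1" "$2"
    fi
}

# Example invocation with the assumed UID 1234 and TEST-NET range 192.0.2.0/24.
# apply_rules "$(id -u fx-restricted)" 192.0.2.0/24
apply_rules 1234 192.0.2.0/24
```

Since the rules match on UID, the same restriction applies to any process that user runs, not just the browser, so the dedicated account should be used for nothing else.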