
Is there any filtering in ufw which works sort-of like the Windows firewall?
Basically allowing me not only to create ip/port/proto based rules, but also to bind such limitations to specific executables within the system.
A deep read of the man page didn't reveal any indication, so I'm supposing it's not possible, but I also noticed an incredible lack of documentation regarding the python API for ufw, so I'm hoping to find some experienced user who can point me in the right direction.

Gilles 'SO- stop being evil'
nxet

1 Answer

When I was looking for something similar, the suggestions seemed to be along the lines of 'run the program under a separate user', as you can write per-user iptables rules: http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html.

Having said that, SELinux rules might do what you're looking for: https://serverfault.com/questions/563872/selinux-allow-httpd-to-connect-to-a-specific-port. It sounds like SELinux comes with rules for common binaries and their usual ports, like httpd in the above link. What would be required to write rules for arbitrary binaries and/or lock down all connections that don't satisfy a rule I don't know, but it could be worth looking at.

Edit: Just a few similar existing questions:

Per process firewall?

https://stackoverflow.com/questions/5451206/linux-per-program-firewall-similar-to-windows-and-mac-counterparts

https://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service

One of them points to this: https://sourceforge.net/projects/leopardflower/. If you're looking for something wrapped up in a GUI with most of the fiddly stuff taken care of already, this might fit the bill. I linked to sourceforge rather than the newer github page as sourceforge has a screenshot there to give you an idea of what you're looking at, but you'd probably want to grab the newer version from github rather than the 2.5-year-old version on sourceforge if it looks like what you're after.

Blair
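The 'run the program under a separate user' approach from the answer above, worked through as an added example (this is not code from the answer or from ufw). It assumes iptables with the owner match (`-m owner`), which only applies to locally generated packets, so the rules live in the OUTPUT chain; the user name `appuser` and port `443` are constructed placeholders. With `DRY_RUN=1` (the default) the script only prints the commands it would run, so you can review the plan without root; set `DRY_RUN=0` and run as root to apply it.

```shell
#!/bin/sh
# Added example: confine one service's outbound traffic by running it as a
# dedicated user and filtering on that user with the iptables owner match.
# Assumption: iptables with xt_owner support; rules go in OUTPUT because the
# owner match only sees packets generated on this host.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Keep loopback open for the user (local resolver, sockets to other daemons).
allow_user_loopback() {
    run iptables -A OUTPUT -m owner --uid-owner "$1" -o lo -j ACCEPT
}

# Permit exactly one TCP destination port for the user's processes.
allow_user_port() {
    run iptables -A OUTPUT -m owner --uid-owner "$1" -p tcp --dport "$2" -j ACCEPT
}

# Reject everything else the user's processes originate. Must come after the
# ACCEPT rules, since iptables evaluates the chain in order.
block_user_rest() {
    run iptables -A OUTPUT -m owner --uid-owner "$1" -j REJECT
}

# Full policy for one user: loopback + one port allowed, all else rejected.
restrict_user() {
    allow_user_loopback "$1"
    allow_user_port "$1" "$2"
    block_user_rest "$1"
}

# Stand-alone run: show the plan for the constructed user/port.
restrict_user appuser 443
```

To verify the policy once applied, list the chain with `iptables -S OUTPUT` and confirm the three owner rules appear in this order; a quick functional check is `sudo -u appuser curl -sS https://example.invalid` (port 443, should connect) against the same as plain HTTP on port 80 (should be rejected immediately rather than time out). Note that this confines a Unix user, not an executable: anything else run as that user inherits the same restrictions, which is why the answer suggests a user dedicated to the program.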