Besides, on Windows it fails if you only look at the .exe files. svchost.exe will load just anything that has .dll in its name, keeping svchost.exe itself legit.
I get your idea, I did this myself in Windows XP once. It was hell. Stuff just randomly broke.
My firewall is kind of 'complicated' (yes, I like reading docs).
The backward thing is kind of nice at best, but I would probably not be able to resist rewriting it once I get my hands on this. Fortunately, I'm stuck with 3.10 for the nvidia blob since nouveau causes my card to deadlock at really random moments.
iptables - administration tool for IPv4 packet filtering and NAT
[ ....................... ]
This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.
Matches if the packet is associated with a socket.
Furthermore, I also use a VPN (IPSEC) and allow internet connection sharing. You have to be careful not to allow the person using your internet connection to access the other side of your IPSEC VPN (ever thought about that?). This could happen if you have a default rule for masquerading, which I require for my qemu hosts to work properly (this way they can access my home network).
A standard firewall is not safe once you have a slightly adventurous setup. And as you can see, I'm able to use netfilter to do some really nifty things. And yes, there have been moments where there was a hole. But it was never worse than the default configuration.
That being said, I don't trust my router which implies I'm replicating NAT on each box (your very own router can be hacked as well, why blindly trust it?). And then I also slapped some basic DDOS protection on it while I'm there.
I think, on and off, I have tweaked the firewall for quite a few years. But I haven't touched it in ages; it's working *exactly* how I want it and how I expect it to. Furthermore, tinkering like this helps you explore more stuff about Linux. I learned about ip, routing tables, MAC addresses, tcpdump (godsend), wireshark (tcpdump made cool) and the netfilter connection tracking tables.
I even went into the RFC docs once to differentiate NAT UDP packets that were either part of IKE (some bitfield is zero) or part of ESP itself. This taught me about bitfields.
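As an added example (not the commenter's own ruleset), a dry-run shell script that applies the two ideas from the comment: the owner match for locally generated packets, and masquerading scoped so that shared-connection clients cannot reach the far side of the VPN. The subnets, interface name and uid are constructed placeholders; by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Dry-run by default: run with IPT=iptables as root to apply for real.
IPT="${IPT:-echo iptables}"

# Constructed values: adjust to your own setup.
QEMU_NET="192.168.122.0/24"   # qemu guests that need masquerading
VPN_NET="10.8.0.0/16"         # remote side of the IPsec tunnel
SHARE_IF="wlan0"              # interface used for internet connection sharing
GUEST_UID="1001"              # local account allowed only DNS and HTTPS

owner_rules() {
    # The owner match only sees locally generated packets (OUTPUT/POSTROUTING);
    # forwarded packets have no socket and are never matched here.
    $IPT -A OUTPUT -m owner --uid-owner "$GUEST_UID" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner "$GUEST_UID" -p tcp --dport 443 -j ACCEPT
    # Everything else from that uid is rejected; other uids are untouched.
    $IPT -A OUTPUT -m owner --uid-owner "$GUEST_UID" -j REJECT
}

nat_rules() {
    # Drop forwarding from shared clients into the VPN network before any
    # accept rule, so a catch-all forward rule cannot leak the tunnel.
    $IPT -A FORWARD -i "$SHARE_IF" -d "$VPN_NET" -j DROP
    # Masquerade only the qemu subnet, and never towards the VPN side,
    # instead of a default "masquerade everything" rule.
    $IPT -t nat -A POSTROUTING -s "$QEMU_NET" ! -d "$VPN_NET" -j MASQUERADE
}

owner_rules
nat_rules
```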
https://bugs.freedesktop.org/show_bug.cgi?id=70566 . I even tried netconsole -> no output. Switched to the blob to rule out a defect card.
I wouldn't be surprised these cards are exhibiting this behaviour since nouveau does not reclock their engines. We are actually using them in a way that they were not designed for.
here at the first post. I call that insane.