The ability to block this by only allowing "approved" programs to
access the Internet would be a nice addition to Iptables.
The ability to only allow "approved" programs to send traffic out *IS*
available now. You are asking for something that the "owner"
match extension will provide via "--cmd-owner", possibly in
combination with "--uid-owner".
Nope. Owner match is not going to do the 'approved' program access check.
Zone Alarm triggers on the name of the program.
For something similar, there needs to be a way for iptables to store and
reference a list of approved process names (not necessarily their access
patterns, such as dest port and so on, but I suppose if the name list is
possible it won't be that hard to tack on extra optional conditions),
and so a trojan running wget would trigger if wget was not in the list
of approved programs.
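An added example, not from anyone in the thread, of how the allowlist the last two posts argue about can be built with the owner match as it exists in current kernels: "--cmd-owner" was removed from the kernel long ago, so each approved program is run under a dedicated uid and only those uids may open outbound connections. The allowlist contents and usernames (_apt, fetcher, ntp) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an egress allowlist on the owner
# match that current kernels still have, --uid-owner. Each approved
# program runs under its own dedicated uid (sudo -u, systemd User=), and
# only those uids may open outbound connections. --cmd-owner is not used:
# the kernel dropped it, and a process controls its own name while its
# uid is a credential the kernel enforces.

# Constructed sample allowlist: "<program>  <username-or-uid>" per line.
# The program column documents the mapping; the uid is what is enforced.
SAMPLE_ALLOWLIST='apt-get   _apt
wget      fetcher
# comments and blank lines are ignored

ntpd      ntp'

# gen_egress_rules <allowlist-text>: print the iptables commands.
gen_egress_rules() {
    uids=''
    while read -r prog user _; do
        case "$prog" in ''|'#'*) continue ;; esac
        # Only a plain username/uid may reach a rule; anything else
        # (shell metacharacters, extra tokens) fails the whole list.
        case "$user" in
            ''|*[!A-Za-z0-9._-]*)
                echo "bad uid for '$prog': '$user'" >&2; return 1 ;;
        esac
        uids="$uids $user"
    done <<EOF
$1
EOF
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    # Replies to already-accepted flows (also local servers answering
    # inbound connections, which INPUT policy governs).
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for u in $uids; do
        echo "iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $u -j ACCEPT"
    done
    # Default deny: log (rate-limited) then reject everything else,
    # which covers the "trojan running wget" case from the thread.
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY "'
    echo 'iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited'
}

# Dry run by default; APPLY=1 feeds the rules to a root shell.
if [ "${APPLY:-0}" = 1 ]; then
    gen_egress_rules "$SAMPLE_ALLOWLIST" | sh -e
else
    gen_egress_rules "$SAMPLE_ALLOWLIST"
fi
```

The owner match only applies in the OUTPUT and POSTROUTING chains, so the uid check cannot be moved into FORWARD for traffic from other hosts.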