Slightly more sophisticated rules engine (feature suggestion)
Created by: lepasserby
It would be nice if we were given just a tiny bit more flexibility with regards to the rules for applications being allowed / blocked.
Specifically, it would be nice to have the ability to specify which interfaces the applications are allowed to use, which IPs/subnets and ports they are allowed to access (if any), which is pretty much bread-and-butter of firewalls, in my humble opinion.
Possible use case: In a VPN setting, only allow direct internet access to applications responsible for monitoring, maintaining and (in case of failure) re-establishing the VPN connection, while limiting all other applications to the VPN's tun, localhost, or LAN.
Specifically, in case of Mullvad (pretty decent VPN), that would mean allowing unfettered internet access to mullvad (python2), openvpn, and (in some cases) obfsproxy while limiting all other applications to tun interface, LAN connectivity and localhost.
In case of a connection "hiccup" and / or mullvad daemon crash, Douane would prevent traffic from escaping to the internet, but LAN-related stuff (such as a network printer) and daemons listening on localhost would still be okay. More importantly, upon restart of the mullvad daemon the system will be able to re-establish the VPN connection (including an obfsproxy-enabled VPN connection) and resume normal operation without additional intervention on the user's part.
Another use case: Prevent TOR browser leaks. Everything but TOR is only allowed localhost (where TOR listens), while TOR remains unfettered. In case the TOR browser becomes compromised by malicious JavaScript or a plugin (assuming there is no privilege escalation involved), the malicious script / plugin would not be able to bypass Douane and phone home, since "everything but TOR" is prohibited from direct internet access.
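A minimal model of the rule semantics proposed in this request (per-application allow rules scoped by interface, destination network and port, with default deny), as an added example that is not Douane's code or the poster's. The process names, the `tun0` interface name and the `9050`/`9150` SOCKS ports are assumptions based on typical Mullvad and Tor setups.

```python
import ipaddress
from typing import List, Optional, Set

# Destination networks used by the rules (assumed, typical RFC1918 LAN ranges).
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


class Rule:
    """One allow rule; a field left as None places no restriction on that dimension."""

    def __init__(self, app: str, interfaces: Optional[Set[str]] = None,
                 networks: Optional[List] = None, ports: Optional[Set[int]] = None):
        self.app = app                      # process name, "*" matches any application
        self.interfaces = interfaces        # allowed egress interfaces
        self.networks = networks or ANY     # allowed destination networks
        self.ports = ports                  # allowed destination ports

    def matches(self, app: str, iface: str, dst: str, port: int) -> bool:
        if self.app != "*" and self.app != app:
            return False
        if self.interfaces is not None and iface not in self.interfaces:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        # Address-family mismatch (e.g. IPv6 dst vs IPv4 network) is simply "not in".
        return any(ipaddress.ip_address(dst) in net for net in self.networks)


# VPN use case: only the VPN tooling may leave directly; everything else is
# confined to the tunnel interface, the LAN, or localhost (names assumed).
VPN_POLICY = [
    Rule("mullvad"), Rule("openvpn"), Rule("obfsproxy"),
    Rule("*", interfaces={"tun0"}),
    Rule("*", networks=LAN + LOCALHOST),
]

# Tor use case: tor is unfettered; everything else only reaches the local SOCKS port.
TOR_POLICY = [
    Rule("tor"),
    Rule("*", networks=LOCALHOST, ports={9050, 9150}),
]


def decide(policy: List[Rule], app: str, iface: str, dst: str, port: int) -> bool:
    """Default deny: the connection is allowed only if some rule matches it."""
    return any(rule.matches(app, iface, dst, port) for rule in policy)
```

With the daemon crashed, a browser's attempt to reach a public address over `eth0` is denied while a print job to a LAN printer still goes through, which is exactly the fail-closed behaviour the request describes.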