forbid internet access to an application? - Networking


Page 1 of 2 (results 1 to 20 of 22)

Thread: forbid internet access to an application?

  1. forbid internet access to an application?

    Hi, I'd like to ask if it's possible to restrict access to the internet for
    an application (i.e. the list of files which belong to a package).
    Under Windows there are plenty of firewall programs, which let you decide
    if an application should access the internet or not.
    I looked on the internet and didn't find anything similar under Linux. From
    what I could understand, neither AppArmor nor SELinux can do that...

    Thank you.





  2. Re: forbid internet access to an application?

    On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
    form:

    > Hi, I'd like to ask if it's possible to restrict access to the internet for
    > an application (i.e. the list of files which belong to a package).
    > Under Windows there are plenty of firewall programs, which let you decide
    > if an application should access the internet or not.
    > I looked on the internet and didn't find anything similar under Linux. From
    > what I could understand, neither AppArmor nor SELinux can do that...
    >
    > Thank you.



    man hosts.deny


    --
    David M (dmacchiarolo)
    http://home.triad.rr.com/redsled
    T/S 53
    sled351 Linux 2.4.18-14 has been up 2 days 9:54


  3. Re: forbid internet access to an application?

    In comp.os.linux.networking David M :
    > On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
    > form:


    >> Hi, I'd like to ask if it's possible to restrict access to the internet for
    >> an application (i.e. the list of files which belong to a package).
    >> Under Windows there are plenty of firewall programs, which let you decide
    >> if an application should access the internet or not.
    >> I looked on the internet and didn't find anything similar under Linux. From
    >> what I could understand, neither AppArmor nor SELinux can do that...
    >>
    >> Thank you.



    > man hosts.deny


    This is meant to restrict incoming connections, not outgoing ones. A
    typical Linux installation isn't infested with spyware and malware,
    so there might not be demand for such an application?

    Though one could run some cron job, checking for apps opening
    outgoing connections and killing them if they can't be found in a
    given file with allowed apps. I suppose it shouldn't take more
    than 20 minutes to stick a halfway working script together.

    If there is no such thing you want, consider writing your own
    and put the source online, so others might use and perhaps
    improve it.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 50: Change in Earth's rotational speed
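The cron-job idea in the post above, written out as an added example (this is not code from the thread or from any poster). It parses /proc/net/tcp, maps each socket inode to its owning process through /proc/<pid>/fd, and reports or kills processes whose executable is not on an allowlist. The sample /proc/net/tcp text, the inode-to-process map used in testing and the executable paths are constructed; the script assumes Linux on a little-endian host (the hex addresses in /proc/net/tcp are in host byte order) and enough privilege to read other users' /proc entries.

```python
#!/usr/bin/env python3
"""Watchdog for the cron-job idea above: find processes holding outbound TCP
sockets and report (or kill) those whose executable is not on an allowlist.

Added example, not code from the thread.  It parses /proc/net/tcp (IPv4;
/proc/net/tcp6 has the same columns with 32-hex-digit addresses), maps socket
inodes to processes via /proc/<pid>/fd, and checks /proc/<pid>/exe against
the allowlist.  Assumes Linux, a little-endian host (addresses are in host
byte order) and enough privilege to read other users' /proc entries.
"""
import os
import re
import signal
import socket
import struct
import sys

# Values of the "st" column in /proc/net/tcp (kernel tcp_states.h).
ESTABLISHED, SYN_SENT, LISTEN = 0x01, 0x02, 0x0A
OUTBOUND_STATES = {ESTABLISHED, SYN_SENT}

# Constructed sample of /proc/net/tcp for offline use; not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0A00000A:C350 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0A00000A:C351 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22): address in host order, port big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text (header skipped) into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return conns

def socket_owners():
    """Map socket inode -> (pid, exe path) by walking /proc/<pid>/fd on the live system."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited, or not readable at this privilege level
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = (int(pid), exe)
    return owners

def find_violations(conns, owners, allowed_exes):
    """Return {pid: (exe, (ip, port))} for outbound sockets of non-allowlisted executables.

    Listening sockets and loopback peers are ignored (the question is about the
    internet, not local IPC); sockets with no visible owner are skipped."""
    bad = {}
    for c in conns:
        if c["state"] not in OUTBOUND_STATES or c["remote"][0].startswith("127."):
            continue
        owner = owners.get(c["inode"])
        if owner is not None and owner[1] not in allowed_exes:
            bad[owner[0]] = (owner[1], c["remote"])
    return bad

def run(allowed_exes, kill=False):
    """One pass over the live system; returns the violations found."""
    with open("/proc/net/tcp") as fh:
        violations = find_violations(parse_proc_net_tcp(fh.read()), socket_owners(), allowed_exes)
    for pid, (exe, (ip, port)) in violations.items():
        print(f"pid {pid} {exe} -> {ip}:{port}")
        if kill:
            os.kill(pid, signal.SIGTERM)
    return violations

if __name__ == "__main__":
    # e.g. in root's crontab: * * * * * /usr/local/sbin/egress-watch.py --kill /usr/bin/ssh /usr/bin/firefox
    args = sys.argv[1:]
    run({a for a in args if a != "--kill"}, kill="--kill" in args)
```

Two caveats worth keeping in mind: a poll from cron only sees connections that are still open when it runs, so a short HTTP check can complete between two passes; and the allowlist is keyed on the executable path, so, as pointed out later in the thread, a renamed or hard-linked copy of the program walks past it. This polices a cooperative application, not malware.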

  4. Re: forbid internet access to an application?

    lucatrv wrote:
    > Hi, I'd like to ask if it's possible to restrict access to the internet for
    > an application (i.e. the list of files which belong to a package).
    > Under Windows there are plenty of firewall programs, which let you decide
    > if an application should access the internet or not.
    > I looked on the internet and didn't find anything similar under Linux. From
    > what I could understand, neither AppArmor nor SELinux can do that...


    The netfilter owner module can accomplish this objective (according to
    the man page, though I've never used it). The switch you want is
    --cmd-owner, however the man page also states that cmd matching is
    broken on SMP machines. YMMV

  5. Re: forbid internet access to an application?

    Hello,

    Allen Kistler a écrit :
    >
    > The netfilter owner module can accomplish this objective (according to
    > the man page, though I've never used it). The switch you want is
    > --cmd-owner, however the man page also states that cmd matching is
    > broken on SMP machines.


    Support for the --pid-owner, --sid-owner and --cmd-owner options has
    been removed from kernel 2.6.14 and later versions.

    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

    Rip out cmd/sid/pid matching since it's unfixably broken and stands in
    the way of locking changes to tasklist_lock.

  6. Re: forbid internet access to an application?

    On Sat, 26 May 2007 19:54:25 +0200, Michael Heiming rearranged some
    electrons to form:

    > In comp.os.linux.networking David M :
    >> On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
    >> form:

    >
    >>> Hi, I'd like to ask if it's possible to restrict access to the internet for
    >>> an application (i.e. the list of files which belong to a package).
    >>> Under Windows there are plenty of firewall programs, which let you decide
    >>> if an application should access the internet or not.
    >>> I looked on the internet and didn't find anything similar under Linux. From
    >>> what I could understand, neither AppArmor nor SELinux can do that...
    >>>
    >>> Thank you.

    >
    >
    >> man hosts.deny

    >
    > This is meant to restrict incoming connections, not outgoing ones. A
    > typical Linux installation isn't infested with spyware and malware,
    > so there might not be demand for such an application?
    >
    > Though one could run some cron job, checking for apps opening
    > outgoing connections and killing them if they can't be found in a
    > given file with allowed apps. I suppose it shouldn't take more
    > than 20 minutes to stick a halfway working script together.
    >
    > If there is no such thing you want, consider writing your own
    > and put the source online, so others might use and perhaps
    > improve it.


    I misread the OP, I thought he was trying to block incoming
    connections. My mistake.


    --
    David M (dmacchiarolo)



  7. Re: forbid internet access to an application?

    In comp.os.linux.networking Allen Kistler :
    > lucatrv wrote:
    >> Hi, I'd like to ask if it's possible to restrict access to the internet for
    >> an application (i.e. the list of files which belong to a package).
    >> Under Windows there are plenty of firewall programs, which let you decide
    >> if an application should access the internet or not.
    >> I looked on the internet and didn't find anything similar under Linux. From
    >> what I could understand, neither AppArmor nor SELinux can do that...


    > The netfilter owner module can accomplish this objective (according to
    > the man page, though I've never used it). The switch you want is
    > --cmd-owner, however the man page also states that cmd matching is
    > broken on SMP machines. YMMV


    Indeed, nice shot. I see other options I hadn't seen last time
    checking the man page. Presuming the OP had done his homework, I
    didn't bother to take a look before replying...

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 4: static from nylon underwear

  8. Re: forbid internet access to an application?

    In comp.os.linux.networking Pascal Hambourg :
    > Hello,


    > Allen Kistler a écrit :


    >> The netfilter owner module can accomplish this objective (according to
    >> the man page, though I've never used it). The switch you want is
    >> --cmd-owner, however the man page also states that cmd matching is
    >> broken on SMP machines.


    > Support for the --pid-owner, --sid-owner and --cmd-owner options has
    > been removed from kernel 2.6.14 and later versions.


    Interesting, seems my man page is broken and the OP back to the
    script I had already recommended. ;-)

    > [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner


    > Rip out cmd/sid/pid matching since it's unfixably broken and stands in
    > the way of locking changes to tasklist_lock.


    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 338: old inkjet cartridges emanate barium-based
    fumes

  9. Re: forbid internet access to an application?

    On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:

    > Indeed, nice shot. I see other options I hadn't seen last time
    > checking the man page. Presuming the OP had done his homework, I
    > didn't bother to take a look before replying...


    One should never make such assumptions regarding outhouse excess users


  10. Re: forbid internet access to an application?

    Allen Kistler writes:

    >lucatrv wrote:
    >> Hi, I'd like to ask if it's possible to restrict access to the internet for
    >> an application (i.e. the list of files which belong to a package).
    >> Under Windows there are plenty of firewall programs, which let you decide
    >> if an application should access the internet or not.


    That would of course be entirely trivial to evade. Just make a hard link to
    the program with a different name.

    It is like denying access to a building to anyone who says their name is John.
    How long would that be effective?

    If you told us which program you wanted to restrict, then we could perhaps
    give better advice.

    >> I looked on the internet and didn't find anything similar under Linux. From
    >> what I could understand, neither AppArmor nor SELinux can do that...


    >The netfilter owner module can accomplish this objective (according to
    >the man page, though I've never used it). The switch you want is
    >--cmd-owner, however the man page also states that cmd matching is
    >broken on SMP machines. YMMV


  11. Re: forbid internet access to an application?

    In comp.os.linux.networking Dave Uhring :
    > On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:


    >> Indeed, nice shot. I see other options I hadn't seen last time
    >> checking the man page. Presuming the OP had done his homework, I
    >> didn't bother to take a look before replying...


    > One should never make such assumptions regarding outhouse excess users


    It might offer a better start than the usual IE/G2 combination? ;-)

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 269: Melting hard drives

  12. Re: forbid internet access to an application?

    On Mon, 28 May 2007 14:42:35 +0200, Michael Heiming wrote:

    > In comp.os.linux.networking Dave Uhring :
    >> On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:

    >
    >>> Indeed, nice shot. I see other options I hadn't seen last time
    >>> checking the man page. Presuming the OP had done his homework, I
    >>> didn't bother to take a look before replying...

    >
    >> One should never make such assumptions regarding outhouse excess users

    >
    > It might offer a better start then the usual IE/G2 combination? ;-)


    Yes, at least the OP is using a real newsserver. But it is still
    unreasonable ever to expect a Windows user to do his homework or read the
    readily available documentation. It's always "must ask someone else" for
    those cretins.


  13. Re: forbid internet access to an application?

    Michael Heiming a écrit :
    >
    >>>The netfilter owner module can accomplish this objective

    >
    >>Support for the --pid-owner, --sid-owner and --cmd-owner options has
    >>been removed from kernel 2.6.14 and later versions.

    >
    > Interesting, seems my man page is broken


    It seems the paragraph about the "owner" match in the iptables man page
    has been last updated one year before the 2.6.14 kernel was released.

    > and the OP back to the script I had already recommended. ;-)


    Unless he uses a non-SMP kernel version < 2.6.14, including the latest
    2.4 versions.

    P.S. : Special thanks to Dave Uhring for calling me a cretin.

  14. Re: forbid internet access to an application?

    > That would of course be entirely trivial to evade. Just make a hard link
    > to the program with a different name.
    >
    > It is like denying access to a building to anyone who says their name is
    > John. How long would that be effective?


    I understand, but that would be the behaviour of malign code. I'm not
    talking about that, but only about preventing some normal application from
    accessing the network. Since I use Gentoo with kernel 2.6.20 SMP, from your
    answers I have confirmation that there's no way to do that with netfilter...
    As for now, the only idea I have is whether it is possible to define a
    SELinux policy with no access to the network, and then apply it to the
    application's files. But it's only a supposition, since I actually don't
    have good knowledge of SELinux, and I guess it's not really easy to set it
    up with Gentoo.

    > If you told us which program you wanted to restrict, then we could perhaps
    > give better advice.


    Ok, so let's for instance consider ping.

    Luca



  15. Re: forbid internet access to an application?

    > If there is no such thing you want, consider writing your own
    > and put the source online, so others might use and perhaps
    > improve it.


    That's a good point, but I'm not actually in the position of doing that. And
    I guess it wouldn't be an easy code to write.

    Luca



  16. Re: forbid internet access to an application?

    "lucatrv" writes:

    >> That would of course be entirely trivial to evade. Just make a hard link
    >> to the program with a different name.
    >>
    >> It is like denying access to a building to anyone who says their name is
    >> John. How long would that be effective?


    >I understand, but that would be the behaviour of malign code. I'm not
    >talking about that, but only about preventing some normal application from
    >accessing the network. Since I use Gentoo with kernel 2.6.20 SMP, from your
    >answers I have confirmation that there's no way to do that with netfilter...
    >As for now, the only idea I have is whether it is possible to define a
    >SELinux policy with no access to the network, and then apply it to the
    >application's files. But it's only a supposition, since I actually don't
    >have good knowledge of SELinux, and I guess it's not really easy to set it
    >up with Gentoo.


    >> If you told us which program you wanted to restrict, then we could perhaps
    >> give better advice.


    >Ok, so let's for instance consider ping.


    That one is simple. Don't run it. Then it will not access the net.

    I meant "What is the real problem you are trying to solve?". Yours is a
    hypothetical one. If you do not want ping to access the network and you are
    not talking about rogue programs, then do not use ping. It is that simple.
    But I suspect that is not the answer you want.
    Now, you have a concern about some program you are running, presumably on
    purpose, which can sometimes access the net, but you do not want it to.
    How does it access the net? Is it a DNS lookup, is it HTTP, or what? Your
    specification is not good enough and your idiotic example is just that.



    >Luca




  17. Re: forbid internet access to an application?

    On May 28, 9:44 pm, Unruh wrote:
    > "lucatrv" writes:
    > >> That would of course be entirely trivial to evade. Just make a hard link
    > >> to the program with a different name.
    > >>
    > >> It is like denying access to a building to anyone who says their name is
    > >> John. How long would that be effective?
    >
    > >I understand, but that would be the behaviour of malign code. I'm not
    > >talking about that, but only about preventing some normal application from
    > >accessing the network. Since I use Gentoo with kernel 2.6.20 SMP, from your
    > >answers I have confirmation that there's no way to do that with netfilter...
    > >As for now, the only idea I have is whether it is possible to define a
    > >SELinux policy with no access to the network, and then apply it to the
    > >application's files. But it's only a supposition, since I actually don't
    > >have good knowledge of SELinux, and I guess it's not really easy to set it
    > >up with Gentoo.
    > >> If you told us which program you wanted to restrict, then we could perhaps
    > >> give better advice.

    > >Ok, so let's for instance consider ping.

    >
    > That one is simple. Don't run it. Then it will not access the net.
    >
    > I meant "What is the real problem you are trying to solve?". Yours is a
    > hypothetical one. If you do not want ping to access the network and you are
    > not talking about rogue programs, then do not use ping. It is that simple.
    > But I suspect that is not the answer you want.
    > Now, you have a concern about some program you are running, presumably on
    > purpose, which can sometimes access the net, but you do not want it to.
    > How does it access the net? Is it a DNS lookup, is it HTTP, or what? Your
    > specification is not good enough and your idiotic example is just that.
    >
    > >Luca


    Why not use kiosktool from inside KDE (If you are using KDE that is)?

    http://jriddell.org/programs/kiosk-article.html

    Deion "Mule" Christopher


  18. Re: forbid internet access to an application?

    Bear with me I'm rather new to this. Are you trying to block
    applications from your user's side or from the cloud?
    From your user's side - wouldn't it be possible to use rlogin (or
    some other method to remote login) to the host and allow Internet access
    only from/through the host? If so, wouldn't it also be true you could
    set the user/group rights (privileges) to permit only those programs
    which match the user/group privileges? That is make ping a root only
    executable so no other user/group can execute/use it.
    Please excuse me if I missed your point.
    Dana

  19. Re: forbid internet access to an application?

    >>Ok, so let's for instance consider ping.
    >
    > That one is simple. Don't run it. Then it will not access the net.


    1) For instance, I'm not sure whether Picasa gains access to the internet
    when I use it (they say the option "check for upgrades" is always disabled
    even if it looks selected... but who knows?). Worse, I'm not sure it doesn't
    signal when I'm using it.

    2) The same, for instance, with Eclipse. Even if I tell it not to check for
    updates, how can I be really sure it never accesses the network?

    3) And what if I would like to prevent Skype from connecting to some IPs
    (while still keeping them available for other applications)?

    Luca
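An added example (not code from the thread or from any poster) for the three cases just listed, using the part of the netfilter owner match that the earlier replies about --cmd-owner did not cover: --uid-owner, which was not removed in 2.6.14. The approach is to give each application its own unprivileged account, start it under that account (for instance `sudo -u picasa-nonet picasa`), and reject its packets in the OUTPUT chain by uid. A uid is a kernel fact about the process, so the hard-link evasion raised earlier does not apply. The account names, uids, addresses and executable paths below are assumptions; the script only prints rules unless run as root with --apply.

```python
#!/usr/bin/env python3
"""Per-application egress policy with the part of the netfilter owner match
that survived the 2.6.14 cleanup discussed above: --uid-owner.

Added example, not code from the thread.  Give the application its own
unprivileged account (e.g. `useradd -r -s /sbin/nologin picasa-nonet`; the
uids below are assumptions), start it as that user (`sudo -u picasa-nonet
picasa`), and match its packets in the OUTPUT chain by uid.
"""
import ipaddress
import pwd
import subprocess
import sys

# Constructed policy for the three cases above; names, uids and addresses are assumptions.
POLICY = {
    "picasa":  {"user": 1001, "mode": "block-all"},
    "eclipse": {"user": 1002, "mode": "block-all"},
    "skype":   {"user": 1003, "mode": "block-some",
                "blocked": ["192.0.2.10", "198.51.100.0/24", "2001:db8::1"]},
}
# REJECT rather than DROP: the confined program gets ECONNREFUSED at once instead of a hang.
REJECT = {4: ["iptables", "icmp-port-unreachable"], 6: ["ip6tables", "icmp6-port-unreachable"]}


def resolve_uid(user):
    """Accept a numeric uid or an account name (looked up through the passwd database)."""
    return int(user) if isinstance(user, int) or str(user).isdigit() else pwd.getpwnam(user).pw_uid


def build_rules(policy):
    """Return argv lists (no side effects) implementing the policy; ValueError on bad input."""
    rules = []
    for name, spec in policy.items():
        owner = ["-m", "owner", "--uid-owner", str(resolve_uid(spec["user"])),
                 "-m", "comment", "--comment", f"egress:{name}"]
        if spec["mode"] == "block-all":
            # One rule per address family: everything except loopback is refused.
            for tool, rw in REJECT.values():
                rules.append([tool, "-A", "OUTPUT", "!", "-o", "lo", *owner,
                              "-j", "REJECT", "--reject-with", rw])
        elif spec["mode"] == "block-some":
            for dest in spec["blocked"]:
                net = ipaddress.ip_network(dest, strict=False)  # rejects garbage before it reaches iptables
                tool, rw = REJECT[net.version]
                rules.append([tool, "-A", "OUTPUT", "-d", str(net), *owner,
                              "-j", "REJECT", "--reject-with", rw])
        else:
            raise ValueError(f"unknown mode {spec['mode']!r} for {name}")
    return rules


def apply_rules(rules, dry_run=True):
    """Print the rules, or run them (needs root).  Returns how many were handled."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return len(rules)


if __name__ == "__main__":
    # ./egress-policy.py          -> print the rules
    # ./egress-policy.py --apply  -> install them (root); list them later with
    #   `iptables -S OUTPUT | grep egress:` and delete with the matching -D commands.
    apply_rules(build_rules(POLICY), dry_run="--apply" not in sys.argv)
```

What this does and does not cover: the owner match only classifies locally generated packets, so the rules belong in OUTPUT and the program must really run as that uid; anything it delegates to a system daemon (a proxy, nscd) is attributed to the daemon's uid instead. For the block-all cases DNS is refused too, because the resolver runs inside the process. For the block-some case the program can still reach every address not listed, so a list derived from host names has to be kept current. A program running as root could remove the rules, which is fine for the well-behaved applications the poster is asking about and not a defence against malware.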




  20. Re: forbid internet access to an application?

    > Why not use kiosktool from inside KDE (If you are using KDE that is)?
    >
    > http://jriddell.org/programs/kiosk-article.html
    >


    I actually use gnome, and by the way from what I read I couldn't understand
    how to get the functionality I was talking about (prevent an application
    from gaining access to the network while having the network functional for
    the other applications). Thank you anyway, bye.


