
#14
05-29-2007
Unruh
 
Re: forbid internet access to an application?

"lucatrv" <lucatrv@com.com> writes:

>> That would of course be entirely trivial to evade. Just make a hard link to
>> the program with a different name.
>>
>> It is like denying access to a building to anyone who says their name is John.
>> How long would that be effective?


>I understand, but that would be the behaviour of malign code. I'm not
>talking of that, but only of preventing some normal application from accessing
>the network. Since I use gentoo with kernel 2.6.20 SMP, from your answers I
>have a confirmation that there's no way to do that with netfilter...
>As for now, the only idea I have is if it is possible to define a selinux
>policy with no access to the network, and then apply it to the application's
>files. But it's only a supposition, since I actually haven't good knowledge
>of selinux, and I guess it's not really easy to set it up with gentoo.


>> If you told us which program you wanted to restrict, then we could perhaps
>> give better advice.


>Ok, so let's for instance consider ping.


That one is simple. Don't run it. Then it will not access the net.

I meant "What is the real problem you are trying to solve?". Yours is a
hypothetical one. If you do not want ping to access the network and you are
not talking about rogue programs, then do not use ping. It is that simple.
But I suspect that is not the answer you want.
Now, you have a concern about some program you are running, presumably on
purpose, which can sometimes access the net, but you do not want it to.
How does it access the net? Is it a DNS lookup, is it HTTP, or what? Your
specification is not good enough and your idiotic example is just that.



>Luca



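The two technical points in this exchange are that a netfilter rule keyed on a program's file name is defeated by a hard link, and that the kernel can only restrict what it can identify about the process itself. The script below is an added example, not code from Luca, Unruh or the original thread: it builds a stand-in "ping" plus a hard link "p1ng" to the same file (both names are constructed for the example), shows that a toy name-based check lets the link through while the inode is the same, and then runs a command inside a fresh network namespace using util-linux `unshare -n`, which is one way on a 2.6.x-era or newer Linux kernel to deny a normal, non-malicious program any network at all. It assumes a Linux host with `/proc/net/dev` and util-linux `unshare`; where the kernel forbids creating namespaces unprivileged, it reports "unsupported" rather than failing.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts).
# 1. A policy keyed on the program's file name is evaded with a hard link:
#    same inode, different name, the rule never fires.
# 2. What the kernel can actually key on is the process, not its name.
#    Here: a fresh network namespace that contains no usable interfaces.
set -eu

# Toy name-based policy (constructed for the example): deny anything called "ping".
deny_by_name() {
    case "$(basename "$1")" in
        ping) echo denied ;;
        *)    echo allowed ;;
    esac
}

# Create a stand-in "ping" and a hard link to the same file under another name.
# Prints the directory holding both. The names are constructed for this example.
make_linked_pair() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "I would now use the network"\n' > "$dir/ping"
    chmod 755 "$dir/ping"
    ln "$dir/ping" "$dir/p1ng"
    printf '%s\n' "$dir"
}

# Hard links share one inode: "-ef" is true when both names point at the same file.
same_file() {
    if [ "$1" -ef "$2" ]; then echo yes; else echo no; fi
}

# Run a command in a new network namespace (util-linux "unshare -n").
# A new namespace holds only a loopback device that is down, so nothing the
# command does can reach the real network. "-r" maps us to root inside a user
# namespace so this works unprivileged where user namespaces are enabled;
# plain "-n" is tried when already root. Prints "unsupported" if neither works.
run_without_network() {
    if unshare -rn true 2>/dev/null; then
        unshare -rn "$@"
    elif unshare -n true 2>/dev/null; then
        unshare -n "$@"
    else
        echo unsupported
    fi
}

# Interface names visible from inside the namespace. /proc/net/dev has a
# two-line header, then one "  name: counters" line per interface; expect "lo".
interfaces_without_network() {
    run_without_network sh -c 'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "'
}

pair=$(make_linked_pair)
echo "deny_by_name ping           -> $(deny_by_name "$pair/ping")"
echo "deny_by_name p1ng           -> $(deny_by_name "$pair/p1ng")"
echo "same file?                  -> $(same_file "$pair/ping" "$pair/p1ng")"
echo "interfaces in empty netns   -> $(interfaces_without_network | tr '\n' ' ')"
run_without_network "$pair/p1ng"
rm -rf "$pair"
```

The name check says "denied" for `ping` and "allowed" for `p1ng` even though `same_file` reports they are one file, which is the hard-link evasion the thread describes. Inside the namespace the only interface is `lo`, so the program runs but has nothing to send on. The other process-keyed mechanism available on a 2.6.20 kernel is netfilter's owner match: run the program under a dedicated UID and add `iptables -A OUTPUT -m owner --uid-owner <that uid> -j REJECT`; that keys on the process credentials, which a hard link does not change either.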