This is a discussion on "forbid internet access to an application?" within the Linux Networking forums, part of the Linux Forums category.

Michael Heiming wrote:
> >>> The netfilter owner module can accomplish this objective
> >> Support for the --pid-owner, --sid-owner and --cmd-owner options has
> >> been removed from kernel 2.6.14 and later versions.
>
> Interesting, seems my man page is broken

It seems the paragraph about the "owner" match in the iptables man page was last updated one year before the 2.6.14 kernel was released.

> and the OP back to the script I had already recommended. ;-)

Unless he uses a non-SMP kernel version < 2.6.14, including the latest 2.4 versions.

P.S.: Special thanks to Dave Uhring for calling me a cretin.

> That would of course be entirely trivial to evade. Just make a hard link
> to the program with a different name.
>
> It is like denying access to a building to anyone who says their name is John.
> How long would that be effective?

I understand, but that would be the behaviour of malign code. I'm not talking of that, but only of preventing some normal application from accessing the network. Since I use gentoo with kernel 2.6.20 SMP, from your answers I have a confirmation that there's no way to do that with netfilter...

As for now, the only idea I have is if it is possible to define a selinux policy with no access to the network, and then apply it to the application's files. But it's only a supposition, since I actually don't have good knowledge of selinux, and I guess it's not really easy to set it up with gentoo.

> If you told us which program you wanted to restrict, then we could perhaps
> give better advice.

Ok, so let's for instance consider ping.

Luca

> If there is no such thing you want, consider writing your own
> and put the source online, so others might use and perhaps
> improve it.

That's a good point, but I'm not actually in the position of doing that. And I guess it wouldn't be an easy code to write.

Luca

"lucatrv" <lucatrv@com.com> writes:
>> That would of course be entirely trivial to evade. Just make a hard link
>> to the program with a different name.
>>
>> It is like denying access to a building to anyone who says their name is
>> John. How long would that be effective?
> I understand, but that would be the behaviour of malign code. I'm not
> talking of that, but only of preventing some normal application from accessing
> the network. Since I use gentoo with kernel 2.6.20 SMP, from your answers I
> have a confirmation that there's no way to do that with netfilter...
> As for now, the only idea I have is if it is possible to define a selinux
> policy with no access to the network, and then apply it to the application's
> files. But it's only a supposition, since I actually don't have good knowledge
> of selinux, and I guess it's not really easy to set it up with gentoo.
>> If you told us which program you wanted to restrict, then we could perhaps
>> give better advice.
> Ok, so let's for instance consider ping.

That one is simple. Don't run it. Then it will not access the net.

I meant "What is the real problem you are trying to solve". Yours is a hypothetical one. If you do not want ping to access the network and you are not talking about rogue programs, then do not use ping. It is that simple. But I suspect that is not the answer you want.

Now, you have a concern about some program you are running, presumably on purpose, which can sometimes access the net, but you do not want it to. How does it access the net? Is it a DNS lookup, is it HTTP, or what? Your specification is not good enough and your idiotic example is just that.

> Luca

On May 28, 9:44 pm, Unruh <unruh-s...@physics.ubc.ca> wrote:
> "lucatrv" <luca...@com.com> writes:
> >> That would of course be entirely trivial to evade. Just make a hard link
> >> to the program with a different name.
> >>
> >> It is like denying access to a building to anyone who says their name is
> >> John. How long would that be effective?
> > I understand, but that would be the behaviour of malign code. I'm not
> > talking of that, but only of preventing some normal application from accessing
> > the network. Since I use gentoo with kernel 2.6.20 SMP, from your answers I
> > have a confirmation that there's no way to do that with netfilter...
> > As for now, the only idea I have is if it is possible to define a selinux
> > policy with no access to the network, and then apply it to the application's
> > files. But it's only a supposition, since I actually don't have good knowledge
> > of selinux, and I guess it's not really easy to set it up with gentoo.
> >> If you told us which program you wanted to restrict, then we could perhaps
> >> give better advice.
> > Ok, so let's for instance consider ping.
>
> That one is simple. Don't run it. Then it will not access the net.
>
> I meant "What is the real problem you are trying to solve". Yours is a
> hypothetical one. If you do not want ping to access the network and you are
> not talking about rogue programs, then do not use ping. It is that simple.
> But I suspect that is not the answer you want.
> Now, you have a concern about some program you are running, presumably on
> purpose, which can sometimes access the net, but you do not want it to.
> How does it access the net? Is it a DNS lookup, is it HTTP, or what? Your
> specification is not good enough and your idiotic example is just that.
>
> > Luca

Why not use kiosktool from inside KDE (if you are using KDE, that is)?

http://jriddell.org/programs/kiosk-article.html

Deion "Mule" Christopher

Bear with me, I'm rather new to this. Are you trying to block applications from your user's side or from the cloud?

From your user's side - wouldn't it be possible to use rlogin (or some other method to remote login) to the host and allow Internet access only from/through the host? If so, wouldn't it also be true you could set the user/group rights (privileges) to permit only those programs which match the user/group privileges? That is, make ping a root-only executable so no other user/group can execute/use it.

Please excuse me if I missed your point.

Dana

>> Ok, so let's for instance consider ping.
>
> That one is simple. Don't run it. Then it will not access the net.

1) For instance, I'm not sure if picasa gains access to the internet when I use it (they say the option "check for upgrades" is always disabled even if it looks selected... but who knows?). Worse, I'm not sure it doesn't signal when I'm using it.

2) The same for instance with eclipse. Even if I tell it not to check for updates, how can I be really sure it never accesses the network?

3) And what if I would like to prevent skype from connecting to some IPs (while still keeping them available for other applications)?

Luca

> Why not use kiosktool from inside KDE (if you are using KDE, that is)?
>
> http://jriddell.org/programs/kiosk-article.html

I actually use gnome, and by the way from what I read I couldn't understand how to get the functionality I was talking about (prevent an application from gaining access to the network while having the network functional for the other applications). Thank you anyway, bye.

> Bear with me, I'm rather new to this. Are you trying to block
> applications from your user's side or from the cloud?
> From your user's side - wouldn't it be possible to use rlogin (or
> some other method to remote login) to the host and allow Internet access
> only from/through the host? If so, wouldn't it also be true you could
> set the user/group rights (privileges) to permit only those programs
> which match the user/group privileges? That is, make ping a root-only
> executable so no other user/group can execute/use it.
> Please excuse me if I missed your point.
> Dana

My question was if it's possible to block only some application/files from using the network, while using the desktop normally. As for now, to me it seems the only option could be through selinux (but I'm not sure), and then I should learn how to set it up under gentoo...

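The thread's two threads of advice (the netfilter owner match discussed at the top, and Dana's point about user/group rights) combine into a working answer to the question as restated above. Only the --pid-owner, --sid-owner and --cmd-owner variants were removed in 2.6.14; the --uid-owner match remains, and it is not defeated by renaming or hard-linking the binary because it keys on the uid that created the socket. The script below is an added example, not code from anyone in the thread: it runs the program under a dedicated unprivileged account and rejects that account's outbound packets, leaving every other program on the desktop networked. The account name "noinet", the decision to keep loopback open, the 203.0.113.0/24 destination (a documentation range used here as a placeholder) and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): confine one program with a dedicated
# unprivileged user plus the netfilter owner match on uid. --uid-owner still
# exists after kernel 2.6.14; only --pid-owner/--sid-owner/--cmd-owner went away.
# Assumptions made here: account name "noinet", loopback stays reachable,
# and the caller has root for useradd/iptables.

# Emit the iptables commands as text so they can be reviewed before applying.
# The owner match is only valid in the OUTPUT (and POSTROUTING) chain.
noinet_rules() {
    user="$1"
    printf '%s\n' \
        "iptables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT" \
        "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT --reject-with icmp-admin-prohibited"
}

# Variant for point 3 in the thread: the program keeps network access but its
# traffic to one destination (address or CIDR) is refused, while programs run
# by other users still reach that destination.
noinet_rules_dest() {
    user="$1"; dest="$2"
    printf '%s\n' \
        "iptables -A OUTPUT -d $dest -m owner --uid-owner $user -j REJECT --reject-with icmp-admin-prohibited"
}

# Create the account (system user, no login shell) and apply the rules.
noinet_setup() {
    user="$1"
    id "$user" >/dev/null 2>&1 || useradd --system --shell /usr/sbin/nologin "$user"
    noinet_rules "$user" | sh
}

# Launch a program as the confined user. Every socket it opens carries that
# uid, so the REJECT rule matches it; the rest of the desktop is unaffected.
noinet_run() {
    user="$1"; shift
    sudo -u "$user" -- "$@"
}

# Verify the REJECT rule for the user is actually loaded before trusting the
# confinement. iptables -S prints the numeric uid, so resolve the name first.
noinet_check() {
    uid=$(id -u "$1") || return 1
    iptables -S OUTPUT | grep -q -- "--uid-owner $uid -j REJECT"
}

# Usage (as root), with a placeholder destination from the documentation range:
#   noinet_setup noinet
#   noinet_check noinet && noinet_run noinet curl http://203.0.113.1/
# The curl should fail immediately: the kernel refuses the send instead of
# delivering it, and a packet capture on the real interface shows nothing.
```

Two caveats a practitioner should know. A setuid-root program (ping was setuid on most distributions of that era) opens its raw socket before dropping privileges, so the owner match sees root, not "noinet"; the technique fits ordinary user-level applications like the picasa, eclipse and skype cases in the thread, which is why the usage line uses curl rather than ping. And the confinement is per uid, not per binary: if the program is ever started as the normal desktop user instead of through noinet_run, the rule does not apply, so noinet_check and a look at the process owner (ps -o user,comm) are the sanity checks to keep.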
On May 30, 1:04 pm, "lucatrv" <luca...@com.com> wrote:
> > Why not use kiosktool from inside KDE (if you are using KDE, that is)?
> >
> > http://jriddell.org/programs/kiosk-article.html
>
> I actually use gnome, and by the way from what I read I couldn't understand
> how to get the functionality I was talking about (prevent an application
> from gaining access to the network while having the network functional for
> the other applications). Thank you anyway, bye.

OK then, how about using a SQUID proxy? I believe ACLs can be set up to allow specified logged-in users to access the Internet using specified applications. I once ran a shorewall firewall with a "manual" SQUID proxy (each user had to type in their name and password any time they tried using an application that accessed the Internet) to block all Internet-bound applications _except_ mail clients. If I'm not mistaken, I was still able to use ping on those machines for Intranet work... Does this sound more like what you are wanting?

There is the possibility of using GConf: http://www.gnome.org/learn/admin-gui...ockdown-1.html but I've never used it before...

Deion "Mule" Christopher