This is a discussion on "forbid internet access to an application?" within the Linux Networking forums, part of the Linux Forums category.
Hi, I'd like to ask if it's possible to restrict access to the internet to
an application (i.e. the list of files which belong to a package). Under Windows there are plenty of firewall programs, which make you decide if an application should access the internet or not. I looked on the internet and didn't find anything similar under Linux. For what I could understand, neither AppArmor nor SELinux can do that... Thank you.

In comp.os.linux.networking David M <NOSPAM@nospam.com>:
> On Sat, 26 May 2007 15:02:16 +0000, lucatrv rearranged some electrons to
> form:
>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belongs to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.
>> I looked on internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor or selinux can do that...
>>
>> Thank you.
> man hosts.deny

This is thought to restrict incoming connections, not outgoing.

A typical Linux installation isn't infested with spy and malware, so there might not be demand for such an application? Though one could run some cron job, checking for apps opening outgoing connections and kill them if they can't be found in a given file with allowed apps. I suppose it shouldn't take more than 20 minutes to stick a halfway working script together.

If there is no such thing you want, consider writing your own and put the source online, so others might use and perhaps improve it.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 50: Change in Earth's rotational speed

lucatrv wrote:
> Hi, I'd like to ask if it's possible to restrict access to the internet to
> an application (i.e. the list of files which belongs to a package).
> Under windows there are plenty of firewall programs, which make you decide
> if an application should access the internet or not.
> I looked on internet and didn't find anything similar under linux. For what
> I could understand, neither apparmor or selinux can do that...

The netfilter owner module can accomplish this objective (according to the man page, though I've never used it). The switch you want is --cmd-owner, however the man page also states that cmd matching is broken on SMP machines. YMMV

Hello,

Allen Kistler wrote:
>
> The netfilter owner module can accomplish this objective (according to
> the man page, though I've never used it). The switch you want is
> --cmd-owner, however the man page also states that cmd matching is
> broken on SMP machines.

Support for the --pid-owner, --sid-owner and --cmd-owner options has been removed from kernel 2.6.14 and later versions.

[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

In comp.os.linux.networking Allen Kistler <ackistler@oohay.moc>:
> lucatrv wrote:
>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belongs to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.
>> I looked on internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor or selinux can do that...
> The netfilter owner module can accomplish this objective (according to
> the man page, though I've never used it). The switch you want is
> --cmd-owner, however the man page also states that cmd matching is
> broken on SMP machines. YMMV

Indeed, nice shot. I see other options I hadn't seen last time checking the man page. Presuming the OP had done his homework, I didn't bother to take a look before replying...

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 4: static from nylon underwear

In comp.os.linux.networking Pascal Hambourg <boite-a-spam@plouf.fr.eu.org>:
> Hello,
> Allen Kistler wrote:
>> The netfilter owner module can accomplish this objective (according to
>> the man page, though I've never used it). The switch you want is
>> --cmd-owner, however the man page also states that cmd matching is
>> broken on SMP machines.
> Support for the --pid-owner, --sid-owner and --cmd-owner options has
> been removed from kernel 2.6.14 and later versions.

Interesting, seems my man page is broken and the OP is back to the script I had already recommended. ;-)

> [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
> Rip out cmd/sid/pid matching since its unfixable broken and stands in
> the way of locking changes to tasklist_lock.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 338: old inkjet cartridges emanate barium-based fumes

On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:
> Indeed, nice shot. I see other options I hadn't seen last time
> checking the man page. Presuming the OP had done his homework, I
> didn't bother to take a look before replying...

One should never make such assumptions regarding outhouse excess users :)

Allen Kistler <ackistler@oohay.moc> writes:
> lucatrv wrote:
>> Hi, I'd like to ask if it's possible to restrict access to the internet to
>> an application (i.e. the list of files which belongs to a package).
>> Under windows there are plenty of firewall programs, which make you decide
>> if an application should access the internet or not.

That would of course be entirely trivial to evade. Just make a hard link to the program with a different name. It is like denying access to a building to anyone who says their name is John. How long would that be effective?

If you told us which program you wanted to restrict, then we could perhaps give better advice.

>> I looked on internet and didn't find anything similar under linux. For what
>> I could understand, neither apparmor or selinux can do that...
> The netfilter owner module can accomplish this objective (according to
> the man page, though I've never used it). The switch you want is
> --cmd-owner, however the man page also states that cmd matching is
> broken on SMP machines. YMMV

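The monitoring script Michael Heiming sketched earlier in the thread (find processes holding outgoing connections, compare them with an allowlist), written out as an added example that is not code from the thread: it parses /proc/net/tcp, maps socket inodes to processes via /proc/<pid>/fd, and reports instead of killing; since matching on a command name is as evadable as the reply above says, it is a detection aid rather than an enforcement boundary. The /proc/net/tcp text, the inode-to-process map and the allowlist entry "firefox" are constructed sample values.

```python
import os

def parse_proc_net_tcp(text):
    """Return (remote_ip, remote_port, inode) for ESTABLISHED sockets in /proc/net/tcp text."""
    conns = []
    for line in text.splitlines()[1:]:              # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != "01":             # st 01 == TCP_ESTABLISHED
            continue
        rem_hex, port_hex = f[2].split(":")
        # address is hex in host byte order; decode the little-endian (x86) form
        ip = ".".join(str(int(rem_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        conns.append((ip, int(port_hex, 16), int(f[9])))   # column 9 is the inode
    return conns

def socket_owners_live():
    """Map socket inode -> (pid, comm) from a live /proc; root sees every process."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (int(pid), comm)
        except OSError:
            continue                                # process exited or not readable
    return owners

def unauthorized(conns, owners, allowlist):
    """(pid, comm, ip, port) for every connection whose owner's comm is not allowlisted."""
    findings = []
    for ip, port, inode in conns:
        pid, comm = owners.get(inode, (-1, "<unknown>"))   # unmapped socket: flag it too
        if comm not in allowlist:
            findings.append((pid, comm, ip, port))
    return findings

# Constructed sample data: one LISTEN socket (skipped) and two outbound connections.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0A00020F:A1B3 2A1C0A4D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {23456: (4242, "firefox"), 34567: (5151, "updater")}  # constructed inode map

if __name__ == "__main__":                          # live run against the real /proc
    live = parse_proc_net_tcp(open("/proc/net/tcp").read())
    for pid, comm, ip, port in unauthorized(live, socket_owners_live(), {"firefox"}):
        print(f"pid {pid} ({comm}) -> {ip}:{port} not on allowlist")
```

Run it from cron as root to see every process; IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and would need a separate decoder.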
In comp.os.linux.networking Dave Uhring <daveuhring@yahoo.com>:
> On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:
>> Indeed, nice shot. I see other options I hadn't seen last time
>> checking the man page. Presuming the OP had done his homework, I
>> didn't bother to take a look before replying...
> One should never make such assumptions regarding outhouse excess users :)

It might offer a better start than the usual IE/G2 combination? ;-)

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 269: Melting hard drives

On Mon, 28 May 2007 14:42:35 +0200, Michael Heiming wrote:
> In comp.os.linux.networking Dave Uhring <daveuhring@yahoo.com>:
>> On Sat, 26 May 2007 21:45:07 +0200, Michael Heiming wrote:
>
>>> Indeed, nice shot. I see other options I hadn't seen last time
>>> checking the man page. Presuming the OP had done his homework, I
>>> didn't bother to take a look before replying...
>
>> One should never make such assumptions regarding outhouse excess users :)
>
> It might offer a better start then the usual IE/G2 combination? ;-)

Yes, at least the OP is using a real newsserver. But it is still unreasonable ever to expect a Windows user to do his homework or read the readily available documentation. It's always "must ask someone else" for those cretins.