LinuxQuestions.org
Old 08-26-2007, 01:50 PM   #1
TehDooMCat
LQ Newbie
 
Registered: Apr 2007
Posts: 12

Rep: Reputation: 0
Is there a way of blocking individual programs from accessing the network?


There's some programs I want to block from accessing the network. I could disconnect from the network, but that'd mean I wouldn't be able to use any other programs that use the LAN/internet.

Is there a way, without installing firewalls, of stopping programs from using the network, without having to block specific ports? Any method, like some way of forcing the program to use /dev/zero as the network interface?
 
Old 08-26-2007, 03:54 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
well you need to appreciate what a firewall really is i guess... and you'd absolutely want to use netfilter to do this, which is totally possible, and technically does constitute a firewall in its lowest level incarnation...

iptables -A OUTPUT -m owner --cmd-owner "ssh" -j REJECT

just says to refuse any packet from ssh to leave the machine.
 
Old 08-28-2007, 11:02 AM   #3
TehDooMCat
LQ Newbie
 
Registered: Apr 2007
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
well you need to appreciate what a firewall really is i guess... and you'd absolutely want to use netfilter to do this, which is totally possible, and technically does constitute a firewall in its lowest level incarnation...

iptables -A OUTPUT -m owner --cmd-owner "ssh" -j REJECT

just says to refuse any packet from ssh to leave the machine.
I'm kinda confused by the iptables command; do I have to replace anything other than "ssh"? Like 'OUTPUT' or 'owner'? I tried various combinations and they all gave me an 'invalid argument' error. And --cmd-owner isn't a flag, according to iptables -h.
 
Old 08-28-2007, 12:23 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
hmm, seems that the cmd-owner option needs to be enabled directly in the kernel, which is uncommon...
 
Old 08-28-2007, 04:10 PM   #5
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 455
You might take a look at:
TuxGuardian - An application-based firewall
Quote:
Features

* Detects unauthorized applications trying to act like a client or a server;
* Operates with or without user intervention;
* Verifies the applications' integrity so that maliciously modified software won't be able to send or receive data through the network;
* Uses a three-layered architecture of independent modules, which eases the task of adding new features and functionality;
 
Old 08-28-2007, 05:02 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743
Quote:
Originally Posted by craigevil
You might take a look at: TuxGuardian
If it works as advertised that's pretty cool...
 
Old 08-30-2007, 07:22 PM   #7
TehDooMCat
LQ Newbie
 
Registered: Apr 2007
Posts: 12

Original Poster
Rep: Reputation: 0
TuxGuardian looks to be exactly what I want, but to use it you've got to enable some extra kernel stuff (allow security modules etc), which involves make menuconfig, which is broken on my Ubuntu build. I haven't messed with the kernel or compilers, but make menuconfig errors out with messages such as these:

scripts/kconfig/lxdialog/checklist.c:310: warning: implicit declaration of function ‘on_key_esc’
scripts/kconfig/lxdialog/checklist.c:312: error: ‘KEY_RESIZE’ undeclared (first use in this function)
make[1]: *** [scripts/kconfig/lxdialog/checklist.o] Error 1
make: *** [menuconfig] Error 2

Am I missing some dependencies? I'm running the latest kernel; 2.6.20-16 - I think I have to enable some stuff in the kernel, at least that's what the documentation says and I'm not sure if it's already compiled into the Ubuntu kernels. I think I have to, 'cause only the daemon for TuxGuardian seems to compile successfully, and that's useless without the TuxGuardian module.
 
Old 08-31-2007, 02:45 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
well i would *expect* that tuxguardian would use the owner module, hence the kernel rebuild, hence the original reason my suggestion didn't work for you...
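
Added example, not part of any post in this thread: where --cmd-owner is unavailable, the same owner match can still select traffic by group with --gid-owner, so a program started under a dedicated group is denied outbound access. The group name `nonet` and the function names are assumptions made for this sketch; it prints the commands by default and only executes them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example: deny outbound traffic to every process running under one group.
# "nonet" and the function names are hypothetical; run as root with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only plain group names so nothing unexpected reaches the commands.
valid_group() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the group if needed and reject its locally generated packets.
# The owner match is only valid in OUTPUT/POSTROUTING; IPv6 needs its own rule.
block_group() {
    group=$1
    valid_group "$group" || { echo "invalid group name: $group" >&2; return 2; }
    getent group "$group" >/dev/null 2>&1 || run groupadd --system "$group"
    for ipt in iptables ip6tables; do
        run "$ipt" -A OUTPUT -m owner --gid-owner "$group" -j REJECT
    done
}

# Start a program with the blocked group as its primary GID (sg ships with
# the shadow suite). The invoking user must be a member of the group.
launch_in_group() {
    group=$1; shift
    valid_group "$group" || return 2
    run sg "$group" -c "$*"
}

# Usage: ./nonet.sh GROUP   (prints the rule commands unless DRY_RUN=0)
if [ "$#" -ge 1 ]; then
    block_group "$1"
fi
```

Because `-A` appends, running it twice with DRY_RUN=0 adds duplicate rules; the rule also rejects the group's loopback traffic.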
 
  

