Is there a way of blocking individual programs from accessing the network?

TehDooMCat · 08-26-2007, 01:50 PM

There's some programs I want to block from accessing the network. I could disconnect from the network, but that'd mean I wouldn't be able to use any other programs that use the LAN/internet.

Is there a way, without installing firewalls, of stopping programs from using the network, without having to block specific ports? Any method, like some way of forcing the program to use /dev/zero as the network interface?

acid_kewpie · 08-26-2007, 03:54 PM

well you need to appreciate what a firewall really is i guess... and you'd absolutely want to use netfilter to do this, which is totally possible, and technically does constitute a firewall in it's lowest level incarnation...

iptables -A OUTPUT -m owner --cmd-owner "ssh" -j REJECT

just says to refuse any packet from ssh to leave the machine.

TehDooMCat · 08-28-2007, 11:02 AM

Quote:

Originally Posted by acid_kewpie

well you need to appreciate what a firewall really is i guess... and you'd absolutely want to use netfilter to do this, which is totally possible, and technically does constitute a firewall in it's lowest level incarnation...

iptables -A OUTPUT -m owner --cmd-owner "ssh" -j REJECT

just says to refuse any packet from ssh to leave the machine.

I'm kinda' confused by the iptables command; do I have to replace anything other than "ssh"? like 'OUTPUT' or 'owner'? I tried various combinations and they all gave me an 'invalid argument' error. And --cmd-owner isn't a flag, according to iptables -h

acid_kewpie · 08-28-2007, 12:23 PM

hmm, seems that the cmd-owner option needs to be enabled directly in the kernle, which is uncommon...

craigevil · 08-28-2007, 04:10 PM

YOu might take a look at :
TuxGuardian - An application-based firewall

Quote:

Features

* Detects unauthorized applications trying to act like a client or a server;
* Operates with or without user intervention;
* Verifies the applications' integrity so that maliciously modified software won't be able to send or receive data through the network;
* Uses a three-layered architecture of independent modules, which eases the task of addings new features and functionality;

unSpawn · 08-28-2007, 05:02 PM

Quote:

Originally Posted by craigevil

You might take a look at: TuxGuardian

If it works as advertised that's pretty cool...

TehDooMCat · 08-30-2007, 07:22 PM

TuxGuardain looks to be exactly what I want, but to use it you've got to enable some extra kernel stuff (allow security modules etc), which involves make menuconfig, which is broken on my Ubuntu build. I haven't messed with the kernel or compilers, but make menuconfig errors out with messages such as these:

scripts/kconfig/lxdialog/checklist.c:310: warning: implicit declaration of function ‘on_key_esc’
scripts/kconfig/lxdialog/checklist.c:312: error: ‘KEY_RESIZE’ undeclared (first use in this function)
make[1]: *** [scripts/kconfig/lxdialog/checklist.o] Error 1
make: *** [menuconfig] Error 2

Am I missing some dependencies? I'm running the latest kernel; 2.6.20-16 - I think I have to enable some stuff in the kernel, at least that's what the documentation says and I'm not sure if it's a lready compiled into the Ubuntu kernels. I think I have to, 'cause only the daemon for TuxGuardian seems to compile succesfully, and that's useless without the TuxGuardian module.

acid_kewpie · 08-31-2007, 02:45 AM

well i would *expect* that tuxguardian would use the owner module, hence the kernel rebuild, hence the original reason my suggestion didn't work for you...