
By alternative it's not meant the program needs to be GUI. Any method that allows a program to log when something calls listen() and only allows selected programs to listen on the interface:port will work. I've seen OpenSnitch but it works with outbound connections only.

If such a program doesn't exist, can anyone point to how to create one? Like using nftables rules. What I'm not looking for is to run a program in a separate net namespace etc. The solution should work for all userland programs in general.

  • Does this answer your question? [Block network access of a process?](https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process) – Marcus Müller Sep 05 '21 at 11:51
  • No. 1. "What I'm not looking for is to run a program in separate net namespace etc.". 2. I'm interested in allowing a program to listen on some interface. Not interested in outbound traffic. – flappybirdy Sep 05 '21 at 12:43
  • well, but what you describe *reads* a lot like a network namespace! in Linux, networking isn't "bound" to a process per se; the method of having network behave differently for different userland software *is* network namespaces, as far as I can tell. The problem with *all* Linux nftables/netfilter-based approaches is that packets don't have a property "comes from process XYZ" or "goes to process XYZ" internally. – Marcus Müller Sep 05 '21 at 14:14
  • All I asked is program x binds and calls listen on port y. The OS (or something else) checks a whitelist and allows it. If the program no longer listens on the port, the port is closed. If an unauthorized program tries to listen on that port it fails silently, i.e. that program sees no packets coming. This is what an application firewall does. Without resorting to Mach ports. – flappybirdy Sep 05 '21 at 14:29
  • sounds a bit like network namespaces, honestly! Linux is not mach; you can try to implement something similar with eBPF in the Linux kernel, but it would be less clean than starting things in a Linux network namespace – which again, possibly differently than the OS X equivalent, matches the description of "I want to control which software does something with my network" pretty well. – Marcus Müller Sep 05 '21 at 14:29
  • https://en.m.wikipedia.org/wiki/Application_firewall this. – flappybirdy Sep 05 '21 at 14:39
  • I know what an application firewall is. Linux doesn't think in applications. – Marcus Müller Sep 05 '21 at 14:40
  • 1. you want to know when a program bind()s a socket, not when it listen()s on it. Believe me. 2. you can probably do it with [seccomp](https://man7.org/linux/man-pages/man2/seccomp.2.html), which is already used extensively on Android for all apps (together with other jailing facilities, like dropping caps, selinux and network namespaces). –  Sep 05 '21 at 16:05

1 Answer

Artem S. Tashkinov
  • this is interesting! It looks to me like they took a few surprising design choices on the [kernel side](https://gitlab.com/douaneapp/douane-dkms/-/blob/master/douane.c); I'll be honest: the fact that this seems to have a usable UI is fantastic! Doesn't mean I trust the underpinnings for productive usage (seems it only hooks the outgoing filter chain), but it's pretty cool overall – Marcus Müller Sep 05 '21 at 11:59
  • Note that the fact I find design choices interesting might be caused by the fact that the invention of douane basically coincided with people inventing Linux networking namespaces, which honestly are a simple and very effective method to achieve the same, but without need for a third-party kernel module; however, that fact doesn't give you a nice UI that a normal user could realistically make use of. – Marcus Müller Sep 05 '21 at 12:02
  • Does this app work for `listen()`? Or only outbound traffic? – flappybirdy Sep 05 '21 at 12:44
  • I don't think so, but haven't read all of douane.c that I linked to above. What I think is clear at this point is that it has [no idea](https://gitlab.com/douaneapp/douane-dkms/-/blob/master/douane.c#L887) of IPv6 (IPv6 addresses can't be formatted into a 16 character string) – so, that would pass completely unfilterable. I'm honestly also worried about using string functions on every single packet. – Marcus Müller Sep 05 '21 at 14:29
  • and you say you want to control the `listen` call alone; douane does something completely different: it offers netfilter hooks, so you can write firewall rules that apply to sockets held by specific processes (I'm reading the code and scratching my head ever more on how they deal with socket FDs passed via IPC). – Marcus Müller Sep 05 '21 at 14:33
  • by the way, you need to check whether the kernel module compiles with the kernel you use at all; it really does not for my kernel. For example, douane needs to use `fcheck_files` to find who "owns" the socket (in a very bad manner of checking things... um.); **that was removed in Linux 5.10, so it *can't* work with a modern kernel** (Douane's kernel module has not seen an update in 3 years, so I'm not holding my breath until someone fixes this) – Marcus Müller Sep 05 '21 at 14:35
  • Also, this is great, because if I want my process /home/marcus/myevilstuff/evil to get the same restrictions as, say /usr/bin/firefox, I think I can just put it in a mount namespace and call it /usr/bin/firefox within that, and that would solve my being-blocked problem. – Marcus Müller Sep 05 '21 at 14:40
  • Check `firejail` please – Artem S. Tashkinov Sep 05 '21 at 14:48
  • that sounds reasonable, it simply applies Linux network namespaces. – Marcus Müller Sep 05 '21 at 14:48
  • Yeah, the dkms does not compile in latest Debian unstable. – flappybirdy Sep 05 '21 at 16:09
  • Added OpenSnitch. Must be working and compatible with modern Linux distros. – Artem S. Tashkinov Sep 05 '21 at 16:17
  • yep, OpenSnitch uses eBPF and is much more likely to work with modern Linux distros. – Marcus Müller Sep 05 '21 at 17:56
  • Does OpenSnitch support incoming? AFAIK it is on the todo list – flappybirdy Sep 05 '21 at 19:37