[Software] programs accessing internet only with permission firewall
debian 11
ufw
ufw is installed and enabled. My perception is, any program installed, ufw
gives it permission to access the internet. I want that no program
accesses the internet without getting a permission. How is
that done? Is there a program having a graphical user interface, such
that you can grant or deny a given program access
to the internet?
Thank you.
- dilberts_left_nut
- Administrator
- Posts: 5474
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 21 times
- Been thanked: 93 times
Re: [Software] programs accessing internet only with permission firewall
No.
AdrianTM wrote: There's no hacker in my grandma...
- Trihexagonal
- df -h | participant
- Posts: 210
- Joined: 2022-03-29 20:53
- Location: Land of the Dead
- Has thanked: 32 times
- Been thanked: 24 times
- Contact:
Re: [Software] programs accessing internet only with permission firewall
hthi wrote: 2022-10-15 18:36 My perception is, any program installed, ufw gives it permission to access the internet.
Stateful Packet Inspection, or SPI, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
Only network traffic that is in response to traffic initiated on your machine is allowed to pass through UFW.
hthi wrote: 2022-10-15 18:36 I want that no program accesses the internet without getting a permission. How is that done?
You would have to block everything and make rules to allow outgoing traffic as it happened.
If you don't trust it not to phone home, get rid of it.
hthi wrote: 2022-10-15 18:36 Is there a program having a graphical user interface, such that you can grant or deny a given program access to the internet?
Thank you.
ZoneAlarm for Windows.
But you're a Linux user and that's all hokum you're learning to shake off now.
In time you will grow to love your Robot Overlords. Worship me in their stead as their Herald that it may be well with thee in their benevolent electric eyes...and your personal data file.
-
- Posts: 487
- Joined: 2009-07-04 06:32
- Location: Home: Barrackpore and Mysore
- Has thanked: 6 times
Re: [Software] programs accessing internet only with permission firewall
Trihexagonal wrote: 2022-11-20 16:57 ... You would have to block everything and make rules to allow outgoing traffic as it happened.
If you don't trust it not to phone home, get rid of it.
I sincerely apologise, Trihexagonal and hthi, for seeking further elaboration.
Please allow me to reframe the question a bit differently. Is it possible to disallow a particular program from accessing the internet connection that my system has access to, irrespective of whether the connection is active or inactive? So that any program, even if it has such algorithms to have data packets stored in queue and send them when it can access a connection over the internet, can't do so?
I believe that there is one called firejail, that could be used with a command line:
Code:
firejail --net=none <program>
Then there is another more involved way: that of using iptables and creating a user-group without internet connection. Then programs could be added to this group to bar them from internet access. Usually server administrators are the competent ones to understand the method and its finer nuances.
Last edited by bkpsusmitaa on 2022-12-15 05:47, edited 1 time in total.
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home
-
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: [Software] programs accessing internet only with permission firewall
bkpsusmitaa wrote: 2022-12-12 09:23 Then there is another more involved way: that of using iptables and creating a user-group without internet connection. Then programs could be added to this group to bar them from internet access.
Not really - iptables is only able to work with internet packets, and groups can only use application path/names, which can be spoofed (like changing the executable name) -> firejail is using the kernel's seccomp and namespaces -> this is IMO the easiest solution.
Regards
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 133 times
Re: [Software] programs accessing internet only with permission firewall
Yes really. Check iptables' "owner" match.
Nonsense.
-
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: [Software] programs accessing internet only with permission firewall
Not really - applications can change their PID/GID (f.e. using setpgid(2)), especially that:
such "nonsense" is actually possible - by replacing the content of an executable file with some modified code.
Seccomp + namespaces configuration can simply block all the *forbidden* kernel calls and access to some defined resources, so it doesn't matter what credentials have been granted to the program (binary file)
Regards
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 133 times
Re: [Software] programs accessing internet only with permission firewall
LE_746F6D617A7A69 wrote: 2022-12-14 22:01 applications can change their PID/GID, ( f.e using setpgid(2) )
I suspect that we are not talking about the same thing. The iptables owner match uses effective user/group. setpgid(2) manages the process group, which seems to be unrelated. An unprivileged process cannot change its effective user or group arbitrarily.
LE_746F6D617A7A69 wrote: 2022-12-14 22:01 such "nonsense" is actually possible - by replacing content of executable file with some modified code.
What does this have to do with effective user/group?
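The group-based iptables approach bkpsusmitaa suggested, built on the owner match p.H points to, as an added example that is not from any poster in this thread. The group name no-internet, the use of sg to start the program with that effective GID, and the REJECT targets are assumptions; the rule builder is kept separate from the root-only steps so it can be inspected without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: deny Internet egress to anything run
# under a dedicated group, using iptables' "owner" match. As p.H notes, the
# match keys on the *effective* GID, so "sg" is used to start the program
# with that GID. The group name "no-internet" is an assumption.
set -eu

NOINET_GROUP="${NOINET_GROUP:-no-internet}"

# Pure helper: print the rules for a group name. Separated from the
# privileged steps so it can be reviewed (or tested) without root.
noinet_rules() {
    grp="$1"
    # Loopback stays open so local IPC over 127.0.0.1/::1 keeps working.
    printf 'iptables -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$grp"
    printf 'ip6tables -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$grp"
    # REJECT rather than DROP: the confined program fails fast instead of
    # hanging on timeouts, and the refusal shows up in its own logs.
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -j REJECT --reject-with icmp-admin-prohibited\n' "$grp"
    printf 'ip6tables -A OUTPUT -m owner --gid-owner %s -j REJECT --reject-with icmp6-adm-prohibited\n' "$grp"
}

# Privileged (root): create the group if missing, optionally add a user to
# it so that user may switch into it with sg, then load the rules.
noinet_setup() {
    getent group "$NOINET_GROUP" >/dev/null || groupadd --system "$NOINET_GROUP"
    if [ -n "${1:-}" ]; then
        usermod -aG "$NOINET_GROUP" "$1"
    fi
    noinet_rules "$NOINET_GROUP" | sh -e
}

# Unprivileged (group member): run a program with the restricted effective
# GID. Children inherit it; only a privileged process could shed it with
# setregid(2), which is exactly the limit LE_746F6D617A7A69 and p.H discuss.
noinet_run() {
    sg "$NOINET_GROUP" -c "$*"
}

case "${1:-}" in
    setup) shift; noinet_setup "$@" ;;
    run)   shift; noinet_run "$@" ;;
    show)  noinet_rules "$NOINET_GROUP" ;;
esac
```

Run `sh noinet.sh setup $USER` once as root, log in again so the new group membership is picked up, then `sh noinet.sh run <program>` as the normal user.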
- kent_dorfman766
- Posts: 581
- Joined: 2022-12-16 06:34
- Location: socialist states of america
- Has thanked: 75 times
- Been thanked: 76 times
Re: [Software] programs accessing internet only with permission firewall
I won't say "google is your friend" because they clearly are not, but a simple web search yields the following that seems to be directly applicable.
http://linuxpoison.blogspot.com/2010/11 ... -user.html
-
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: [Software] programs accessing internet only with permission firewall
See setreuid(2) and setregid(2)
But you're right - only a privileged process can do this.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
-
- Posts: 487
- Joined: 2009-07-04 06:32
- Location: Home: Barrackpore and Mysore
- Has thanked: 6 times
Re: [Software] programs accessing internet only with permission firewall
I have been reading your posts, you three. Initially, I thought I would request LE_746F6D617A7A69 and p.H to post an elaborate tutorial for us to set up iptables and allow specific programs access to the internet.
Also, how to add a particular program to a group that iptables allows? man is too cryptic for me to delve into.
However, perhaps kent_dorfman766's link might be helpful. I am not certain. I have an added query however: how to control the bandwidth given to each program? Could this objective be accomplished?
I have posted your salient observations. I think it would be better if you work collaboratively to have an easy tutorial posted for us users.
Thanking you in anticipation, and best wishes.
---------------------------------------------------------------------------------
p.H wrote: 2022-12-16 13:48 ...
I suspect that we are not talking about the same thing. The iptables owner match uses effective user/group. setpgid(2) manages the process group which seem to be unrelated. An unprivileged process cannot change its effective user or group arbitrarily ...
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home
-
- Debian Developer
- Posts: 628
- Joined: 2022-07-12 14:10
- Has thanked: 2 times
- Been thanked: 128 times
Re: [Software] programs accessing internet only with permission firewall
The main problem here is that a "program" is not well defined in Debian. In Android, each app is running as a separate user in a sandbox. In this context it is meaningful to talk about limiting the ability of a program to access the internet. In Debian, a program can simply use another program to make requests to the Internet on its behalf. It is not clear where one program starts and another one begins (for example shell scripts all just call other programs).
To come up with a meaningful solution we'd first need to understand what is the reason for limiting internet access. Is this about running malicious programs and wanting to limit their possibility to access the Internet?
- kent_dorfman766
- Posts: 581
- Joined: 2022-12-16 06:34
- Location: socialist states of america
- Has thanked: 75 times
- Been thanked: 76 times
Re: [Software] programs accessing internet only with permission firewall
The Linux kernel does provide network bandwidth shaping, but configuring such is extremely advanced and the documentation is nowhere near comprehensive. Network interfaces can have bandwidth policies attached to them to do "data dribbling" or "data burst" control within allotted buckets. The command used is "tc".
-
- Posts: 487
- Joined: 2009-07-04 06:32
- Location: Home: Barrackpore and Mysore
- Has thanked: 6 times
Re: [Software] programs accessing internet only with permission firewall
lindi wrote: 2022-12-24 11:41 ⋯ "program" is not well defined in Debian. In Android, each app is running as a separate user in a sandbox. ⋯ limiting the ability of a program to access the internet. In Debian, a program can simply use another program to make requests to the Internet on its behalf. It is not clear where one program starts and another one begins (for example shell scripts all just call other programs).
Perhaps you'd meant "... where one program starts (sic, ends) and another one begins ...". Okay. Would hand over the issues to Linux systems software specialists to elaborate on this.
lindi wrote: 2022-12-24 11:41 ⋯ we'd first need to understand what is the reason for limiting internet access. ⋯ running malicious programs ⋯ limit their ⋯ access ⋯ Internet?
Let's just widen the scope for users' control over how their extensions (computers and programs running there) are allowed to share their personal, private information and data with servers and other systems.
craigevil wrote: 2022-12-24 14:30 ⋯ opensnitch ⋯ portmaster.
opensnitch, portmaster. They don't appear to be from the Debian universe. So alternatives?
https://github.com/evilsocket/opensnitch/releases
https://github.com/safing/portmaster/
kent_dorfman766 wrote: 2022-12-24 19:23 linux kernel ⋯ network bandwidth shaping ⋯ configuring ⋯ extremely advanced ⋯ documentation ⋯ nowhere near comprehensive ⋯ network interfaces ⋯ bandwidth policies attached ⋯ "data dribbling" or "data burst" control ⋯ allotted buckets. ⋯ command used is "tc".
Read the tc man page. It doesn't appear to offer program-wise controls individually. Please advise.
May this post be read in conjunction with the post earlier on program-wise control of their internet access.
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home
-
- Debian Developer
- Posts: 628
- Joined: 2022-07-12 14:10
- Has thanked: 2 times
- Been thanked: 128 times
Re: [Software] programs accessing internet only with permission firewall
I don't think Debian offers a ready-made solution for this. If you know how to write programs it is possible to imagine various different ways how this can be implemented, but this solution would still not be part of Debian unless you'd also package it.
Have you considered simply creating a virtual machine that does not have access to the Internet and then just running the programs that shouldn't access the Internet inside that virtual machine?
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 133 times
Re: [Software] programs accessing internet only with permission firewall
You do not need a virtual machine for this, it can be done with a container or a network namespace without any real network interface.
-
- Posts: 487
- Joined: 2009-07-04 06:32
- Location: Home: Barrackpore and Mysore
- Has thanked: 6 times
Re: [Software] programs accessing internet only with permission firewall
p.H wrote: 2023-01-05 22:31 You do not need a virtual machine for this, it can be done with a container or a network namespace without any real network interface.
This is the issue which generally accompanies extraordinary gentlemen. What they say is too little for most of the rest.
Please, p.H, please take up the responsibility to educate the lesser gifted.
Please begin by explaining what you meant by "container" and "network namespace". How can a real "network interface" be assigned?
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home
-
- Global Moderator
- Posts: 3243
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 69 times
- Been thanked: 287 times
Re: [Software] programs accessing internet only with permission firewall
Code:
$ man ip-netns
The methods really don't compete, they are a resource question.
I prefer the full vm approach, and would flip it, give the vm's the internet, and keep it from the host.
Mottainai
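The "network namespace without any real network interface" p.H describes, driven with ip-netns(8) as CwF suggests, as an added example that is not from any poster in this thread. The namespace name nonet, the use of runuser to drop back to the invoking user, and the loopback-only check are assumptions; the namespace is given nothing but lo, so no route to the Internet exists for anything started inside it.

```shell
#!/bin/sh
# Added example, not from the thread: a network namespace holding only
# loopback, so programs run inside it have no path to the Internet at all.
# Namespace name "nonet" is an assumption.
set -eu

NS="${NS:-nonet}"

# Pure helper: list interfaces under a /sys/class/net tree (default: the
# current namespace's). ip netns exec remounts /sys, so inside the
# namespace this reflects that namespace only.
ifaces_in() {
    ls "${1:-/sys/class/net}"
}

# Succeeds only when loopback is the sole interface, i.e. the namespace
# really is closed. The directory argument exists so the check can be
# exercised without root; inside the namespace the default is what counts.
only_loopback() {
    [ "$(ifaces_in "${1:-/sys/class/net}" | tr '\n' ' ')" = "lo " ]
}

# Privileged (root): create the namespace and bring up loopback. No veth
# pair is created and no physical NIC is moved in, so there is no uplink.
ns_setup() {
    ip netns add "$NS"
    ip -n "$NS" link set lo up
}

# Privileged: run a program inside the namespace, dropping root back to
# the invoking user so the confined program itself does not run as root.
ns_run() {
    ip netns exec "$NS" runuser -u "${SUDO_USER:-$USER}" -- "$@"
}

# Privileged: re-run this script inside the namespace to confirm from the
# inside that "lo" is the only interface (exit status 0 = closed).
ns_check() {
    ip netns exec "$NS" sh "$0" inside-check
}

ns_destroy() { ip netns del "$NS"; }

# Without root, "unshare -rn <program>" (util-linux) gives the same
# loopback-only namespace via an unprivileged user namespace.
case "${1:-}" in
    setup)        ns_setup ;;
    run)          shift; ns_run "$@" ;;
    check)        ns_check ;;
    inside-check) only_loopback ;;
    destroy)      ns_destroy ;;
esac
```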
-
- Posts: 487
- Joined: 2009-07-04 06:32
- Location: Home: Barrackpore and Mysore
- Has thanked: 6 times
Re: [Software] programs accessing internet only with permission firewall
Read the containers link. From there to REST, or representational state transfer architectural style API. These remain abstract ideas unless implemented for personal experience. Like the DESCRIPTION section of ip-netns. Abstract until individual aspects of it are explored personally. A detailed idea of network concepts and protocols is expected.
What is the scope for containers and REST APIs in Debian? How are these implemented? How are then the resources like internet access by individual programs controlled? Checked the packages in Debian (mine is the old version): lxd, lxd-client and the python libraries to implement LXD REST APIs.
So the next set of questions would be: Why a full VM? Why not containers like LXD? What benefits do these provide if I am using a laptop and want to control the internet access for individual programs running there?
Freedom is impossible to conceive.
Books that help:
Dale Carnegie's How To Win Friends And Influence People and Emilie Post's Etiquette In Society, In Business, In Politics, And At Home