Code: Select all
ALL ALL=(:no-networking) NOPASSWD:SETENV: ALLCode: Select all
sudo -g no-networking COMMAND [ARGUMENT]...
Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
What is the correct way to package network traffic rules?
-
ericpruitt
- Posts: 4
- Joined: 2015-07-18 05:38
What is the correct way to package network traffic rules?
I have iptables rules configured on my system that I used to block traffic being sent by a particular group. I pair this with a sudoers rule consisting of: so I can block network access for a program by running it as that group with something like:
I want to create a Debian package that includes the firewall rules to simplify installing them on other systems. What's the correct way to package network rules? Is there a way I can do that will still work regardless of whether the system uses raw iptables, ufw, firewalld, etc.?
-
Aki
- Global Moderator
- Posts: 2979
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 75 times
- Been thanked: 407 times
Re: What is the correct way to package network traffic rules?
Hello,
You are asking two different questions, indeed.
You are asking two different questions, indeed.
The distribution of configurations to managed computers is not necessarily done by distributing packages. It can be done by configuration packages, in any way.ericpruitt wrote: ↑2023-11-01 04:20 [..] I want to create a Debian package that includes the firewall rules to simplify installing them on other systems. What's the correct way to package network rules?
There isn't a single program to rule them all. If none of them are installed, it can be done using iptables/netfilter.ericpruitt wrote: ↑2023-11-01 04:20 Is there a way I can do that will still work regardless of whether the system uses raw iptables, ufw, firewalld, etc.?
-
lindi
- Debian Developer
- Posts: 452
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: What is the correct way to package network traffic rules?
Why are you trying to block network traffic here? I can think of many ways to bypass the blocking that you are using (for example "systemd-run --user curl https://ifconfig.me").
-
ericpruitt
- Posts: 4
- Joined: 2015-07-18 05:38
Re: What is the correct way to package network traffic rules?
Yes, I realize there are ways to get around this including cron and atd to name a couple of other options. My use case is blocking network access to reduce casual telemetry and old software trying to make outgoing connections to internet services that no longer exist (which is a problem for some older commercial titles I run under Wine). It's NOT intended as protection against malicious software. That being said, iptables has the ability to block traffic using supplementary groups using "--suppl-group" which would reduce the number of avenues for making outgoing connections if the user in question was a member of the group being blocked.lindi wrote: ↑2023-11-03 21:59 Why are you trying to block network traffic here? I can think of many ways to bypass the blocking that you are using (for example "systemd-run --user curl https://ifconfig.me").