[opensuse] preventing programs from accessing the net
What's the best/easiest way to stop a program accessing the net?

I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.

Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* Dave Howorth <dave@howorth.org.uk> [07-14-18 08:50]:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
disconnect from the internet, unplug cable or systemctl stop network

afterwards simply systemctl start network or re-plug cable

you will/should get an error when something tries to access the disconnected network.

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
YES! And that is significant. Dave's message was very unspecific.

This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running. I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
* Dave Howorth <dave@howorth.org.uk> [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!

it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
On 2018-07-14 at 14:17 -0400, Patrick Shanahan wrote:
* Dave Howorth <> [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!
it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
Your approach blocks all programs and all users. He wants to block one.

-- Cheers Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" (Minas Tirith))
* Carlos E. R. <robin.listas@telefonica.net> [07-14-18 17:55]:
On 2018-07-14 at 14:17 -0400, Patrick Shanahan wrote:
* Dave Howorth <> [07-14-18 11:39]:
On Sat, 14 Jul 2018 11:17:59 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
On 14/07/18 10:56 AM, Patrick Shanahan wrote:
you will/should get an error when something tries to access the disconnected network.
Thanks for the idea. I guess that is simple but I was hoping for something a little less drastic. I'd really like to still be able to access the internet whilst the program is running.
I've read of a program called firejail for example and I believe iptables can do it but I've no experience of either (or of AppArmor if that can do it, or the firewall) so I was hoping somebody could recommend something.
YES! And that is significant. Dave's message was very unspecific.
I'm not sure what else you want me to tell you?
This method will tell you exactly what program is trying to access the net. You can then tweak apparmor, for example, to specifically block it. Examples: https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-inte...
kiss is the BEST principle!
it appears from following this thread and related that you specifically look for exotic approaches/solutions rather than simple ones. you will never achieve what you seek in a short, manageable timeframe unless you try smaller steps and simpler approaches. it is very simple and easy to re-enable network access. do the checks you are trying to make take so much time that you cannot do w/o network access for a short time?
Your approach blocks all programs and all users. He wants to block one.
-- Cheers Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" (Minas Tirith))
yes, for testing over a short period, wtf.
On 14.07.2018 at 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
You may try network namespaces: https://lmddgtfy.net/?q=linux%20netns

You can create a new network namespace, without attaching any interfaces to it, and run your application in it.

Example:

sudo ip netns add isolated
sudo ip netns exec isolated sudo -u my_username -i

This will start a new shell session running as your user, but without any access to the network.

If you want to start a graphical application in it, you need to execute

export DISPLAY=unix:0

-- Adam Mizerski
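As an added example (not from Adam's post or anyone on the list), here is the network-namespace approach wrapped into a small POSIX shell script. The script and function names are mine; it assumes iproute2 (`ip`) and util-linux (`unshare`), and it also brings loopback up, which a bare `ip netns add` leaves down, so programs that talk to 127.0.0.1 still work while everything outside is unreachable.

```shell
#!/bin/sh
# nonet.sh: run one command (e.g. "make" and everything it spawns) inside a
# network namespace whose only interface is loopback. Any child that tries
# to reach the network fails at once with "Network is unreachable", while
# the rest of the system keeps its connectivity.
# Added example; assumes iproute2 ("ip") and util-linux ("unshare").

# Unprivileged variant: unshare(1) creates a user namespace (so no root is
# needed) plus a fresh, empty network namespace that vanishes when the
# command exits. Loopback is brought up first so programs that use
# 127.0.0.1 (local caches, local daemons) keep working.
run_without_net() {
    unshare --user --map-root-user --net \
        sh -c 'ip link set lo up 2>/dev/null; exec "$@"' sh "$@"
}

# Privileged variant following Adam's post: a named, persistent namespace
# that several runs can share. Needs sudo; remove it afterwards with
# "sudo ip netns del <name>". The command runs as the invoking user.
run_in_named_ns() {
    ns=$1; shift
    sudo ip netns add "$ns" 2>/dev/null || true   # no-op if it already exists
    sudo ip netns exec "$ns" ip link set lo up
    sudo ip netns exec "$ns" sudo -u "$(id -un)" -- "$@"
}

# Check whether the current namespace has any route to the outside: exit 0
# if it does, non-zero otherwise. "ip route get" only consults the routing
# table and sends no packets; 198.51.100.1 is an RFC 5737 documentation
# address, never a real host.
has_route_out() {
    ip route get 198.51.100.1 >/dev/null 2>&1
}

# Usage:
#   ./nonet.sh make
#   ./nonet.sh strace -f -e trace=connect -o net.log make
# The second form additionally records which child process attempted
# which connection, which is the "who tried to reach what" Dave asked for.
if [ "$#" -gt 0 ]; then
    run_without_net "$@"
fi
```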
On Sat, 14 Jul 2018 21:29:45 +0200 Adam Mizerski <adam@mizerski.pl> wrote:
On 14.07.2018 at 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
You may try network namespaces: https://lmddgtfy.net/?q=linux%20netns
You can create a new network namespace, without attaching any interfaces to it, and run your application in it.
Example:
sudo ip netns add isolated
sudo ip netns exec isolated sudo -u my_username -i
This will start a new shell session running as your user, but without any access to the network.
If you want to start a graphical application in it, you need to execute
export DISPLAY=unix:0
Excellent! Many thanks, that's exactly the kind of thing I was looking for.
On 2018-07-14 14:49, Dave Howorth wrote:
What's the best/easiest way to stop a program accessing the net?
I want to run a program (actually 'make') that may in turn run other programs and some of which might try to access the net. I'd like the access to be stopped and me given a meaningful error message (i.e. what part of what program tried to access what net resource). Ideally, I'd then have the choice of aborting or allowing it to continue.
Searching throws up various possibilities, some of which are not in the standard repositories, and I'm not sure what the best approach is.
imho there are multiple ways to achieve this.

Firstly, iptables has a huge amount of seldom used options, you can specify the UID of who is generating traffic, and allow/deny that. But that is strict on every thing a specific user tries to do.

other approach, might be to handle this through apparmor. For each application you can define what a program is allowed to do. In this case: refrain a program from any network access.
participants (6): Adam Mizerski, Anton Aylward, Carlos E. R., Dave Howorth, Patrick Shanahan, suse@a-domani.nl