On Thursday 2006-01-26 at 00:25 -0800, Crispin Cowan wrote:

>> A trick was published here about how to block acroread from contacting
>> internet outside, using the local machine firewall.
>
> I posted a trick of how to prevent it using AppArmor, which is to deny
> Acrobat read access to the Javascript libraries. If there was a
> firewall-based trick, I haven't seen it. I have some issue with whether
> it *could* work; you are going to want to configure your firewall so
> that HTTP requests can go out port 80, and there is nothing to prevent
> the Javascript from using exactly that channel to get their message out.
It was published by Nordi:
| Date: Mon, 18 Apr 2005 15:56:26 +0200
| From: nordi
| Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
The trick, that only works if the firewall is in the same machine, is to
make the acrobat binary owned by a certain group, say "talker" and make it
SGID; then, using the "--gid-owner" option in iptables, you can block any
program executing under that group from internet access:

    iptables -A OUTPUT -m owner --gid-owner talker -j REJECT

I'm sure there are people here much more knowledgeable than me in these
things who could write a small script to activate/deactivate that iptables
rule when the user wants, coupled with a line in /etc/permissions.local.
;-)
It could be inserted in "/etc/sysconfig/scripts/SuSEfirewall2-custom", but
I don't know exactly where.
--
Cheers,
Carlos Robinson
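
The message above asks for a small script to switch the rule on and off. One way to write it, as an added example that is not part of the original post or thread: the function names, the subcommands and the BLOCK_GROUP and IPTABLES variables are assumptions, and "talker" is the example group name from the post.

```shell
#!/bin/sh
# Added example: toggle the group-based egress block described in the post.
# Assumed names (not from the post): IPTABLES, BLOCK_GROUP, all functions.
IPTABLES=${IPTABLES:-iptables}
BLOCK_GROUP=${BLOCK_GROUP:-talker}   # example group name used in the post

# The rule from the post, without the -A/-D/-C action in front of it.
rule_spec() {
    echo "OUTPUT -m owner --gid-owner $BLOCK_GROUP -j REJECT"
}

# Succeeds when the rule is already loaded (-C only checks, changes nothing).
rule_present() {
    $IPTABLES -C $(rule_spec) 2>/dev/null
}

# Idempotent: appending twice would leave a duplicate rule behind.
block_on() {
    rule_present || $IPTABLES -A $(rule_spec)
}

# Loop so that duplicates added by hand are removed as well.
block_off() {
    while rule_present; do
        $IPTABLES -D $(rule_spec) || return 1
    done
}

# The rule only matters if the program really runs under BLOCK_GROUP:
# the file must be group-owned by it and carry the SGID bit.
# Linux ignores SGID on scripts, so pass the real executable, not a wrapper.
binary_confined() {
    [ -f "$1" ] && [ -g "$1" ] && [ "$(stat -c %G "$1")" = "$BLOCK_GROUP" ]
}

case "${1:-}" in
    on)     block_on ;;
    off)    block_off ;;
    status) rule_present && echo "blocked" || echo "not blocked" ;;
    check)  binary_confined "${2:-}" && echo "confined" || echo "NOT confined" ;;
    "")     : ;;   # no argument: only define the functions (file was sourced)
    *)      echo "usage: $0 on|off|status|check <binary>" >&2; exit 2 ;;
esac
```

Run it as root; the `status` and idempotency checks need an iptables version that supports `-C`.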