Re: Application-specific networking
On 11/18/20 8:52 AM, William Oliver wrote:
> I'd like to say thanks to everybody who responded. I don't know much about
> containers, so I'll have to do some self-educating to see if these are good
> solutions -- but they certainly look like a good place to dig around in.
>
> I appreciate the help. If I get a solution, I'll check back in and let folk
> know how it turned out.

For your simple use-case, a routing rule would be a lot easier.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Re: Application-specific networking
On Wed, 2020-11-18 at 11:51 +0100, Roberto Ragusa wrote:
> [snip]
> Very good idea, namespaces are a very powerful tool that many people
> ignore.
>
> I sometimes want to run a program without allowing any network access,
> my approach is:
>
> unshare -n /bin/bash
>
> this will give you a shell where everything can be run, but ifconfig -a will
> show you that there are no network interfaces (localhost is missing too).
>
> In your case you should play with the VPN in the secondary namespace,
> where you have to arrange some way to get traffic out, so that the VPN
> can work.
> The idea of letting podman do all the setup and then "borrow" the namespace
> for something out of the container is very smart.
>
> ("container" is a meaningless word; the kernel only knows about namespaces,
> you can use or not each of them, in your case network is all you need...)
>
> Best regards.
>
> --
> Roberto Ragusa
> mail at robertoragusa.it

I'd like to say thanks to everybody who responded. I don't know much about
containers, so I'll have to do some self-educating to see if these are good
solutions -- but they certainly look like a good place to dig around in.

I appreciate the help. If I get a solution, I'll check back in and let folk
know how it turned out.

billo
Re: Application-specific networking
On 11/18/20 6:51 AM, Roberto Ragusa wrote:
> unshare -n /bin/bash
>
> this will give you a shell where everything can be run, but ifconfig -a
> will show you that there are no network interfaces (localhost is missing
> too).

Never thought about that one. Great idea.

> The idea of letting podman do all the setup and then "borrow" the
> namespace for something out of the container is very smart.

Indeed! If it weren't for podman, one would have to create the namespace, the
bridge interface on the host, the tap interfaces, assign IPs to them, insert
proper firewall rules, and so on. I like how you phrased that.

> ("container" is a meaningless word; the kernel only knows about
> namespaces, you can use or not each of them, in your case network is
> all you need...)

Right on.

--
Jorge
Re: Application-specific networking
On 2020-11-17 20:14, Jorge Fábregas wrote:
> Ok, I've just done it now. I launched my VPN within a container. Then on my
> host I searched for the $PID of the process and then:
>
> nsenter -t $PID -n firefox
>
> Now Firefox shares the network namespace of the running container (without
> having to create a "firefox container" beforehand...).

Very good idea, namespaces are a very powerful tool that many people ignore.

I sometimes want to run a program without allowing any network access,
my approach is:

unshare -n /bin/bash

this will give you a shell where everything can be run, but ifconfig -a will
show you that there are no network interfaces (localhost is missing too).

In your case you should play with the VPN in the secondary namespace,
where you have to arrange some way to get traffic out, so that the VPN can
work.
The idea of letting podman do all the setup and then "borrow" the namespace
for something out of the container is very smart.

("container" is a meaningless word; the kernel only knows about namespaces,
you can use or not each of them, in your case network is all you need...)

Best regards.

--
Roberto Ragusa
mail at robertoragusa.it
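The two commands Jorge and Roberto describe above (nsenter -t $PID -n and unshare -n), wrapped in a small script together with the check a practitioner wants afterwards: whether a given process really ended up in a different network namespace. This is an added example, not code from the thread; the podman container name, the sub-command names and the "check" helper are this example's own assumptions. nsenter and unshare need root (CAP_SYS_ADMIN) for network namespaces; the check itself does not.

```shell
#!/bin/sh
# Borrow a running container's network namespace (nsenter) or run with no
# network at all (unshare -n), and verify which namespace a process is in.
# Container name, sub-commands and the check are this example's assumptions.
set -e

# Identity of a PID's network namespace: the "net:[inode]" link under /proc.
# Comparing two of these is the reliable test for "same namespace".
netns_id() {
    readlink "/proc/$1/ns/net"
}

# Exit 0 if PIDs $1 and $2 share a network namespace, 1 otherwise.
same_netns() {
    a=$(netns_id "$1") || return 1
    b=$(netns_id "$2") || return 1
    [ "$a" = "$b" ]
}

# PID of a running podman container's init process, looked up by name.
container_pid() {
    podman inspect -f '{{.State.Pid}}' "$1"
}

# Run "$@" with only the network namespace of PID $1 borrowed. Mount, user and
# PID namespaces stay the caller's, so the program still reads the host's files
# (including /etc/resolv.conf); only its sockets live in the other namespace.
run_in_netns_of() {
    pid=$1; shift
    [ -r "/proc/$pid/ns/net" ] || { echo "cannot read /proc/$pid/ns/net" >&2; return 1; }
    nsenter -t "$pid" -n -- "$@"
}

# Run "$@" in a fresh network namespace with no interfaces at all, not even lo.
run_without_network() {
    unshare -n -- "$@"
}

# Sub-commands; with no arguments the file only defines the functions above.
case "${1:-}" in
    join)    shift; name=$1; shift; run_in_netns_of "$(container_pid "$name")" "$@" ;;
    offline) shift; run_without_network "$@" ;;
    check)   if same_netns "$2" "$3"; then echo "PIDs $2 and $3 share a network namespace"
             else echo "PIDs $2 and $3 are in different network namespaces"; fi ;;
    "")      ;;
    *)       echo "usage: $0 join CONTAINER CMD... | offline CMD... | check PID PID" >&2; exit 2 ;;
esac
```

Typical use, as root, with a container named vpnbox (assumed name) that runs the VPN: `./app-netns.sh join vpnbox firefox`, then `./app-netns.sh check $(pgrep -n firefox) $(podman inspect -f '{{.State.Pid}}' vpnbox)` to confirm the browser landed in the container's namespace rather than the host's. Two things to keep in mind: `-n` borrows only the network namespace, so the isolation is network-only and the program keeps full access to the host filesystem and users, which is exactly the "network is all you need" point Roberto makes; and because the host's /etc/resolv.conf is still read, a resolver entry pointing at a local stub such as 127.0.0.53 now refers to the container's loopback, where nothing answers, so DNS has to be reachable from inside that namespace.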
Re: Application-specific networking
On 11/17/20 6:22 PM, Patrick O'Callaghan wrote:
> I've done this successfully using a VM, but not with a container. Can
> you give step-by-step instructions? I'm not very familiar with the
> container stuff other than basic uses of flatpak.

Well, there are no specific steps. It'll all depend on what VPN you use and
what container engine you use, like docker, podman etc. There's a whole world
when it comes to containerization :) You can search for fedora & podman
tutorials. There are plenty.

In a nutshell, instead of running a full VM with a VPN just so that you have a
level of isolation (network-wise), which is overkill, you simply run a small
container. If you could run your VPN within a container (launched via podman)
then you can attach your regular non-containerized applications to the
container's network namespace. They'll be just "contained" network-wise.

Again, you'll need to have a basic understanding of how containers work
underneath (the different Linux namespaces etc) in order to play with this
stuff.

Cheers!

--
Jorge
Re: Application-specific networking
On 17Nov2020 09:00, William Oliver wrote:
> I normally use a VPN that routes through another country. This works
> fine. However, a site I often use recently changed its security
> policies and now will only allow connection from networks that claim to
> be based in the US. So, in order to connect, I either have to turn off
> my VPN or route it through a US proxy or just my ISP -- which I can do,
> but I resent it a little.

My approach isn't app specific, it's domain/website specific.

I run a local proxy (squid in my case) and route everything through it. I've
got a persistent ssh tunnel to a US VM etc, with a proxy on the VM. Then I just
configure the proxy rules to choose the appropriate upstream proxy for special
domains (including "DIRECT" - no upstream proxy).

"What a PITA" I hear you say. But I actually drive the rules from a simple text
file. An upstream proxy is defined thus:

UPSTREAM1=host:port

and a rule looks like:

UPSTREAM *.wikipedia.org *.wikia.com

Obviously, pick memorable proxy names. The name "DIRECT" is special in my
script and turns into "no proxy". Like any ACL, rules apply in the order in the
file: first match is chosen.

I run squid via my svcd command, which accepts a signature argument - when the
proxy rule file changes, the squid.conf ACLs get recomputed and squid is
restarted. So adjusting the rule just means editing the file and waiting a few
seconds for the restart.

The rule generation is done by my proxy-peerage script, which emits acl
definitions and cache_peer directives. I patch the squid.conf from that.

My proxy-peerage script is here:

https://hg.sr.ht/~cameron-simpson/css/browse/bin/proxy-peerage?rev=tip

along with everything else.

Cheers,
Cameron Simpson
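A compiler for the rule-file format Cameron describes (NAME=host:port definitions, "NAME glob ..." rules, DIRECT meaning no upstream, first match wins), written here as an added example rather than taken from his proxy-peerage script linked above, which may do things differently. Beyond the acl and cache_peer directives he mentions, this version also emits cache_peer_access, always_direct and never_direct lists so that squid honours the file order in every place it makes the upstream-or-direct decision. The peerage_N ACL names, the "domains matched by no rule go direct" behaviour and the sample rules are this example's own choices.

```shell
#!/bin/sh
# Compile a proxy-peerage style rule file into a squid.conf fragment.
# Rule file syntax, as described in the post:
#   NAME=host:port                define upstream proxy NAME
#   NAME domain-glob [glob ...]   send these domains via NAME; DIRECT = no upstream
# Rules apply in file order and the first match wins. ACL names (peerage_N),
# the sample rules and the include step are this example's own assumptions.
set -e

# Read rules on stdin, write squid directives on stdout. Exits 1 on a
# malformed upstream line or a rule that names an undefined proxy.
proxy_peerage() {
    awk '
    /^[ \t]*$/ { next }                           # blank lines
    /^[ \t]*#/ { next }                           # comments
    /^[A-Za-z_][A-Za-z0-9_]*=[^= \t]+$/ {         # NAME=host:port
        eq = index($0, "="); name = substr($0, 1, eq - 1); hp = substr($0, eq + 1)
        if (name == "DIRECT" || split(hp, a, ":") != 2 || a[2] !~ /^[0-9]+$/) {
            printf("line %d: bad upstream definition: %s\n", NR, $0) > "/dev/stderr"
            err = 1; exit 1
        }
        npeers++; peers[npeers] = name; host[name] = a[1]; port[name] = a[2]
        next
    }
    {                                             # NAME glob [glob ...]
        name = $1
        if (NF < 2 || (name != "DIRECT" && !(name in host))) {
            printf("line %d: bad rule: %s\n", NR, $0) > "/dev/stderr"
            err = 1; exit 1
        }
        nrules++; target[nrules] = name; doms = ""
        for (i = 2; i <= NF; i++) {
            d = $i; sub(/^\*/, "", d)             # *.example.com -> .example.com (squid dstdomain form)
            doms = doms " " d
        }
        domains[nrules] = doms
    }
    END {
        if (err) exit 1
        for (p = 1; p <= npeers; p++)
            printf("cache_peer %s parent %s 0 no-query name=%s\n",
                   host[peers[p]], port[peers[p]], peers[p])
        for (r = 1; r <= nrules; r++)
            printf("acl peerage_%d dstdomain%s\n", r, domains[r])
        # Replay the file order into every squid access list, so the first
        # matching rule wins whichever list squid consults for a request.
        for (p = 1; p <= npeers; p++) {
            for (r = 1; r <= nrules; r++)
                printf("cache_peer_access %s %s peerage_%d\n", peers[p],
                       ((target[r] == peers[p]) ? "allow" : "deny"), r)
            printf("cache_peer_access %s deny all\n", peers[p])
        }
        for (r = 1; r <= nrules; r++)
            printf("always_direct %s peerage_%d\n", ((target[r] == "DIRECT") ? "allow" : "deny"), r)
        for (r = 1; r <= nrules; r++)
            printf("never_direct %s peerage_%d\n", ((target[r] == "DIRECT") ? "deny" : "allow"), r)
    }'
}

# Constructed sample rule file for a stand-alone run (hosts are placeholders).
sample_rules() {
    printf '%s\n' \
        '# upstreams' \
        'US=us-vm.example:3128' \
        'HOME=localhost:3129' \
        'US *.wikipedia.org *.wikia.com' \
        'DIRECT *.fedoraproject.org'
}

if [ "${1:-}" = "--demo" ]; then
    sample_rules | proxy_peerage
fi
```

To use it the way the post describes, generate the fragment from the rule file (`proxy_peerage < ~/.proxy-rules > /etc/squid/peerage.conf`), reference it from squid.conf with an `include /etc/squid/peerage.conf` line, and `squid -k reconfigure` whenever the rule file changes. Note that a DIRECT rule means the request leaves from the squid host itself, over whatever route that host currently has (VPN or not), so DIRECT is "no upstream proxy" rather than "bypass the VPN".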
Re: Application-specific networking
On Tue, 2020-11-17 at 15:14 -0400, Jorge Fábregas wrote:
> On 11/17/20 2:44 PM, Jorge Fábregas wrote:
> > On 11/17/20 10:00 AM, William Oliver wrote:
> > > Is this doable? Does anybody know where to look for info?
> >
> > What about running that 2nd VPN (US-based) within a standard container?
> > Then open your needed apps "in that same network namespace"? (the
> > network namespace of the container running the VPN). I've never done it
> > but I believe it is doable.
>
> Ok, I've just done it now. I launched my VPN within a container. Then
> on my host I searched for the $PID of the process and then:
>
> nsenter -t $PID -n firefox
>
> Now Firefox shares the network namespace of the running container
> (without having to create a "firefox container" beforehand...).
>
> I did this test as root.

I've done this successfully using a VM, but not with a container. Can
you give step-by-step instructions? I'm not very familiar with the
container stuff other than basic uses of flatpak.

poc
Re: Application-specific networking
On 11/17/20 6:00 AM, William Oliver wrote:
> I normally use a VPN that routes through another country. This works
> fine. However, a site I often use recently changed its security
> policies and now will only allow connection from networks that claim to
> be based in the US. So, in order to connect, I either have to turn off
> my VPN or route it through a US proxy or just my ISP -- which I can do,
> but I resent it a little.

Just add a routing rule for the IP or range for that site that uses your ISP
gateway. That will override the default gateway of your VPN.

I still generally use the "route" command although it's deprecated in favour
of "ip route".
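The routing-rule approach from this reply, as an added example that is not from the post: a small script that validates the inputs, installs the route with `ip route replace`, lets you confirm with `ip route get` which gateway the kernel now picks, and shows why the added route wins over the VPN's default. The prefix 203.0.113.0/24, gateway 192.0.2.1 and interface eth0 are constructed placeholders; DRY_RUN=1 prints the ip commands instead of running them (the real run needs root).

```shell
#!/bin/sh
# Pin one site's address range to the ISP gateway while everything else keeps
# using the VPN, then verify what the kernel actually chose. Prefix, gateway
# and interface values are constructed placeholders; DRY_RUN=1 prints the ip
# commands instead of executing them.
set -e

# 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Prefix length of an address or CIDR; a bare address is a /32 host route.
prefix_len() {
    case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac
}

# 0 if route $1 beats route $2 under longest-prefix matching. This is why a
# /24 or /32 added here wins over the VPN's default route, and also over the
# 0.0.0.0/1 + 128.0.0.0/1 pair some VPN clients install instead of replacing
# the default.
more_specific() {
    [ "$(prefix_len "$1")" -gt "$(prefix_len "$2")" ]
}

# Add or replace a route for DEST (address or CIDR) via the ISP gateway GW on
# interface DEV. Validates inputs before touching the routing table.
route_via_isp() {
    dest=$1; gw=$2; dev=$3
    is_ipv4 "${dest%/*}" || { echo "bad destination: $dest" >&2; return 1; }
    is_ipv4 "$gw"        || { echo "bad gateway: $gw" >&2; return 1; }
    len=$(prefix_len "$dest")
    case $len in ''|*[!0-9]*) len=99 ;; esac
    [ "$len" -le 32 ] || { echo "bad prefix length: $dest" >&2; return 1; }
    ${DRY_RUN:+echo} ip route replace "$dest" via "$gw" dev "$dev"
}

# Ask the kernel which gateway and interface it would use for ADDR right now;
# run before and after route_via_isp to confirm the override took effect.
check_route() {
    ${DRY_RUN:+echo} ip route get "$1"
}

if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1                                     # demo only prints the commands
    route_via_isp 203.0.113.0/24 192.0.2.1 eth0   # constructed values
    check_route 203.0.113.10
fi
```

Two caveats worth checking in practice: the site's name is still resolved through whatever resolver the VPN hands you, and sites behind a CDN change addresses, so `check_route` against a freshly resolved address is the way to confirm the rule still applies; and if the VPN client rewrites the routing table on reconnect, the rule has to be reapplied afterwards.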
Re: Application-specific networking
On 11/17/20 2:44 PM, Jorge Fábregas wrote:
> On 11/17/20 10:00 AM, William Oliver wrote:
>> Is this doable? Does anybody know where to look for info?
>
> What about running that 2nd VPN (US-based) within a standard container?
> Then open your needed apps "in that same network namespace"? (the
> network namespace of the container running the VPN). I've never done it
> but I believe it is doable.

Ok, I've just done it now. I launched my VPN within a container. Then on my
host I searched for the $PID of the process and then:

nsenter -t $PID -n firefox

Now Firefox shares the network namespace of the running container (without
having to create a "firefox container" beforehand...).

I did this test as root.

HTH,
Jorge
Re: Application-specific networking
On 11/17/20 10:00 AM, William Oliver wrote:
> Is this doable? Does anybody know where to look for info?

What about running that 2nd VPN (US-based) within a standard container? Then
open your needed apps "in that same network namespace"? (the network namespace
of the container running the VPN). I've never done it but I believe it is
doable.

HTH
Jorge
Re: Application-specific networking
> On 17 Nov 2020, at 14:00, William Oliver wrote:
>
> This isn't a fedora-specific question, but I don't know where to ask.
>
> If there's a fedora-specific answer, thanks, and if not, I'd
> appreciate a pointer to the appropriate forum.
>
> I normally use a VPN that routes through another country. This works
> fine. However, a site I often use recently changed its security
> policies and now will only allow connection from networks that claim to
> be based in the US. So, in order to connect, I either have to turn off
> my VPN or route it through a US proxy or just my ISP -- which I can do,
> but I resent it a little.
>
> So, I was thinking about adding another network card. I'd have one
> attached to my VPN and another attached just to the ISP. I'd like for
> some applications to use one card and other applications to use
> another, e.g. my browser to use the ISP-attached card and my email
> client to use the VPN-attached card.
>
> I've set up machines as bridges and gateways before, and I can
> configure moving traffic between two cards, but I've never tried to
> have different applications use different cards.
>
> Is this doable? Does anybody know where to look for info?

Why not add a second VPN connection that comes out in the US and set up routing
to use that for your app that wants a US IP.

Barry

> Thanks!
>
> billo
Re: Application-specific networking
On Tue, 2020-11-17 at 09:00 -0500, William Oliver wrote:
> This isn't a fedora-specific question, but I don't know where to ask.
>
> If there's a fedora-specific answer, thanks, and if not, I'd
> appreciate a pointer to the appropriate forum.
>
> I normally use a VPN that routes through another country. This works
> fine. However, a site I often use recently changed its security
> policies and now will only allow connection from networks that claim to
> be based in the US. So, in order to connect, I either have to turn off
> my VPN or route it through a US proxy or just my ISP -- which I can do,
> but I resent it a little.
>
> So, I was thinking about adding another network card. I'd have one
> attached to my VPN and another attached just to the ISP. I'd like for
> some applications to use one card and other applications to use
> another, e.g. my browser to use the ISP-attached card and my email
> client to use the VPN-attached card.
>
> I've set up machines as bridges and gateways before, and I can
> configure moving traffic between two cards, but I've never tried to
> have different applications use different cards.
>
> Is this doable? Does anybody know where to look for info?

It is theoretically possible to get the same result without having to buy a new
card. Some VPNs support "split tunnelling", which will in effect create an
additional virtual interface and let you connect to selected destinations
through it rather than the default. AFAIK it all involves playing games with
network namespaces ('ip -netns ...'). I say "theoretically" because I've never
actually managed to get this to work in Fedora, though there are several
articles on the subject for other distros.

Note that even if you buy a new card, it will still be connected to your ISP,
so I don't think you'll gain anything.

poc