Re: block a program from access the Internet.
On Mon, Sep 09, 2013 at 11:01:38AM -, atar wrote:
> Hi there!!
> Just wanted to know please if there's a way to block a specific program from accessing the Internet while preserving at the same time the ability of other programs to access the Internet, and if there's a way, so how?

Maybe this will help...
http://wiki.apparmor.net/index.php/Documentation

--
software engineer
Rajagiri school of engineering and technology.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130911120252.ga5...@debian.jeff
Re: block a program from access the Internet.
On 10.09.2013 01:54, Pascal Hambourg wrote:
> Lars Noodén wrote:
>> Vincent's link suggests that --cmd-owner was removed from iptables entirely.
>
> Actually it was removed from the kernel part of iptables, not from the iptables userland.
>
>> It would be important to find a more authoritative source on that like the netfilter list or the kernel list.
>
> Is the Linux 2.6.14 changelog authoritative enough?

That would do it. :)

> commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
> Author: Christoph Hellwig h...@lst.de
> Date:   Sun Aug 14 17:33:59 2005 -0700
>
>     [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
>
>     Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

2.6.14 was a while ago, so I guess it's not coming back. Is it the concept itself that is broken or the implementation? FWIW BSD's PF doesn't have that option either, so I'm guessing the former.

One work-around would be to make a unique user or group for the process which shall be filtered and then use that with the owner match options --uid-owner or --gid-owner.

Regards,
/Lars

Archive: http://lists.debian.org/522ee763.1090...@gmail.com
Re: block a program from access the Internet.
On 09.09.2013 14:01, atar wrote:
> Hi there!!
> Just wanted to know please if there's a way to block a specific program from accessing the Internet while preserving at the same time the ability of other programs to access the Internet, and if there's a way, so how?
> Thanks in advance!!
> atar.

You could try with iptables using -m owner --cmd-owner
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TABLE.OWNERMATCH

But that will only work on a system where everyone behaves themselves. It would be trivial to rename or make a copy of the program and run it under a new name.

Regards,
/Lars

Archive: http://lists.debian.org/522d86e4.9020...@gmail.com
Re: block a program from access the Internet.
> Just wanted to know please if there's a way to block a specific program from accessing the Internet while preserving at the same time the ability of other programs to access the Internet, and if there's a way, so how?

iptables my friend.. If it's a known program, try gufw in the repositories: it's a graphical interface for it. ;)

--
“One original thought is worth a thousand mindless quotings.”
“What is true is no more certain than what is probable.”

Diogene Laerce

Archive: http://lists.debian.org/522d8814.7080...@yahoo.fr
Re: block a program from access the Internet.
Dear atar,

atar wrote:
> Just wanted to know please if there's a way to block a specific program from accessing the Internet while preserving at the same time the ability of other programs to access the Internet, and if there's a way, so how?

AppArmor and SELinux likely have such features; however, they may be difficult to configure. If it is just a single program, the simplest way is probably to run it only as a special user and then use iptables’ --uid-owner option in the owner extension to block outgoing traffic from this user. Remember to also block IPv6 traffic using ip6tables if you have a working IPv6 connection.

Best,
Claudius

--
Please don’t CC me.

Archive: http://lists.debian.org/20130909102844.3d838...@ares.m.archwiz.org
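Claudius's and Lars's suggestion (a dedicated user or group plus the owner match, on both iptables and ip6tables) as a script; this is an added example, not code from the thread. The group name nonet, the rate-limited LOG rule used to verify the block, and starting the program with sg(1) from the shadow package are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Confines one program to a dedicated
# group and uses the iptables owner match (--gid-owner) to reject everything
# that group sends, for both IPv4 and IPv6. The group name "nonet" and the use
# of sg(1) to start the program are assumptions of this example.

GROUP="${NONET_GROUP:-nonet}"

# Emit the rules for one address family as plain text so they can be
# reviewed before they are run. $1 is the binary: iptables or ip6tables.
owner_rules() {
    bin="$1"
    # Keep loopback open so the program can still reach local services.
    printf '%s -I OUTPUT 1 -o lo -m owner --gid-owner %s -j ACCEPT\n' "$bin" "$GROUP"
    # Log (rate-limited) before rejecting: the kernel log line is the check
    # that the confinement really catches the program's connection attempts.
    printf '%s -A OUTPUT -m owner --gid-owner %s -m limit --limit 5/min -j LOG --log-prefix "nonet: "\n' "$bin" "$GROUP"
    # REJECT rather than DROP so the program fails at once instead of hanging.
    printf '%s -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$bin" "$GROUP"
}

# Both families: as Claudius points out, ip6tables needs the same rules.
all_rules() {
    owner_rules iptables
    owner_rules ip6tables
}

# Apply the rules (root required); creates the group if it does not exist.
apply_rules() {
    getent group "$GROUP" >/dev/null || groupadd --system "$GROUP"
    all_rules | sh -e
}

# --gid-owner matches the primary gid of the process that opened the socket,
# so the program must be started with that group as its primary group
# (e.g. `sg nonet -c 'program args'`); mere membership is not enough.
case "${1:-}" in
    apply) apply_rules ;;
    run)   shift; exec sg "$GROUP" -c "$*" ;;
    *)     all_rules ;;   # default: only print the rules for review
esac
```

Run it with no argument to see the six rules, `apply` as root to install them, and `run program` to start the program under the confined group.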
Re: Re: block a program from access the Internet.
Thanks for replying!

Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:

iptables v1.4.14: unknown option --cmd-owner
Try `iptables -h' or 'iptables --help' for more information.

Regards!
atar.

Archive: http://lists.debian.org/op.w248aua5e4gg2u@localhost
Re: block a program from access the Internet.
On 9/9/13 3:14 PM, atar wrote:
> Thanks for replying!
>
> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>
> iptables v1.4.14: unknown option --cmd-owner
> Try `iptables -h' or 'iptables --help' for more information.
>
> Regards!
> atar.

My mistake. It seems that the tutorial is way out of date.

$ iptables -m owner --help
...
owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.

Regards,
/Lars

Archive: http://lists.debian.org/522d9ac3.8070...@gmail.com
Re: block a program from access the Internet.
On 09/09/2013 05:54 AM Lars Noodén wrote:
> On 9/9/13 3:14 PM, atar wrote:
>> Thanks for replying!
>>
>> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>>
>> iptables v1.4.14: unknown option --cmd-owner
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> Regards!
>> atar.
>
> My mistake. It seems that the tutorial is way out of date.
>
> $ iptables -m owner --help
> ...
> owner match options:
> [!] --uid-owner userid[-userid]      Match local UID
> [!] --gid-owner groupid[-groupid]    Match local GID
> [!] --socket-exists                  Match if socket exists
>
> So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.

Hmmm. I get this:

# iptables -V
iptables v1.3.5
# iptables -m owner --help
...
OWNER match v1.3.5 options:
[!] --uid-owner userid       Match local uid
[!] --gid-owner groupid      Match local gid
[!] --pid-owner processid    Match local pid
[!] --sid-owner sessionid    Match local sid
[!] --cmd-owner name         Match local command name
NOTE: pid, sid and command matching are broken on SMP

Archive: http://lists.debian.org/522db7dc.3050...@mousecar.com
Re: block a program from access the Internet.
On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>>
>>> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>>>
>>> iptables v1.4.14: unknown option --cmd-owner
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>> atar.
>>
>> My mistake. It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid]      Match local UID
>> [!] --gid-owner groupid[-groupid]    Match local GID
>> [!] --socket-exists                  Match if socket exists
>>
>> So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.
>
> Hmmm. I get this:
>
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid       Match local uid
> [!] --gid-owner groupid      Match local gid
> [!] --pid-owner processid    Match local pid
> [!] --sid-owner sessionid    Match local sid
> [!] --cmd-owner name         Match local command name
> NOTE: pid, sid and command matching are broken on SMP

FWIW mine is also iptables 1.4.14,

$ lsb_release -rd
Description:    Debian GNU/Linux 7.0 (wheezy)
Release:        7.0
$ iptables -V
iptables v1.4.14

So somewhere between 1.3.5 and 1.4.14, the capability disappeared.

Regards,
/Lars

Archive: http://lists.debian.org/522dc402.9050...@gmail.com
Re: block a program from access the Internet.
On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>>
>>> Unfortunately, when invoking the 'iptables' command with the arguments you've suggested, the program says:
>>>
>>> iptables v1.4.14: unknown option --cmd-owner
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>> atar.
>>
>> My mistake. It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid]      Match local UID
>> [!] --gid-owner groupid[-groupid]    Match local GID
>> [!] --socket-exists                  Match if socket exists
>>
>> So it looks like cmd-owner is no longer used. Apparmor or SELinux mentioned by Claudius are the next things to try, though they are more complex.
>
> Hmmm. I get this:
>
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid       Match local uid
> [!] --gid-owner groupid      Match local gid
> [!] --pid-owner processid    Match local pid
> [!] --sid-owner sessionid    Match local sid
> [!] --cmd-owner name         Match local command name
> NOTE: pid, sid and command matching are broken on SMP

One possible explanation might be SMP:

$ uname -a
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2+deb7u2 i686 GNU/Linux

Regards,
/Lars

Archive: http://lists.debian.org/522dc5c9.1080...@gmail.com
Re: block a program from access the Internet.
On 2013-09-09 15:50:10 +0300, Lars Noodén wrote:
> So somewhere between 1.3.5 and 1.4.14, the capability disappeared.

Yes, according to
http://unix.stackexchange.com/questions/32264/per-process-firewall
--cmd-owner was removed because it didn't work properly.

--
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Archive: http://lists.debian.org/20130909143409.gb19...@ypig.lip.ens-lyon.fr
Re: block a program from access the Internet.
Lars wrote:
> One possible explanation might be SMP:
>
> $ uname -a
> Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2+deb7u2 i686 GNU/Linux
>
> Regards,
> /Lars

Sorry, but what do you mean by 'SMP'?

Regards,
atar.

Archive: http://lists.debian.org/op.w25yatoae4gg2u@localhost
Re: block a program from access the Internet.
On 10.09.2013 00:36, atar wrote:
> Lars wrote:
>> One possible explanation might be SMP:
>>
>> $ uname -a
>> Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2+deb7u2 i686 GNU/Linux
>>
>> Regards,
>> /Lars
>
> Sorry, but what do you mean by 'SMP'?
>
> Regards,
> atar.

Ken's message had this line:

NOTE: pid, sid and command matching are broken on SMP

SMP is symmetric multiprocessing[1] and the kernel I have is using it. You can see what kernel you are running with 'uname':

uname -a

Vincent's link suggests that --cmd-owner was removed from iptables entirely. It would be important to find a more authoritative source on that like the netfilter list or the kernel list. But for now, it is enough to know that your particular version does not have it. You'll have to find another way.

Regards,
/Lars

[1] http://en.wikipedia.org/wiki/Symmetric_multiprocessing

Archive: http://lists.debian.org/522e1b76.2030...@gmail.com
Re: block a program from access the Internet.
Lars Noodén wrote:
> Vincent's link suggests that --cmd-owner was removed from iptables entirely.

Actually it was removed from the kernel part of iptables, not from the iptables userland.

> It would be important to find a more authoritative source on that like the netfilter list or the kernel list.

Is the Linux 2.6.14 changelog authoritative enough?

commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig h...@lst.de
Date:   Sun Aug 14 17:33:59 2005 -0700

    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

    Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

Archive: http://lists.debian.org/522e5190.2010...@plouf.fr.eu.org