Re: forbid internet access to an application?



"lucatrv" <lucatrv@xxxxxxx> writes:

That would of course be entirely trivial to evade. Just make a hard link to
the program with a different name.

It is like denying access to a building to anyone who says their name is John.
How long would that be effective?

I understand, but that would be the behaviour of a malign code. I'm not
talking of that, but only of preventing some normal application to access
the network. Since I use gentoo with kernel 2.6.20 SMP, from your answers I
have a confirmation that there's no way to do that with netfilter...
As for now, the only idea I have is if it is possible to define a selinux
policy with no access to the network, and then apply it to the application's
files. But it's only a supposition, since I actually haven't good knowledge
of selinux, and I guess it's not really easy to set it up with gentoo.

If you told us which program you wanted to restrict, then we could perhaps
give better advice.

Ok, so let's for instance consider ping.

That one is simple. Don't run it. Then it will not access the net.

I meant "What is the real problem you are trying to solve". Yours is a
hypothetical one. If you do not want ping to access the network and you are
not talking about rogue programs, then do not use ping. It is that simple.
But I suspect that is not the answer you want.
Now, you have a concern about some program you are running, presumably on
purpose, which can sometimes access the net, but you do not want it to.
How does it access the net? Is it a dns lookup, is it http, or what? Your
specification is not good enough and your idiotic example is just that.



Luca
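
The hard-link point made in the thread, as an added example that is not part of any poster's message: a rule keyed on the program name stops matching once the same file has a second name, while a check keyed on device and inode still matches. The file names and helper functions are constructed for the illustration.

```python
import os
import tempfile


def file_identity(path):
    """Return (device, inode), which is shared by every hard link to one file."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def blocked_by_name(path, denied_names):
    """Name-based rule: looks only at the last path component."""
    return os.path.basename(path) in denied_names


def blocked_by_identity(path, denied_ids):
    """Identity-based rule: looks at the underlying file, whatever it is called."""
    return file_identity(path) in denied_ids


def demo():
    """Evaluate both rules against a constructed program, a hard link and a copy."""
    with tempfile.TemporaryDirectory() as d:
        paths = {
            "original": os.path.join(d, "netapp"),   # constructed sample name
            "hardlink": os.path.join(d, "renamed"),  # same inode, new name
            "copy": os.path.join(d, "copied"),       # same bytes, new inode
        }
        with open(paths["original"], "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.link(paths["original"], paths["hardlink"])
        with open(paths["original"], "rb") as src, open(paths["copy"], "wb") as dst:
            dst.write(src.read())

        denied_names = {"netapp"}
        denied_ids = {file_identity(paths["original"])}
        # Each value is (matched by name rule, matched by identity rule).
        return {
            label: (blocked_by_name(p, denied_names),
                    blocked_by_identity(p, denied_ids))
            for label, p in paths.items()
        }


if __name__ == "__main__":
    for label, (by_name, by_id) in demo().items():
        print(f"{label:9s} name rule: {by_name!s:5s} identity rule: {by_id}")
```

The copy matches neither rule, so file identity alone is not a complete control either.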

