• firewall that regulates programs?

    From Todd@110:110/2002 to All on Wed Oct 8 21:12:46 2014
    Hi All,

    Just out of curiosity, is there a way to get iptables or
    equivalent to control what programs get to outbound
    access the Internet?

    Many thanks,
    -T

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Chris Davies@110:110/2002 to All on Thu Oct 9 10:05:15 2014
    Reply-To: chris@roaima.co.uk

    Todd <Todd@invalid.invalid> wrote:
    > Just out of curiosity, is there a way to get iptables or
    > equivalent to control what programs get to outbound
    > access the Internet?

    No, but you can control what ports (services), and sometimes protocols,
    can be accessed. So if you wanted to block SMTP to tcp/25 that could be
    done. But you cannot block exim, for example, but permit postfix.

    Chris

    * Origin: Roaima. Harrogate, North Yorkshire, UK (110:110/2002@linuxnet)
  • From Joe Beanfish@110:110/2002 to All on Thu Oct 9 13:28:24 2014
    On Wed, 08 Oct 2014 14:12:46 -0700, Todd wrote:
    > Hi All,
    >
    > Just out of curiosity, is there a way to get iptables or equivalent to
    > control what programs get to outbound access the Internet?
    >
    > Many thanks,
    > -T

    Perhaps you want selinux to control down to the program level.

    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Todd@110:110/2002 to All on Thu Oct 9 19:57:38 2014
    On 10/09/2014 06:28 AM, Joe Beanfish wrote:
    > On Wed, 08 Oct 2014 14:12:46 -0700, Todd wrote:
    >> Hi All,
    >>
    >> Just out of curiosity, is there a way to get iptables or equivalent to
    >> control what programs get to outbound access the Internet?
    >>
    >> Many thanks,
    >> -T
    >
    > Perhaps you want selinux to control down to the program level.

    Can't tell if you are cracking a joke or are serious.

    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From William Unruh@110:110/2002 to All on Fri Oct 10 15:45:21 2014
    On 2014-10-09, Todd <Todd@invalid.invalid> wrote:
    > On 10/09/2014 06:28 AM, Joe Beanfish wrote:
    >> On Wed, 08 Oct 2014 14:12:46 -0700, Todd wrote:
    >>> Hi All,
    >>>
    >>> Just out of curiosity, is there a way to get iptables or equivalent to
    >>> control what programs get to outbound access the Internet?

    No. However, you can control outbound port access.
    But the system has no idea what program initiated the network request.

    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Denis Corbin@110:110/2002 to All on Sat Oct 11 20:08:48 2014
    On 10/10/2014 17:45, William Unruh wrote:
    > On 2014-10-09, Todd <Todd@invalid.invalid> wrote:
    >> On 10/09/2014 06:28 AM, Joe Beanfish wrote:
    >>> On Wed, 08 Oct 2014 14:12:46 -0700, Todd wrote:
    >>>> Hi All,
    >>>>
    >>>> Just out of curiosity, is there a way to get iptables or equivalent to
    >>>> control what programs get to outbound access the Internet?
    >
    > No. However, you can control outbound port access.
    > But the system has no idea what program initiated the network request.

    No, you may have what you need without SELinux complexity:

    Run your programs, daemons like the squid proxy and user programs like the
    ssh client, under appropriate user and/or group ownership (using the sg
    and/or su command, or making use of sudo at your convenience; shell
    aliases and scripts may also help to avoid changing the way users have
    to "play"). Then have a table for each user or group you want to allow
    Internet outbound access:

    iptables -N outernet
    iptables -F outernet
    # first, targets for users (more specific than groups)
    iptables -A outernet --match owner --uid-owner clamav -j out_clam
    iptables -A outernet --match owner --uid-owner squid -j out_squid
    [...]
    # second, targets for groups
    iptables -A outernet --match owner --gid-owner ssh -j out_ssh
    [...]
    # last, the catch-all targets to log (rate-limited, with the uid) and drop
    iptables -A outernet --match limit --limit 1/hour --limit-burst 10 \
        -j LOG --log-prefix "Trojan activity? " --log-level 3 --log-uid
    iptables -A outernet -j DROP

    I will not expose what out_clam, out_ssh and the other tables contain,
    but whatever, you can then add this 'outernet' table to your interface(s)
    toward the Internet:

    # -o selects the outgoing interface; -i is not accepted in the OUTPUT chain
    iptables -I OUTPUT -o eth0 -j outernet

    It has worked pretty well here for some years now. :)

    Cheers,
    Denis.

    * Origin: http://dar.linux.free.fr/ (110:110/2002@linuxnet)
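The owner-match approach from the post above, written out in full as an added example (it is not Denis's code or anything else from the thread): a complete iptables-restore ruleset with the out_* sub-chains filled in, so the whole policy loads atomically. The interface name eth0, the accounts clamav and squid, the group "ssh" and the ports each sub-chain permits are assumptions for illustration and are marked as such in the comments. Two details are worth noticing: the hook rule uses -o, because the OUTPUT chain has no input interface, and an ESTABLISHED,RELATED rule sits before the owner checks, since packets with no owning socket (a RST the kernel sends after the process has exited, for instance) would otherwise be logged as "Trojan activity" and dropped. As Chris and William said, the match is on uid/gid, not on the executable, so this only approximates per-program control when each program gets its own account.

```shell
#!/bin/sh
# Added example, not from the thread: the per-uid/per-gid egress policy that
# Denis describes, as a complete iptables-restore ruleset including the out_*
# sub-chains he left unspecified. Assumptions: the Internet-facing interface
# is eth0, the accounts clamav and squid and the group "ssh" exist, and the
# ports allowed below are what those programs need.

WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface

# gen_rules prints the filter table in iptables-restore syntax.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:outernet - [0:0]
:out_clam - [0:0]
:out_squid - [0:0]
:out_ssh - [0:0]
# Only traffic leaving through the Internet interface goes through the policy.
# In the OUTPUT chain the interface selector is -o; -i is rejected there.
-A OUTPUT -o $WAN_IF -j outernet
# Some packets of an accepted connection have no owning socket (e.g. a RST the
# kernel sends after the process is gone), so pass established traffic before
# the owner checks instead of logging it as "Trojan activity".
-A outernet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# uid rules first (more specific), then gid rules
-A outernet -m owner --uid-owner clamav -j out_clam
-A outernet -m owner --uid-owner squid -j out_squid
-A outernet -m owner --gid-owner ssh -j out_ssh
# Catch-all: rate-limited log that records the uid, then drop.
-A outernet -m limit --limit 1/hour --limit-burst 10 -j LOG --log-prefix "Trojan activity? " --log-level 3 --log-uid
-A outernet -j DROP
# clamav (freshclam): DNS plus HTTP/HTTPS for signature updates (assumed)
-A out_clam -p udp --dport 53 -j ACCEPT
-A out_clam -p tcp -m multiport --dports 80,443 -j ACCEPT
-A out_clam -j DROP
# squid: DNS plus the web ports it fetches from (assumed)
-A out_squid -p udp --dport 53 -j ACCEPT
-A out_squid -p tcp -m multiport --dports 80,443 -j ACCEPT
-A out_squid -j DROP
# group ssh: DNS plus ssh (assumed)
-A out_ssh -p udp --dport 53 -j ACCEPT
-A out_ssh -p tcp --dport 22 -j ACCEPT
-A out_ssh -j DROP
COMMIT
EOF
}

# apply_rules loads the ruleset atomically. It replaces the whole filter
# table, so merge in any existing INPUT/FORWARD rules before using it.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  gen_rules | iptables-restore
}
```

Load it with apply_rules as root. To confirm the policy bites, run `sudo -u nobody nc -w 3 -z 203.0.113.10 80` (an address from the TEST-NET-3 range, so nothing real is contacted), then look at `iptables -L outernet -v -n` for the counters on the DROP rule and at the kernel log for a "Trojan activity?" line carrying nobody's uid. A program that needs to run under an existing account without Internet access gets its own account and its own out_* chain; that is the whole trick.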
  • From Todd@110:110/2002 to All on Sat Oct 11 23:56:48 2014
    On 10/11/2014 01:08 PM, Denis Corbin wrote:
    > On 10/10/2014 17:45, William Unruh wrote:
    >> On 2014-10-09, Todd <Todd@invalid.invalid> wrote:
    >>> On 10/09/2014 06:28 AM, Joe Beanfish wrote:
    >>>> On Wed, 08 Oct 2014 14:12:46 -0700, Todd wrote:
    >>>>> Hi All,
    >>>>>
    >>>>> Just out of curiosity, is there a way to get iptables or equivalent to
    >>>>> control what programs get to outbound access the Internet?
    >>
    >> No. However, you can control outbound port access.
    >> But the system has no idea what program initiated the network request.
    >
    > No, you may have what you need without SELinux complexity:
    >
    > Run your programs, daemons like the squid proxy and user programs like the
    > ssh client, under appropriate user and/or group ownership (using the sg
    > and/or su command, or making use of sudo at your convenience; shell
    > aliases and scripts may also help to avoid changing the way users have
    > to "play"). Then have a table for each user or group you want to allow
    > Internet outbound access:
    >
    > iptables -N outernet
    > iptables -F outernet
    > # first, targets for users (more specific than groups)
    > iptables -A outernet --match owner --uid-owner clamav -j out_clam
    > iptables -A outernet --match owner --uid-owner squid -j out_squid
    > [...]
    > # second, targets for groups
    > iptables -A outernet --match owner --gid-owner ssh -j out_ssh
    > [...]
    > # last, the catch-all targets to log (rate-limited, with the uid) and drop
    > iptables -A outernet --match limit --limit 1/hour --limit-burst 10 \
    >     -j LOG --log-prefix "Trojan activity? " --log-level 3 --log-uid
    > iptables -A outernet -j DROP
    >
    > I will not expose what out_clam, out_ssh and the other tables contain,
    > but whatever, you can then add this 'outernet' table to your interface(s)
    > toward the Internet:
    >
    > # -o selects the outgoing interface; -i is not accepted in the OUTPUT chain
    > iptables -I OUTPUT -o eth0 -j outernet
    >
    > It has worked pretty well here for some years now. :)
    >
    > Cheers,
    > Denis.

    Thank you!

    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From buck@110:110/2002 to All on Sun Oct 12 17:53:29 2014
    Todd <Todd@invalid.invalid> wrote in news:m149cd$8pg$1@dont-email.me:

    > Hi All,
    >
    > Just out of curiosity, is there a way to get iptables or
    > equivalent to control what programs get to outbound
    > access the Internet?
    >
    > Many thanks,
    > -T

    I'm surprised that nobody has mentioned tcpd. To a limited extent,
    you can specify what programs are allowed using it.

    Here is my hosts.deny:
    # hosts.deny  This file describes the names of the hosts which are
    #             *not* allowed to use the local INET services, as decided
    #             by the '/usr/sbin/tcpd' server.
    #
    # Version:    @(#)/etc/hosts.deny  1.00  05/28/93
    # Author:     Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
    # Format is <service list>: <host list>[: command]
    ALL: PARANOID: spawn (echo -n "Denying %d to %h at " ; date) >> /var/log/syslog
    ALL: ALL: spawn (echo -n "Denying %d to %h at " ; date) >> /var/log/syslog
    # End of hosts.deny.

    Here is a snip from my hosts.allow:
    # hosts.allow  This file describes the names of the hosts which are
    #              allowed to use the local INET services, as decided by
    #              the '/usr/sbin/tcpd' server.
    # Version:     @(#)/etc/hosts.allow  1.00  05/28/93
    # Author:      Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
    # See NET3-4-HOWTO and `man 5 hosts_access'
    # Format is <service list>: <host list>[: <command>]
    # Eg `wu.ftpd,www: LOCAL' allows both ftp and www
    # Services NOT in inetd.conf are not controlled! www (above) is an example.
    # <service list> is the executable name and is a comma-delimited list
    # Example: telnet line below is not valid; in.telnetd is
    # <host list> may also be a comma-delimited list
    # "spawn"s below tend to be taken as parameters to the executable :{

    ALL: 192.168.2.127: spawn (echo -n "Allow %d from %c at " ; date) > /dev/tty11
    in.tftpd: 192.168.2.0/255.255.255.0
    --
    buck

    * Origin: Say What? (110:110/2002@linuxnet)
  • From Richard Kettlewell@110:110/2002 to All on Sun Oct 12 18:33:04 2014
    buck <buck@private.mil> writes:
    > Todd <Todd@invalid.invalid> wrote in news:m149cd$8pg$1@dont-email.me:
    >
    >> Just out of curiosity, is there a way to get iptables or equivalent
    >> to control what programs get to outbound access the Internet?
                                       ^^^^^^^^
    >
    > I'm surprised that nobody has mentioned tcpd. To a limited extent,
    > you can specify what programs are allowed using it.

    How many programs use tcpd to control outbound connections?

    --
    http://www.greenend.org.uk/rjk/

    * Origin: Anjou (110:110/2002@linuxnet)
  • From Chris Cox@110:110/2002 to All on Sun Oct 12 20:00:09 2014
    On 10/08/2014 04:12 PM, Todd wrote:
    > Hi All,
    >
    > Just out of curiosity, is there a way to get iptables or
    > equivalent to control what programs get to outbound
    > access the Internet?
    >
    > Many thanks,
    > -T

    You should be able to do this sort of thing to some extent using apparmor. Especially if you're an openSUSE fan.


    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)
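As an added example (not from Chris Cox, nor an openSUSE or AppArmor project file), here is what an AppArmor answer to the original question looks like for one program, with the profile generated and installed from the shell. The binary /usr/local/bin/report-tool and the paths it touches are hypothetical. `deny network,` refuses every socket family, so the program cannot reach the Internet no matter which uid runs it, which is exactly the per-program control iptables alone cannot give. The "tcp" variant shows the granularity of AppArmor's classic network rules: address family and protocol, not destination port or address, so port filtering still belongs to iptables.

```shell
#!/bin/sh
# Added example, not from the thread: an AppArmor profile that confines one
# program (the hypothetical /usr/local/bin/report-tool, reading
# /etc/report-tool and writing under /var/lib/report-tool). apparmor_profile
# prints the profile with networking denied outright ("none") or limited to
# TCP ("tcp"); install_profile writes and loads it in enforce mode.

PROG="${PROG:-/usr/local/bin/report-tool}"   # hypothetical confined binary

apparmor_profile() {
  mode="${1:-none}"
  case "$mode" in
    none) net_rules='  # No socket family is permitted: socket creation is refused.
  deny network,' ;;
    tcp)  net_rules='  # TCP over IPv4/IPv6 plus DNS via the nameservice abstraction.
  # These rules select family and protocol, not destination ports, so
  # pair them with iptables owner matching when ports matter too.
  #include <abstractions/nameservice>
  network inet tcp,
  network inet6 tcp,' ;;
    *) echo "apparmor_profile: mode must be none or tcp" >&2; return 1 ;;
  esac
  cat <<EOF
#include <tunables/global>

$PROG {
  #include <abstractions/base>

  $PROG mr,
  /etc/report-tool/** r,
  owner /var/lib/report-tool/** rw,

$net_rules
}
EOF
}

# install_profile writes the profile under /etc/apparmor.d (named after the
# binary path, as the distributions do) and loads it; needs root and the
# apparmor-parser package. Replace "-r" with "-C" to load in complain mode
# first and read the resulting DENIED lines from the kernel log.
install_profile() {
  mode="${1:-none}"
  name="$(printf '%s' "$PROG" | sed 's|^/||; s|/|.|g')"   # usr.local.bin.report-tool
  apparmor_profile "$mode" > "/etc/apparmor.d/$name" || return 1
  apparmor_parser -r "/etc/apparmor.d/$name"
}
```

Run `install_profile none` as root, then start the program normally: its connect() calls fail and the kernel log shows an `apparmor="DENIED" operation="create"` entry for the socket, which is also the line to grep for when a profile is too tight. Unlike the uid approach, nothing about how or by whom the program is launched changes.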