Application firewalling with netfilter
Today I've stumbled upon a post from my friend Feth, asking whether allowing only firefox to access the internet was possible on Linux... Of course it is! Here's one of the many ways:
# setup the firewall sudo iptables -F OUTPUT sudo iptables -P OUTPUT REJECT sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m cgroup --cgroup 1 -j ACCEPT sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m cgroup --cgroup 1 -j ACCEPT # create a cgroup named firefox sudo cgcreate -t $LOGNAME:users -a $LOGNAME:users -g net_cls:firefox # allocate an identifier to the cgroup echo 1 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid # run firefox cgexec -g net_cls:firefox iceweasel &
The following commands might be useful to debug what's going on:
$ls -ld /sys/fs/cgroup/net_cls/firefox/ drwx------ 2 nextgens users 0 Jul 23 18:03 /sys/fs/cgroup/net_cls/firefox/ $cat /sys/fs/cgroup/net_cls/firefox/cgroup.procs
Attentive readers will notice that the above doesn't work for at least two reasons:
- Distros don't ship a version of netfilter with cgroup support just yet
- A browser without DNS resolution is only marginally useful ;)
Tomorrow I might blog about how to recompile/repackage a recent-enough version of iptables; Or maybe a different way of doing the same thing involving SElinux and/or network namespaces; Or maybe rant on how useless application firewalls are (both as a security control and an anti-privacy leakage mitigation).
Feel free to let me know what you prefer in the comments.