Florent Daignière's blog

Posted 23 Jul, 2015

Application firewalling with netfilter

Today I stumbled upon a post from my friend Feth asking whether it is possible, on Linux, to allow only Firefox to access the internet... Of course it is! Here's one of the many ways:

# setup the firewall
sudo iptables -F OUTPUT
sudo iptables -P OUTPUT REJECT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m cgroup --cgroup 1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m cgroup --cgroup 1 -j ACCEPT

# create a cgroup named firefox
sudo cgcreate -t $LOGNAME:users -a $LOGNAME:users -g net_cls:firefox
# allocate an identifier to the cgroup (no sudo needed: cgcreate above made the cgroup ours)
echo 1 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid

# run firefox
cgexec -g net_cls:firefox iceweasel &

The following commands might be useful to debug what's going on:

$ ls -ld /sys/fs/cgroup/net_cls/firefox/
drwx------ 2 nextgens users 0 Jul 23 18:03 /sys/fs/cgroup/net_cls/firefox/
$ cat /sys/fs/cgroup/net_cls/firefox/cgroup.procs

Attentive readers will notice that the above doesn't work for at least two reasons:
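
A corrected version of the recipe, as an added example that is not code from the original post: the chain policy becomes DROP (iptables only accepts ACCEPT or DROP as a built-in chain policy, so -P OUTPUT REJECT is refused) with an explicit REJECT rule at the end of the chain, DNS is allowed from the cgroup since a browser has to resolve names before it can open port 80 or 443, and DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed first. It assumes the same tooling as the post (libcgroup's cgcreate/cgexec, the net_cls v1 hierarchy under /sys/fs/cgroup/net_cls, an iptables build that has the cgroup match); CLASSID, CGROUP, BROWSER, DRY_RUN and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes libcgroup's
# cgcreate/cgexec, the net_cls cgroup v1 hierarchy mounted at
# /sys/fs/cgroup/net_cls, and an iptables build with the xt_cgroup
# match (iptables >= 1.4.21, kernel >= 3.14). Variable names are mine.
# Usage: DRY_RUN=1 sh app-firewall.sh apply (review), then sh app-firewall.sh apply
CLASSID="${CLASSID:-1}"          # value written to net_cls.classid
CGROUP="${CGROUP:-firefox}"      # cgroup name under net_cls
BROWSER="${BROWSER:-iceweasel}"
DRY_RUN="${DRY_RUN:-0}"          # 1 = print commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Built-in chain policies can only be ACCEPT or DROP, so "-P OUTPUT REJECT"
# is refused by iptables. Use DROP as the policy and end the chain with an
# explicit REJECT rule so blocked apps get a prompt "connection refused".
firewall_rules() {
  run sudo iptables -F OUTPUT
  run sudo iptables -P OUTPUT DROP
  run sudo iptables -A OUTPUT -o lo -j ACCEPT
  run sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # A browser also has to resolve names: allow DNS from the cgroup too.
  run sudo iptables -A OUTPUT -p udp --dport 53 -m cgroup --cgroup "$CLASSID" -j ACCEPT
  run sudo iptables -A OUTPUT -p tcp --dport 53 --syn -m cgroup --cgroup "$CLASSID" -j ACCEPT
  for port in 80 443; do
    run sudo iptables -A OUTPUT -p tcp --dport "$port" --syn -m cgroup --cgroup "$CLASSID" -j ACCEPT
  done
  run sudo iptables -A OUTPUT -j REJECT
}

# Create the cgroup owned by the invoking user and tag it with CLASSID;
# the write needs no sudo because cgcreate made the directory ours.
cgroup_setup() {
  run sudo cgcreate -t "$LOGNAME:users" -a "$LOGNAME:users" -g "net_cls:$CGROUP"
  run sh -c "echo $CLASSID > /sys/fs/cgroup/net_cls/$CGROUP/net_cls.classid"
}

# Launch the browser inside the cgroup. Start it fresh: if an unconfined
# Firefox is already running, a new invocation just hands the URL to it.
launch_browser() { run cgexec -g "net_cls:$CGROUP" "$BROWSER"; }

# Quick check that this iptables binary knows the cgroup match at all.
has_cgroup_match() { sudo iptables -m cgroup --help >/dev/null 2>&1; }

if [ "${1:-}" = apply ]; then
  has_cgroup_match || { echo "this iptables lacks -m cgroup" >&2; exit 1; }
  firewall_rules && cgroup_setup && launch_browser
fi
```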

Tomorrow I might blog about how to recompile/repackage a recent-enough version of iptables; or maybe about a different way of doing the same thing involving SELinux and/or network namespaces; or maybe rant about how useless application firewalls are (both as a security control and as an anti-privacy-leakage mitigation).

Feel free to let me know what you prefer in the comments.

Category: Blog
Tags: sysadmin blog
