WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: limiting programs lan / internet access  (Read 3645 times)

Offline TinyFun

  • Newbie
  • *
  • Posts: 33
limiting programs lan / internet access
« on: January 18, 2014, 07:51:38 AM »
Hi all,

I use some free but proprietary software like FoxitReader for which there is no source code. After starting wifiguard (used deb2tcz script), it started telling me that an update was available, which means it phones home. I like the prog, but don't see the need for the makers to get a message every time I use it. Thought about analyzing packets w wireshark and blocking in iptables. But that means time consuming log reading.

Googling, found this post: http://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux. Liked the idea and have adapted it to Tinycore

Result is 2 scripts (attached).

make_onlybox:
makes new user and group onlybox, uses iptables to block all LAN/WLAN access to the group (therefore also user) onlybox and creates script onlybox. Script onlybox uses "su" to execute commands as restricted user.

USAGE:
-run as root
-start programs with command like "onlybox firefox" (w.o. quotes) from terminal
program started this way will have no connections at all

make_onlylan
makes new user and group onlylan, uses iptables to block all WLAN access to the group (therefore also user) onlylan, but allows access to LAN and creates script onlylan. Script onlylan uses "su" to execute commands as restricted user.

USAGE:
-IMPORTANT: adapt the adress range in line 33 to match your local network
-run as root
-start programs with command like "onlylan firefox" (w.o. quotes) from terminal
program started this way will have access to LAN, but not internet

RESTRICTIONS:
1. You need to have iptables installed
2. The scripts work fine (at least on my box) for programs that are loaded onboot or loaded through "apps->install locally. It fails for progs that are ondemand.

Scripts are commented heavily, hope all is clear.
If you like (one of) them, you can put them in /opt/bootlocal.sh BELOW basic-firewall
« Last Edit: January 18, 2014, 07:54:41 AM by TinyFun »

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: limiting programs lan / internet access
« Reply #1 on: January 20, 2014, 01:17:52 AM »
I use some free but proprietary software like FoxitReader for which there is no source code. After starting wifiguard (used deb2tcz script), it started telling me that an update was available, which means it phones home. I like the prog, but don't see the need for the makers to get a message every time I use it.

Not only have I never seen any such with FoxitReader, but neither would the menu item "Check for Updates (Click to open the update page in web browser)" do anything at all, which is easily explained with the fact that there is no mechanism to determine a specific (default) browser on my system.

Do you happen to have xdg-utils or anything else providing for determination of a default browser installed?

Seeing the purpose of your scripts, I don't think that they could prevent any app from accessing the net through IPC, e.g. simply piping data through basic net utilities like nc, wget et al.
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline TinyFun

  • Newbie
  • *
  • Posts: 33
Re: limiting programs lan / internet access
« Reply #2 on: January 20, 2014, 10:01:59 AM »
@Tinypoodle,

Sorry if my first post was not clear. It was the program wifiguard that "phoned home", not FoxitReader.  Wifiguard is supposed to check wifi network for all connected devices. It did that, but also popped up a window about update and opened up a new tab in firefox that showed the homepage of the company.

xdg-utils are not on my system. I did tell firefox to make itself the default browser on first use (as it is my only browser).

IPC is (another) new term to this newbie, but a quick look at http://www.tldp.org/LDP/tlk/ipc/ipc.html
gives :
Quote
Not every process in the system can send signals to every other process, the kernel can and super users can. Normal processes can only send signals to processes with the same uid and gid or to processes in the same process group1.

Did try this:
As user tc, started a terminal and issued "wget ftp://distro.ibiblio.org/tinycorelinux/5.x/x86/Xsetup.sh"
result: downloads the requested file

as user tc, opened terminal, ran script make_onlybox,  issued "onlybox aterm". This gave me a new window terminal as user onlybox. In this window, issued "wget ftp://distro.ibiblio.org/tinycorelinux/5.x/x86/Xsetup.sh".
result: wget: bad adress 'distro.ibiblio.org'

Am I missing something, or is the script blocking wget as it is supposed to do ?

The scripts block, based on the gid of users "onlybox" or "onlylan". Any child processes would run with the same gid and are therefore blocked as well. Is this not correct ?

Edit:
Btw, the user onlybox created by the script is not an sudoer.
The user onlybox CAN use "su tc" to change the user. However, don't think that is programmed into apps. Could be prevented by setting password ? Will check.

Please be critical, please do comment. If I make stupid mistakes, it helps me learn.

Edit2:
Few hours later. reading back I regret the "I do not know what the hell you are talking about but I will defend my (adopted) baby" tone. The script is not a fortress, but a simple picket fence.

Could you show me how the process of
Quote
simply piping data through basic net utilities like nc, wget et al.
works ?

Edit3:
Hope it is clear that there was no intention to discredit Foxitreader !! On the contrary, it is my favourite pdf-viewer.

And as for softperfect: they give away their software fo free so I should not complain.  And telling me about an update is nice...in a way.
« Last Edit: January 20, 2014, 02:23:16 PM by TinyFun »

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: limiting programs lan / internet access
« Reply #3 on: January 20, 2014, 11:09:44 PM »
Sorry if my first post was not clear. It was the program wifiguard that "phoned home", not FoxitReader.  Wifiguard is supposed to check wifi network for all connected devices.

I've never heard about an app named "wifiguard", but your description of characteristics matches with what I know about FoxitReader which you mentioned, so I assumed that was what you referred to.

After your further clarification I still wonder though how FoxitReader is involved/related in/to subject.

Quote
It did that, but also popped up a window about update and opened up a new tab in firefox that showed the homepage of the company.

xdg-utils are not on my system. I did tell firefox to make itself the default browser on first use (as it is my only browser).

Hmm, really curious how that would work, as Core AFAIK has no inherent mechanism to specify a system-wide default browser.
Never having used firefox myself under Core, I wonder if I am missing something - though I had more or less briefly tried out various other $NETSCAPE browsers with a claim of a lighter footprint as found in repo, and for a while I had seamonkey installed.

Quote
IPC is (another) new term to this newbie, but a quick look at http://www.tldp.org/LDP/tlk/ipc/ipc.html
gives :
Quote
Not every process in the system can send signals to every other process, the kernel can and super users can. Normal processes can only send signals to processes with the same uid and gid or to processes in the same process group1.

Did try this:
As user tc, started a terminal and issued "wget ftp://distro.ibiblio.org/tinycorelinux/5.x/x86/Xsetup.sh"
result: downloads the requested file

as user tc, opened terminal, ran script make_onlybox,  issued "onlybox aterm". This gave me a new window terminal as user onlybox. In this window, issued "wget ftp://distro.ibiblio.org/tinycorelinux/5.x/x86/Xsetup.sh".
result: wget: bad adress 'distro.ibiblio.org'

Am I missing something, or is the script blocking wget as it is supposed to do ?

The scripts block, based on the gid of users "onlybox" or "onlylan". Any child processes would run with the same gid and are therefore blocked as well. Is this not correct ?

Seems like it was rather me missing that specific aspect of IPC, as I had never a reason to look into such a case. Reading this, I guess it makes all sense.
Apologies for ringing an alarm bell in vain.

Quote
Please be critical, please do comment. If I make stupid mistakes, it helps me learn.

Well, if you want my opinion:
1. I would rather check for connected clients on a router or AP level than on a connected client, every router I have seen would provide such info.
2. I would rather use free software for such a task (e.g. kismet or airodump-ng come to mind), than proprietary software where you couldn't really know how exactly it would work and what it would do, and where you then have to set up such a complex workaround just to avoid its undesirable side effects.

Quote
Could you show me how the process of
Quote
simply piping data through basic net utilities like nc, wget et al.
works ?

e.g.:
Code: [Select]
echo QED|nc solusipse.net 9999
or if you happen to have bash installed:
Code: [Select]
bash -c 'cat </dev/tcp/time.nist.gov/13'
Quote
Edit3:
Hope it is clear that there was no intention to discredit Foxitreader !! On the contrary, it is my favourite pdf-viewer.

Well,  FoxitReader - about which I learned of in this very forum, is one of the very few apps I'd use despite being proprietary, considering it technically as "least of all evils" for the given purpose, so if you would - as I had wrongly understood - find some nagging features I would have been concerned.

Quote
And as for softperfect: they give away their software fo free so I should not complain.  And telling me about an update is nice...in a way.

IMHO in ideal case such should be configurable according to user preference.
« Last Edit: January 21, 2014, 12:50:48 AM by tinypoodle »
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline TinyFun

  • Newbie
  • *
  • Posts: 33
Re: limiting programs lan / internet access
« Reply #4 on: January 21, 2014, 04:13:53 AM »
Should not even have mentioned Foxit, it's only involved in that is is not FOSS, like wifiguard.

Don't know the mechanism involved, just what my eyes showed me. Use Firefox 26, updated as per:
http://www.m-opensolutions.com/?p=253.

Totally agree about checking on router. Have not used kismet or aerodump before, will check them out later.

However, this is background: am using TC to make a bootable USB-stick that my parents (father soon to be 80 years) can use for internet-banking. They use win7 and boy am I glad for Clonezilla and an external HD.
Booting from USB, checking wifi, then connecting to the bank is a hell of a lot safer than using their W7 which may? be reasonably OK after I cleaned it out, but probably is not safe two days later. Have done the same before with a stripped/remastered knoppix..
As their system is wifi connected to router, checking all devices on wifi are "known" is important. Wifiguard shows devices with a simple green or red dot so: "all green" means OK, do your banking.
Cannot ask them to interpret cli output.

Thanks for examples of IPC, it seems it is the "ordinary" piping etc. that is commonly used in linux. I thought maybe you could use them in a "smart" way that I didn't know about.

Edit:
Turns out there is a menu option to choose wheter or not to check for updates in wifiguard's menu.Short between my ears. Make things complicated when they are not.

Yes, MAC-spoofing is relatively easy. But compared to malware on W7?
« Last Edit: January 21, 2014, 12:52:58 PM by TinyFun »