Jump to content

restrict outgoing traffic by ip/port with tomoyo


blublob

Recommended Posts

Hello all,

this will be long; two parts, but don't be afraid, I will make it easy for you.

Part One is backstory (you can skip this entirely), part two is current problem, and I will even include a TL;DR in the end.

--------Part One--------

Help me get away from big data?

I have been wanting to setup my desktop with linux for quite some time now, and have began working with it inside VirtualBox so I am sure I can get all the settings, and programs working that I will use, before I install it natively.

However when I came across this article Choosing a Linux Music Player I hit a massive roadbump.

I did catch some internet activity from Clementine. A few seconds after launching, the player connects to Magnatune and Google. If you dont use it, Magnatune can be disabled which will stop that connection. The Google call, however, persisted even when all the extras were disabled.

Clementine sent a GET request to a 1e100 server wanting my geolocation (by IP address) info. Google responded with the date and time, my city name, latitude & longditude and country. This happens every time Clementine starts and the developers said its used by the Songkick API to find concerts in my area for artists I was listening to.

So now my search began for something similar to Little Snitch for Linux.

The problem is that every forum post I manage to find, that even mention application based firewall for linux, are littered with besserwissers who speak about how linux need no such thing as it is not windows, and therefore is no target of malware and trojans and the likes. Others speak of how you should trust the programs in the offical repos, and need no option to block any outgoing traffic.

Basically every such topic derails massively without any real solutions given, other than 'if linux had a need for this, someone would have made it allready!'.

Now I will try my luck with you guys.

Is there currently a way for me to block unknown outgoing traffic as it first happens on an application level?

If it is retroactive it might be too late, as it might have gotten info to change contact server, and me blocking the ip it used last time is of no use.

Maybe block all traffic not approved, and log any that attempts, so I can give it access before next time it tries.

(Keep in mind that some programs might have tcp traffic on port 80 that I want, but traffic on port 443 and 80 to a different ip that I have no interest in granting them.

Others might use p2p, like skype, so they will not have static ip's they contact.)

--------Part Two--------

It took some more searching, but I found out that a LSM could do this for me.

So I turned on TOMOYO.

After reading these two pages I was able to turn it from blacklist to whitelist, and block network on a per application basis.

https://forum.manjaro.org/index.php?topic=6408.0

http://tomoyo.sourceforge.jp/2.5/chapter-9.html.en

Now my problem is how to whitelist, or blacklist a given ip over a given port for a certain program.

In this page it lists:

Restrict remote IP addresses and port numbers for outgoing connections? Y

Restrict remote IP addresses and port numbers for outgoing packets? Y

Restrict local IP addresses and port numbers? Y

Restrict remote UNIX addresses for outgoing connections? Y

Restrict remote UNIX addresses for outgoing packets? Y

Restrict local UNIX addresses? Y

That means it should be possible, right?

As an example,

how and where would I edit to allow firefox access to the web, except 23.32.84.110 tcp port 80 ?

And how would I do it if I wanted firefox to only be able to access 23.32.84.110 tcp port 80 ?

--------TL;DR--------

Using TOMOYO Linux

I would like to know where and how I need to edit something to block a program from doing outgoing calls to a given ip over a given port and protocol.

Link to comment
Share on other sites

Wow. I didn't know LSMs could do that. I typically just have a local DNS return localhost for hosts I don't like (Google Analytics, I'm looking at YOU!)

What puzzles me is why you apparently want to restrict this on a per-application basis instead. But that's not the point.

This is also the first time I've seen mention of a "remote UNIX address" which means absolutely nothing to me. If people can give me a definition, I'd be very pleased. My Google-fu isn't helping me here.

Now, going over the tomoyo documentation, chapter 4 seems particularly relevant to the question you're asking. I suspect you should start the policy editor, run Firefox and go to the IP/port combo. Find the 'firefox domain' in there, locate this action and disallow it there. Perhaps you can access some other website instead, change the access attempt such that it shows the IP you actually want to block, then set it to block, save and be done with it.

Link to comment
Share on other sites

  • 2 weeks later...

I have not had time to look into this much since last time, but I have now tried some more.

These two sites did provide some information:

http://netfilter-devel.vger.kernel.narkive.com/mzw6VT2E/patch-net-2-6-25-add-packet-filtering-based-on-process-ssecurity-context

http://tomoyo.sourceforge.jp/1.7/tutorial-7.html.en

But they do seem to talk about a different version.

However I was able to stop access to an ip.

In Domain Policy Editor I can go into

/usr/bin/x-www-browser

and add

network inet stream connect 23.32.84.110 80

Now I can access that site over port 80 with iceweasel, but if I remove it, I can no longer access it.

The webpages speak about

allow_network TCP accept/bind/listen <ip> <port number>

This is however for 1.7, and I am on 2.5 I believe since my kernel is 3.2.0.4.

The problem is that I would also like the option to block certain ip/ports, not just allow them.

Link to comment
Share on other sites

Did some reading and the guy behind TOMOYO moved on to CaitSith in part to specifically solve the issue of "I want to blacklist something, not whitelist" which apparently is something TOMOYO is really poor at (=effectively incapable of).

http://caitsith.sourceforge.jp/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...