
By alternative I don't mean the program needs to be a GUI. Any method that lets a program log when something calls listen() and only allows selected programs to listen on the interface:port will work. I've seen OpenSnitch but it works with outbound connections only.

If such a program doesn't exist, can anyone point to how to create one? Like using nftables rules. What I'm not looking for is to run a program in a separate net namespace etc. The solution should work for all userland programs in general.

  • Does this answer your question? Block network access of a process? Commented Sep 5, 2021 at 11:51
  • No. 1. "What I'm not looking for is to run a program in a separate net namespace etc.". 2. I'm interested in allowing a program to listen on some interface. Not interested in outbound traffic. Commented Sep 5, 2021 at 12:43
  • Well, but what you describe reads a lot like a network namespace! In Linux, networking isn't "bound" to a process per se; the method of having the network behave differently for different userland software is network namespaces, as far as I can tell. The problem with all Linux nftables/netfilter-based approaches is that packets don't have a property "comes from process XYZ" or "goes to process XYZ" internally. Commented Sep 5, 2021 at 14:14
  • All I asked is: program x binds and calls listen on port y. The OS (or something else) checks a whitelist and allows it. If the program no longer listens on the port, the port is closed. If an unauthorized program tries to listen on that port it fails silently, i.e. that program sees no packets coming. This is what an application firewall does. Without resorting to Mach ports. Commented Sep 5, 2021 at 14:29
  • I know what an application firewall is. Linux doesn't think in applications. Commented Sep 5, 2021 at 14:40
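The comments above make the key point: netfilter/nftables sees packets, not processes, so a packet-filter rule cannot express "only program x may listen on port y". What userland can do without a kernel module is the logging half of the request: enumerate sockets in LISTEN state from /proc/net/tcp, map each socket inode back to its owning process through /proc/<pid>/fd, and compare the result against an allowlist. The following is an added example written for this answer, not code from the asker or from any of the tools named on the page (OpenSnitch, douane, firejail); the allowlist format, the function names and the embedded sample of /proc/net/tcp are all constructed for illustration.

```python
"""Inventory listening TCP sockets from /proc/net/tcp and flag any whose
owning process is not on an allowlist.  Detection only: a userland script
cannot veto listen(), so it reports unauthorised listeners rather than
blocking them.  IPv4 only; /proc/net/tcp6 uses the same layout with a
32-hex-digit address and could be handled the same way."""
import os
import re

# Constructed sample in the exact /proc/net/tcp layout: sshd on 0.0.0.0:22,
# an unprivileged process on 127.0.0.1:8080, and one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:ACF0 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_addr(hexaddr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).  The IPv4 address is stored
    as little-endian hex, so the octets are read from the end backwards."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid, inode)] for every socket in LISTEN state."""
    out = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        ip, port = parse_addr(f[1])
        out.append((ip, port, int(f[7]), int(f[9])))
    return out


def socket_inode_owners():
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd symlinks.
    Linux only; reading other users' fd tables needs root for a full view."""
    owners = {}
    sock_re = re.compile(r"socket:\[(\d+)\]")
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited or not readable by us
        for fd in fds:
            try:
                m = sock_re.match(os.readlink(f"/proc/{pid}/fd/{fd}"))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = (int(pid), comm)
    return owners


def audit(sockets, owners, allowlist):
    """allowlist maps (ip, port) -> set of permitted process names; the
    key ("*", port) matches a listener on that port on any address.
    Returns one finding string per listener whose process is not allowed."""
    findings = []
    for ip, port, uid, inode in sockets:
        pid, comm = owners.get(inode, (None, "<unknown>"))
        permitted = allowlist.get((ip, port), allowlist.get(("*", port), set()))
        if comm not in permitted:
            findings.append(
                f"UNAUTHORIZED listener {ip}:{port} uid={uid} pid={pid} comm={comm}")
    return findings


if __name__ == "__main__":
    # Live run against this host; the allowlist below is a constructed example.
    with open("/proc/net/tcp") as fh:
        socks = listening_sockets(fh.read())
    for finding in audit(socks, socket_inode_owners(), {("*", 22): {"sshd"}}):
        print(finding)
```

Run it from cron or a systemd timer and ship the findings to syslog to get the "logs when something calls listen()" behaviour; note that a socket that is bound and closed again between two runs is missed, which is exactly the gap that a kernel-side hook (audit rules on the listen syscall, or an LSM/eBPF program) closes and that a packet filter cannot.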

1 Answer

  • This is interesting! It looks to me like they took a few surprising design choices on the kernel side; I'll be honest: the fact that this seems to have a usable UI is fantastic! Doesn't mean I trust the underpinnings for productive usage (seems it only hooks the outgoing filter chain), but it's pretty cool overall. Commented Sep 5, 2021 at 11:59
  • Note that the fact I find the design choices interesting might be caused by the fact that the invention of douane basically coincided with people inventing Linux network namespaces, which honestly are a simple and very effective method to achieve the same, but without the need for a third-party kernel module; however, that doesn't give you a nice UI that a normal user could realistically make use of. Commented Sep 5, 2021 at 12:02
  • Does this app work for listen()? Or only outbound traffic? Commented Sep 5, 2021 at 12:44
  • Check firejail please. Commented Sep 5, 2021 at 14:48
  • Added OpenSnitch. Must be working and compatible with modern Linux distros. Commented Sep 5, 2021 at 16:17
