Recently I was asked if Linux supports application-wise network filters. Despite the debatable sense behind such a function I was interested in the technical possibilities and current implementations. It turned out that there is no currently active project atm.
Application-wise network filtering is a controversial topic: in Windows such frameworks are quite common (ZoneAlarm, Norton Internet Security) and are the nightmare of every Help Desk. Additionally they are designed to interact with the user who most often has no idea – and they tend to spread fear among the users to show how “effective” they are while there is nothing to fear.
For Linux it was often mentioned that application-wise network filters are not needed since Linux cannot be infected as easily as Windows. However, I could imagine other tasks: think for example of computers you offer to your children or to customers, locked down with programs like KDE’s Kiosk. In such cases you would also like to make sure that no one can simply copy an executable and try to launch it to access the Internet somehow. And there the possibility of application-wise network filtering would come in handy.
User friendly solutions
While the scope and the technical details of all attempts vary, they all share that an additional kernel module is needed to get them running. Together with the module you also get a user space program which lets you control which application is allowed to access the Internet and which is not. So they all fulfil the mentioned needs.
However, all these projects seem to be dead more or less – no one of the mentioned programs had any update in the last 12 months, meaning that they are very like abandoned. It is unlikely that you can compile the over a year old modules on today’s kernels, making these programs useless.
But at least in theory there is also another way: I was told that a application-wise network filtering can also be achieved with SELinux. It does require a certain amount of own work (creating new policies and so on), but it is possible. Also there is work ongoing to make it easier to easily close down a system in this regard.
AppArmor, another well known security solution for Linux, can only block programs it was configured for before. Therefore any new application can do what it want. But yet again there are at least some thoughts that it would be nice to have only “trusted” applications to access the Internet.
The last program I found was LIDS – as SELinux it is also an implementation of a Mandatory access control and therefore should be able to lock down a computer appropriate.
But while there is a LIDS patch available for the kernel 2.6.21 the documentation is outdated and I wasn’t able to figure out if LIDS can really be used for the mentioned filtering.
So the bottom line is that there is currently no easy way to implement application-wise network filtering afaik. It can be discussed how useful it is anyway, but from the technical point of view this is sad.
Many users responded to the here raised question. The most notable comments are:
- Kai mentioned that iptables can filter by commands, but also pointed out that this feature was dropped.
- SMP also suggested iptables, this time pointing to the possibility of filtering by UID as a workaround.
- Chad Sellers posted a link to Tresys which offer a solution based on SELinux.
Thanks for all these helpful and interesting comments, I really appreciate that.
Two other ways of filtering were proposed:
- A possible solution could be a system monitoring the PIDs and UIDs dynamically to create iptables filter rules related to the appropriate PID.
- Marian suggested NuFW, a Netfilter/Iptables based filter extension which requires a user to authenticate and therefore is capable of filtering based on different users and protocols. NuFW is more designed for corporate environments but nevertheless is an interesting solution.
Special thanks for insightful and helpful comments to blackhole, SM and SMP!