

🔧 Homemade application firewall for Linux


News section: 🔧 Programming
🔗 Source: dev.to

Firewalls on Linux normally work at the network-interface level, controlling traffic according to defined rules. If you want to block every request to port 80, for example, a single rule does it. No UDP allowed? No problem at all. But how do you block traffic for only one application? That is where an application firewall comes in.

In short, an application firewall blocks or limits a specific application's ability to send or receive traffic to or from a destination. It has plenty of uses, from server applications to desktop ones, which is what I was looking for.

I was working on an old game, trying to understand its network protocol and how the binary behaves when something goes wrong with its connections, when a thought came to mind: "What if I could block the traffic to this server only for this process?" That brought me to OpenSnitch.

OpenSnitch "allows you to create rules for which apps to allow to access the internet and which to block" (It's FOSS, n.d.). Nothing bad to say about it, but I thought it would be too much for my use case, so I kept looking.

Some days later it occurred to me: "Would Linux namespaces fit?" I had read about them but never used them directly, so my theory was: could I create a network namespace for the application, use UFW or iptables to build my rules inside it, and get a simpler version of an application firewall? The answer is yes!

The steps I used for this test were the following. Commands marked "host" run in a normal shell on the host; commands marked "namespace" run in the shell that unshare opens.

Host: create a veth pair, i.e. two virtual interfaces wired back to back like a point-to-point link.

sudo ip link add veth0 type veth peer name veth1

Host: give the host end an IP address.

sudo ip addr add 10.0.0.1/24 dev veth0

Host: bring the interface up.

sudo ip link set veth0 up

Host: enable IP forwarding, so the kernel will route packets between veth0 and the external interface.

sudo sysctl -w net.ipv4.ip_forward=1

With the host side ready, create the namespace. unshare --net starts a shell with its own, empty network stack: no interfaces apart from a loopback that is still down, its own routing table and its own iptables rules.

sudo unshare --net /bin/bash

Namespace: print the PID of this shell; the host needs it to address the new namespace.

echo $$

Host: move veth1 into the namespace, replacing <PID> with the number printed above.

sudo ip link set veth1 netns <PID> 

Namespace: give veth1 an address (this shell is already root, so the sudo is not strictly needed here).

sudo ip addr add 10.0.0.2/24 dev veth1

Namespace: bring the interface up (and bring up lo as well if the program talks to localhost).

sudo ip link set veth1 up

Namespace: make the host end the default gateway.

ip route add default via 10.0.0.1

To complete the setup, one more step is needed on the host: masquerade the namespace's subnet behind the host's external interface. Replace <INTERFACE> with the interface that carries your Internet traffic (eth0, wlan0, ...). If the FORWARD chain's default policy is DROP, as it is on hosts where Docker is installed, traffic to and from veth0 must also be accepted there.

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <INTERFACE> -j MASQUERADE

From this point on, firewall rules created inside the unshared shell affect only that namespace's network stack, so they apply exactly to the programs started from that shell (and their children) and to nothing else on the host. That is the whole application firewall. Two caveats matter in practice. First, UFW is not namespace-aware: it keeps its state under /etc/ufw, which the namespace shares with the host, so plain iptables commands are the safer tool inside the namespace. Second, the unshared shell runs as root and everything it starts inherits that, so a program could simply flush the rules meant to restrict it; if the binary is untrusted, put the blocking rules in the host's FORWARD chain (matching on veth0 or on 10.0.0.2), which the namespace cannot reach, and drop to an unprivileged user before launching the program.
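The following script is an added example, not code from the original post. It automates the same recipe (veth pair, namespace, MASQUERADE) and goes a little beyond it: it uses a named namespace so the program is started with ip netns exec instead of from the shell that unshare opened, it enforces the block in the host's FORWARD chain rather than inside the namespace, and it drops root before starting the program. The namespace name appfw, the interface names vh0/vn0, the chain name APPFW, the resolver 1.1.1.1 and the sample address 203.0.113.10 are this example's own assumptions.

```shell
#!/bin/sh
# appfw.sh: added example, not code from the original post. Same recipe as above
# (veth pair, namespace, MASQUERADE), but with a *named* namespace so programs are
# started via `ip netns exec`, and with the block enforced in the host's FORWARD
# chain rather than inside the namespace. Names (appfw, vh0/vn0, 10.0.0.0/24,
# chain APPFW, resolver 1.1.1.1) and the address 203.0.113.10 are assumptions.
# Usage (root): ./appfw.sh setup; ./appfw.sh block 203.0.113.10 tcp 443;
#               ./appfw.sh run alice ./oldgame; ./appfw.sh teardown
set -eu
NS=appfw
VETH_HOST=vh0              # host end of the pair (the post's veth0)
VETH_NS=vn0                # namespace end (the post's veth1)
HOST_IP=10.0.0.1
NS_IP=10.0.0.2
SUBNET=10.0.0.0/24
CHAIN=APPFW                # our own chain, consulted first by FORWARD
DNS=${DNS:-1.1.1.1}        # resolver for the namespace (assumption; override via env)

# Unprivileged helpers: validate a rule before touching iptables.
valid_port() {   # digits only, 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ipv4() {   # dotted quad, octets 0-255, optional /0-32 prefix
    ip=${1%%/*}
    case "$1" in */*) p=${1#*/}
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -le 32 ] || return 1 ;;
    esac
    n=0; old_ifs=$IFS; IFS=.
    for o in $ip; do
        case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}
# Print the arguments of a host-side FORWARD rule dropping traffic from the
# namespace to DEST (IP or CIDR), optionally limited to one tcp/udp port.
block_rule_args() {   # block_rule_args DEST [tcp|udp PORT]
    dest=$1; proto=${2:-}; port=${3:-}
    valid_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    set -- -i "$VETH_HOST" -s "$NS_IP" -d "$dest"
    if [ -n "$proto" ]; then
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        set -- "$@" -p "$proto" --dport "$port"
    fi
    printf '%s\n' "$* -j DROP"
}

# Privileged part: the post's steps, automated.
need_root() { [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }; }
ext_if() { printf '%s\n' "${EXT_IF:-$(ip -o route get 1.1.1.1 | sed -n 's/.* dev \([^ ]*\).*/\1/p')}"; }
appfw_setup() {
    need_root
    ip netns add "$NS"
    ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    ip link set "$VETH_NS" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    ip link set "$VETH_HOST" up
    ip netns exec "$NS" ip link set lo up          # loopback is down in a fresh namespace
    ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
    ip netns exec "$NS" ip link set "$VETH_NS" up
    ip netns exec "$NS" ip route add default via "$HOST_IP"
    # ip netns exec bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf,
    # which keeps DNS working when the host uses a 127.0.0.53 stub resolver.
    mkdir -p "/etc/netns/$NS"
    [ -e "/etc/netns/$NS/resolv.conf" ] || printf 'nameserver %s\n' "$DNS" >"/etc/netns/$NS/resolv.conf"
    sysctl -q -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$(ext_if)" -j MASQUERADE
    # Block rules stay in the host's tables (iptables -F inside the namespace only
    # clears its own). The ACCEPTs matter where FORWARD's policy is DROP (Docker hosts).
    iptables -N "$CHAIN"
    iptables -I FORWARD 1 -j "$CHAIN"
    iptables -A FORWARD -i "$VETH_HOST" -j ACCEPT
    iptables -A FORWARD -o "$VETH_HOST" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}
appfw_block() {   # appfw_block DEST [tcp|udp PORT]
    need_root
    args=$(block_rule_args "$@")
    iptables -A "$CHAIN" $args        # unquoted on purpose: $args is a word list
}
# ip netns exec keeps root; runuser (util-linux) drops to USER before the program
# starts, so it can neither undo the rules nor leave the namespace.
appfw_run() {     # appfw_run USER CMD [ARGS...]
    need_root
    user=$1; shift
    ip netns exec "$NS" runuser -u "$user" -- "$@"
}
appfw_teardown() {   # MASQUERADE and ip_forward are left as they were
    need_root
    iptables -D FORWARD -j "$CHAIN" 2>/dev/null || true
    { iptables -F "$CHAIN" && iptables -X "$CHAIN"; } 2>/dev/null || true
    iptables -D FORWARD -i "$VETH_HOST" -j ACCEPT 2>/dev/null || true
    iptables -D FORWARD -o "$VETH_HOST" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
    ip netns del "$NS"   # also destroys vn0 and, with it, its peer vh0
}
case "${1:-}" in
    setup)    appfw_setup ;;
    block)    shift; appfw_block "$@" ;;
    run)      shift; appfw_run "$@" ;;
    teardown) appfw_teardown ;;
    '')       ;;         # no verb: only define the functions (e.g. when sourced)
    *) echo "usage: $0 setup | block DEST [tcp|udp PORT] | run USER CMD... | teardown" >&2; exit 2 ;;
esac
```

The validation helpers run without privileges, so a rule can be checked (block_rule_args prints what would be appended to the APPFW chain) before anything is applied. Because the drop rules sit in the host's FORWARD chain and the program is started as an ordinary user, neither an iptables -F inside the namespace nor a misbehaving binary can lift the block; only root on the host can.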

It's a straightforward approach, but it works! Thanks for reading, and I hope
this helps.
