
Thread: How to set internet just for firefox?

  1. #1
    Join Date
    Apr 2015
    Location
    The Earth
    Posts
    498

    Default How to set internet just for firefox?

    Hi
    How to set
    I don't know how I can allow the permission (internet) for just Firefox in the openSUSE firewall.
    I want to block internet access for other apps.
    Thanks
    Dual-boot openSUSE and win10
    OpenSUSE Tumbleweed ; Plasma 5.15.x:" LVM encrypted"
    My Partition: GPT and UEFI system
    Hp ProBook 450 G1

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: How to set internet just for firefox?

    A firewall does not know which application (process) is sending packets. It can only check on IP addresses and ports.

    E.g. when you allow outgoing traffic to port 80 on all IP addresses (thus all HTTP servers on the internet), that would not only allow Firefox, but also Konqueror, Chrome, wget, etc.

    OTOH, you probably also want to allow traffic to HTTPS servers and maybe even to non standard HTTP servers using e.g. 8080.

    And FF will probably also support other protocols like FTP to use FTP servers.

    But I have the strong idea that you just ask some step in a path to what you really want. That is not a good way to ask questions: http://www.catb.org/%7Eesr/faqs/smar...ions.html#goal
    Henk van Velden

  3. #3
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,527
    Blog Entries
    15

    Default Re: How to set internet just for firefox?

    Hi
    Look at AppArmor... there is a thread here;
    https://forums.opensuse.org/showthre...nternet-access
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,949
    Blog Entries
    2

    Default Re: How to set internet just for firefox?

    1. Configure a Web Proxy like Squid either on your Default Gateway or on another machine configured normally (with a Default Gateway)
    2. Configure your Host machine without a default gateway.
    3. In your Firefox settings, configure to point to your Web Proxy.

    This supports any/all Hosts in your LAN, no matter the OS or machine.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: How to set internet just for firefox?

    Quote Originally Posted by tsu2 View Post
    1. Configure a Web Proxy like Squid either on your Default Gateway or on another machine configured normally (with a Default Gateway)
    2. Configure your Host machine without a default gateway.
    3. In your Firefox settings, configure to point to your Web Proxy.

    This supports any/all Hosts in your LAN, no matter the OS or machine.

    TSU
    Like mine and the other advices here, their usability depends much on what the OP's goal is. Which he did not explain at all.

    In your solution steps 1 and 2 are typical system/network management steps and thus can be forced upon the users.

    Step 3 however is a user step. Now one can of course argue that the user will do this, else he will have no HTTP connection to the internet at all. But he then could also do the same (configuring a proxy) in all other HTTP clients he wants to use (e.g. Konqueror, wget) and this does not answer the question asked: how to block for others than Firefox.

    Also, as I understand the Apparmor solutions, they block Network access per executable. But the OP asks for Internet only and not for the LAN.

    But again, taking the question asked literally raises much ?????
    And adding all sorts of assumptions creates this wide range of solutions.
    Henk van Velden

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,949
    Blog Entries
    2

    Default Re: How to set internet just for firefox?

    Quote Originally Posted by hcvv View Post
    Like mine and the other advices here, their usability depends much on what the OP's goal is. Which he did not explain at all.

    In your solution steps 1 and 2 are typical system/network management steps and thus can be forced upon the users.

    Step 3 however is a user step. Now one can of course argue that the user will do this, else he will have no HTTP connection to the internet at all. But he then could also do the same (configuring a proxy) in all other HTTP clients he wants to use (e.g. Konqueror, wget) and this does not answer the question asked: how to block for others than Firefox.

    Also, as I understand the Apparmor solutions, they block Network access per executable. But the OP asks for Internet only and not for the LAN.

    But again, taking the question asked literally raises much ?????
    And adding all sorts of assumptions creates this wide range of solutions.
    Actually, step 3 can also be automated.
    Web proxies can be configured with WPAD, and all web browsers by default install with it enabled by default.
    And, of course in an Enterprise network, you can push a policy that makes sure that setting is still enabled and not tweaked by someone.
    WPAD works sort of like DHCP, the web browser settings are pushed from the web proxy.

    BTW - There are also "lighter" web proxy solutions than running squid... If you don't want the additional features and just want to forward web requests (http/https/ftp/ftps), then there are simple scripts you can run (eg javascript, python, etc).

    TSU

  7. #7
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: How to set internet just for firefox?

    Quote Originally Posted by tsu2 View Post
    And, of course in an Enterprise network, you can push a policy that makes sure that setting is still enabled and not tweaked by someone.
    I do believe you when you say that network policy can be forced upon network using systems. But I doubt that you can force with a network policy which executable programs (Firefox yes, Chrome no) can be used to use the network (still obeying its policy).
    And that is what the OP asks: FF must be able, Chrome, Konqueror, wget, httrack, Lynx, ..... not.
    And it certainly can not be done through a firewall (a real one on the network boundary, or a "personal" one on the system itself) as the OP asks.
    Henk van Velden

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,949
    Blog Entries
    2

    Default Re: How to set internet just for firefox?

    Quote Originally Posted by hcvv View Post
    I do believe you when you say that network policy can be forced upon network using systems. But I doubt that you can force with a network policy which executable programs (Firefox yes, Chrome no) can be used to use the network (still obeying its policy).
    And that is what the OP asks: FF must be able, Chrome, Konqueror, wget, httrack, Lynx, ..... not.
    And it certainly can not be done through a firewall (a real one on the network boundary, or a "personal" one on the system itself) as the OP asks.
    I'm referring to the word "policy" loosely...
    Besides machine configuration like what is available in Active Directory (and if extended even Linux machines), even without this kind of capability
    1. Typically, all web apps support configuration by script, which can for instance be run on network logon
    2. All web browsers support creating customized versions, an Enterprise can take the further step to not allow generic versions of a web browser to be installed, and push only its own custom version.

    Yes,
    Although a web proxy will generally support any kind of web connection (ie the specific protocols I listed in my prior post) and that means <any> application, in a highly secure network, authorized applications in the network would be highly restricted... ie Users would not have install/update permissions, and authorized applications would likely be pre-installed on every machine. But, in a less restrictive network, the User would be able to use any web browser of choice, and even applications that aren't web browsers (eg YaST) or command line app.

    Additionally,
    Web proxies like any other kind of proxy firewall might also have features that allow filtering, so it may also be possible to filter/block https headers that identify specific applications (or whitelist) or client machines, etc.

    TSU

  9. #9
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: How to set internet just for firefox?

    Maybe we have opened now a can of worms big enough to let the OP tell what his goal is, so people can narrow down the huge amount of possible solutions to one that is workable for him in his environment.
    Henk van Velden

  10. #10
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Default Re: How to set internet just for firefox?

    Whilst deferring to everyone else's expertise here, & acknowledging that the OP might wish to clarify their objective, i humbly suggest an alternative solution might be to install & use Firejail to sandbox as many programs as desired by the OP. I do this routinely in my PCs, & make extensive use of the option
    Code:
    --protocol=unix
    to fully block all internet access for programs which do not need to have internet access for their standard functionality [ie, i thus explicitly block them from sneakily "calling home"]. Eg:
    Code:
    firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/wps           # WPS Office Writer
    firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/wpp           # WPS Office Presentation
    firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/et            # WPS Office Spreadsheet
    firejail --noprofile --protocol=unix -- taskcoach.py                       # Task Coach
    firejail --protocol=unix -- cherrytree                                     # CherryTree
    firejail --protocol=unix -- shutter                                        # Shutter
    firejail --protocol=unix -- kmymoney                                       # KMyMoney
    firejail --protocol=unix -- /opt/master-pdf-editor-4/masterpdfeditor4      # Master PDF Editor
    firejail --protocol=unix -- clementine                                     # Clementine - Local music only
    firejail --blacklist=/Seagate --private -- clementine                      # Clementine - Streaming [can't see my SSD & HDD]
    firejail --protocol=unix -- keepassxc                                      # KeePassXC
    firejail --protocol=unix -- libreoffice --writer                           # LibreOffice Writer
    firejail --protocol=unix -- libreoffice --calc                             # LibreOffice Calc
    firejail --protocol=unix -- /usr/bin/gwenview                              # Gwenview
    If that outcome was actually what the OP was thinking about, then FJ could help.

    Additionally, since firejail_0.9.46, it has offered optional "full desktop integration", meaning that even when the User has not created any custom launchers [like mine above], an array of common programs automatically run in the FJ sandbox each time they are invoked. By itself, this does not stop any of the User's /home data being potentially visible to the internet [for that, use custom launchers as i showed above], but it means that no malicious pgm can delete or change any data in /home. Eg, my FDI list at the moment, using FJ 0.9.50-1, is:


    Browsers, of course, must by definition have full internet access, but Firejail by design protects all the user's /home partition data. With use of additional launcher options one can also protect data in nominated additional partitions / drives.

    Firejail works really well for me, & might be useful also for the OP.
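
A way to check that a launcher like the `--protocol=unix` ones in post #10 really confines a program, as an added example that is not part of any post in this thread: the probe tries to create one socket per address family and reports any family that is reachable although the policy does not list it. The function names and the comma-separated policy argument are assumptions of this example; no packets are sent.

```python
import socket
import sys

# Address families to probe; the names match firejail's --protocol values.
FAMILIES = {
    "unix": socket.AF_UNIX,
    "inet": socket.AF_INET,
    "inet6": socket.AF_INET6,
}

def probe_families(families=FAMILIES):
    """Try to create a stream socket per family; True means the kernel allowed it."""
    result = {}
    for name, family in families.items():
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            # Refused: blocked by the sandbox filter, or family not supported.
            result[name] = False
        else:
            sock.close()
            result[name] = True
    return result

def unexpected_families(allowed_spec, probed):
    """Return the families that are reachable but not listed in the policy."""
    allowed = {p.strip() for p in allowed_spec.split(",") if p.strip()}
    return sorted(n for n, ok in probed.items() if ok and n not in allowed)

def main(argv):
    # Policy defaults to "unix", the value used in the launchers above.
    spec = argv[1] if len(argv) > 1 else "unix"
    probed = probe_families()
    for name, ok in sorted(probed.items()):
        print(f"{name:6} {'allowed' if ok else 'blocked'}")
    leaks = unexpected_families(spec, probed)
    if leaks:
        print("NOT confined, extra families reachable:", ", ".join(leaks))
        return 1
    print("confined to:", spec)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved under a name of your choice (here, hypothetically, `check_protocol.py`), it is run inside the sandbox, e.g. `firejail --protocol=unix -- python3 check_protocol.py unix`; run outside the sandbox it should report `inet` as reachable and exit with status 1.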
