Hi
How to set
I don’t know how I can allow the permission (internet) for just Firefox in the openSUSE firewall.
I want to block internet access for other apps.
Thanks
A firewall does not know which application (process) is sending packets. It can only check on IP addresses and ports.
E.g. when you allow outgoing traffic to port 80 on all IP addresses (thus all HTTP servers on the internet), that would not only allow Firefox, but also Konqueror, Chrome, wget, etc.
OTOH, you probably also want to allow traffic to HTTPS servers and maybe even to non-standard HTTP servers using e.g. port 8080.
And FF will probably also support other protocols, like FTP, to use FTP servers.
But I have the strong idea that you just ask about some step in a path to what you really want. That is not a good way to ask questions: http://www.catb.org/~esr/faqs/smart-questions.html#goal
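One thing a practitioner would add at this point (added example, not part of the thread): the statement above holds for a firewall on the network boundary, but a host firewall on the Linux box itself can also match the UID that owns the sending socket (nftables `meta skuid`, iptables `-m owner --uid-owner`). That gives a per-user, not per-executable, rule: if Firefox is the only program ever started as a dedicated account, only Firefox reaches the Internet. The account name `ffuser`, the LAN range 192.168.1.0/24 and the file path below are assumptions.

```nft
# Added example, not from the thread. Assumes a dedicated account "ffuser" that
# Firefox is started as, e.g.  xhost +SI:localuser:ffuser; sudo -u ffuser firefox
# Load with:  nft -f /etc/nftables.d/firefox-only.nft
table inet ffonly {
    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept                        # loopback (local resolver stub, D-Bus, etc.)
        ct state established,related accept        # replies to flows that were already allowed
        ip daddr 192.168.1.0/24 accept             # the LAN stays reachable for every program
        meta skuid "ffuser" accept                 # only sockets owned by ffuser may leave for the Internet
        log prefix "ffonly drop: " counter drop    # everything else is logged and dropped
    }
}
```

Two caveats before relying on this: if a local resolver daemon (systemd-resolved, dnsmasq) forwards DNS upstream, its own UID needs an accept rule as well, otherwise Firefox resolves nothing; and the ruleset above only covers IPv4 destinations for the LAN exception, so an IPv6-capable LAN needs a matching `ip6 daddr` rule. It also does not stop `ffuser` from running wget: restricting the executable, as the AppArmor and Firejail suggestions in this thread do, is a separate control.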
Hi
Look at AppArmor… there is a thread here:
https://forums.opensuse.org/showthread.php/498827-AppArmor-Profile-Deny-internet-access
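For readers who do not want to follow the link, here is the shape such a profile takes (added example, not the profile from the linked thread). The path /opt/example/app is an assumption; substitute the real binary.

```apparmor
# Added example, not from the linked thread. Binary path is assumed.
# Load (or reload after edits) with:  apparmor_parser -r /etc/apparmor.d/opt.example.app
#include <tunables/global>

/opt/example/app {
  #include <abstractions/base>

  # Refuse every socket of the inet and inet6 families. Unix sockets stay
  # allowed so D-Bus, X11 and Wayland keep working. AppArmor deny rules take
  # precedence over any allow rule an included abstraction might contribute.
  # Use "audit deny" instead of "deny" if you want the refusals logged.
  deny network inet,
  deny network inet6,

  /opt/example/app mr,
  owner @{HOME}/** rw,
}
```

Note what this can and cannot express: the rule is keyed on address family and socket type, not on destination, so it blocks the LAN together with the Internet for that executable. That is the limitation pointed out later in this thread.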
- Configure a Web Proxy like Squid either on your Default Gateway or on another machine configured normally (with a Default Gateway)
- Configure your Host machine without a default gateway.
- In your Firefox settings, configure to point to your Web Proxy.
This supports any/all Hosts in your LAN, no matter the OS or machine.
TSU
Like mine and the other advice here, its usability depends much on what the OP’s goal is, which he did not explain at all.
In your solution steps 1 and 2 are typical system/network management steps and thus can be forced upon the users.
Step 3 however is a user step. Now one can of course argue that the user will do this, else he will have no HTTP connection to the internet at all. But he then could also do the same (configuring a proxy) in all other HTTP clients he wants to use (e.g. Konqueror, wget) and this does not answer the question asked: how to block for others than Firefox.
Also, as I understand the AppArmor solutions, they block network access per executable. But the OP asks for Internet only and not for the LAN.
But again, taking the question asked literally raises much ???
And adding all sorts of assumptions creates this wide range of solutions.
Actually, step 3 can also be automated.
Web proxies can be configured with WPAD, and all web browsers install with it enabled by default.
And, of course in an Enterprise network, you can push a policy that makes sure that setting is still enabled and not tweaked by someone.
WPAD works sort of like DHCP, the web browser settings are pushed from the web proxy.
BTW - There are also “lighter” web proxy solutions than running squid… If you don’t want the additional features and just want to forward web requests (http/https/ftp/ftps), then there are simple scripts you can run (eg javascript, python, etc).
TSU
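What WPAD actually hands to the browser is a PAC file (added example below, not from the thread): with proxy auto-detection enabled, the browser asks DHCP for option 252 and, failing that, resolves the name `wpad` in its own domain, then fetches `http://wpad.<domain>/wpad.dat`. That file is JavaScript with a single entry point, `FindProxyForURL(url, host)`, which returns `DIRECT` or a `PROXY host:port` string per request. The proxy name `proxy.example.lan`, the local domain and the LAN ranges are assumptions. A real browser supplies `isPlainHostName`, `dnsDomainIs` and `isInNet` itself; the small versions defined here exist only so the file can be run and tested under Node, and unlike the browser’s `isInNet` they handle dotted-quad literals only, not host names.

```javascript
// Added example, not from the thread: a wpad.dat / PAC file.
// Proxy name, local domain and LAN ranges are assumed.
var PROXY = "PROXY proxy.example.lan:3128";   // assumed Squid listener

// --- minimal stand-ins for the PAC helper functions (browsers provide these) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function ip4ToInt(s) {
  var p = s.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
    n = n * 256 + Number(p[i]);
  }
  return n;
}

// Literal IPv4 addresses only; the browser's own isInNet also resolves names.
function isInNet(host, net, mask) {
  var h = ip4ToInt(host), n = ip4ToInt(net), m = ip4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);   // >>> 0 keeps the AND unsigned
}

// --- the actual policy ---
function FindProxyForURL(url, host) {
  // Unqualified names and the local domain are on the LAN: no proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan"))
    return "DIRECT";

  // RFC 1918 space and loopback are reachable without a default gateway.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0"))
    return "DIRECT";

  // Everything else goes through the proxy. On a host without a default
  // gateway, a client that ignores this file simply cannot reach the Internet.
  return PROXY;
}
```

The security caveat practitioners know WPAD for: the browser fetches this file over plain HTTP from a name it learned via DHCP or DNS, so anyone who can answer those on the LAN can hand every browser a PAC file that points at their own proxy. Register the `wpad` name and the DHCP option yourself rather than leaving them unanswered.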
I do believe you when you say that network policy can be forced upon network-using systems. But I doubt that you can force with a network policy which executable programs (Firefox yes, Chrome no) can be used to use the network (still obeying its policy).
And that is what the OP asks: FF must be able, Chrome, Konqueror, wget, httrack, Lynx, … not.
And it certainly can not be done through a firewall (a real one on the network boundary, or a “personal” one on the system itself) as the OP asks.
I’m referring to the word “policy” loosely…
Besides machine configuration like what is available in Active Directory (and, if extended, even Linux machines), even without this kind of capability:
- Typically, all web apps support configuration by script, which can for instance be run on network logon
- All web browsers support creating customized versions, an Enterprise can take the further step to not allow generic versions of a web browser to be installed, and push only its own custom version.
Yes,
Although a web proxy will generally support any kind of web connection (ie the specific protocols I listed in my prior post) and that means <any> application, in a highly secure network, authorized applications in the network would be highly restricted… ie Users would not have install/update permissions, and authorized applications would likely be pre-installed on every machine. But, in a less restrictive network, the User would be able to use any web browser of choice, and even applications that aren’t web browsers (eg YaST) or command line app.
Additionally,
Web proxies like any other kind of proxy firewall might also have features that allow filtering, so it may also be possible to filter/block https headers that identify specific applications (or whitelist) or client machines, etc.
TSU
Maybe we have opened now a can of worms big enough to let the OP tell what his goal is, so people can narrow down the huge amount of possible solutions to one that is workable for him in his environment.
Whilst deferring to everyone else’s expertise here, & acknowledging that the OP might wish to clarify their objective, I humbly suggest an alternative solution might be to install & use Firejail to sandbox as many programs as desired by the OP. I do this routinely in my PCs, & make extensive use of the option
--protocol=unix
to fully block all internet access for programs which do not need to have internet access for their standard functionality [ie, I thus explicitly block them from sneakily “calling home”]. E.g.:
firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/wps # WPS Office Writer
firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/wpp # WPS Office Presentation
firejail --protocol=unix -- /opt/kingsoft/wps-office/office6/et # WPS Office Spreadsheet
firejail --noprofile --protocol=unix -- taskcoach.py # Task Coach
firejail --protocol=unix -- cherrytree # CherryTree
firejail --protocol=unix -- shutter # Shutter
firejail --protocol=unix -- kmymoney # KMyMoney
firejail --protocol=unix -- /opt/master-pdf-editor-4/masterpdfeditor4 # Master PDF Editor
firejail --protocol=unix -- clementine # Clementine - Local music only
firejail --blacklist=/Seagate --private -- clementine # Clementine - Streaming [can't see my SSD & HDD]
firejail --protocol=unix -- keepassxc # KeePassXC
firejail --protocol=unix -- libreoffice --writer # LibreOffice Writer
firejail --protocol=unix -- libreoffice --calc # LibreOffice Calc
firejail --protocol=unix -- /usr/bin/gwenview # Gwenview
If that outcome was actually what the OP was thinking about, then FJ could help.
Additionally, since firejail 0.9.46, it has offered optional “full desktop integration”, meaning that even when the User has not created any custom launchers [like mine above], an array of common programs automatically run in the FJ sandbox each time they are invoked. By itself, this does not stop any of the User’s /home data being potentially visible to the internet [for that, use custom launchers as I showed above], but it means that no malicious pgm can delete or change any data in /home. E.g., my FDI list at the moment, using FJ 0.9.50-1, is:
https://paste.opensuse.org/images/95901019.png
Browsers, of course, must by definition have full internet access, but Firejail by design protects all the user’s /home partition data. With use of additional launcher options one can also protect data in nominated additional partitions / drives.
Firejail works really well for me, & might be useful also for the OP.
Hm, interesting tool and explanation about its use.
Do you mean by that “the user’s home directory”? Because anything the user does can only work on his/her data and there is more in /home than just his/her home directory.
Again a bit confusing to me. A user has no partitions. And certainly he has no /home partition. He normally “has” a /home/<username>/ and while that can be a partition, it in most cases is not and I assume that is not what you mean.
So is this protection now by “partition” or by directory, or even by home directory?
And when it is by “partition”, then isn’t it in fact by file system? Or does it only work on partitions and not on other volumes like whole disks, LVM logical volumes, MD devices aka Linux Software RAID?
Just trying to understand.
Hi Henk. Sorry that my poor explanation caused confusion. I’ll try to improve on that here. When I wrote the word “User” before, I deliberately capitalised it into a proper noun so as to imply just some generic person; I was not meaning it in a strict Linux jargon sense of “user”. Maybe substitute my earlier use of “User” with “computer operator person”?
Now I might be misunderstanding you here, but all I was meaning was that I tend to think of the /home directory [which IS indeed also a separate partition, the way I set it up] in my computers as belonging to “me”, whereas most of the other directories belong to “root”. As I think I understand it, Firejail operates on the /home directory [& sub-directories], not also on stuff owned by root, given that is already protected by the basic Linux design [ie, root privilege is needed to change or delete anything owned by root; obviously that’s untrue for “my” directory/ies].
Why you said
there is more in /home then just his/her home directory
confuses me. That’s untrue for me; all there is in “my” /home directory is the one sub-directory bearing my name:
https://paste.opensuse.org/images/21007875.png
…whilst it of course then holds all “my” important sub-directories & files:
https://paste.opensuse.org/images/60233770.png
All of the stuff shown in my pictures above are the content which Firejail protects, in various ways depending on specific ways the User / Computer Operator chooses to setup & run Firejail.
Again, I meant something more like “…but Firejail by design protects all the computer operator person’s /home partition data”. For me, anyway, that is a valid statement, as per my pics above; my /home directory IS also a separate partition, it is not just part of / [indeed, the default Ruby installer, if the human installer person accepts it, will create a btrfs / partition (with lots of complex-looking structures inside that which I’d never seen before I began using oS & btrfs) & a separate /home partition]. I had not previously realised that other people might have quite different directory structures.
Oh, I just realised perhaps why I confused you. I tend to speak of the drive’s partitions & their associated mount points interchangeably, which is possibly naughty of me. So e.g. when I think of my “root partition” & my “home partition”, even though in my Tower’s TW partition table they are /dev/sda2 & /dev/sda3 respectively, I simply regard them as my “/” partition & my “/home” partition. I admit I might be lax in that usage, but I just did a quick DuckDuckGo search for “Linux home partition” & saw that there’s lots of people who use similar loose conventions to me. I agree that does not make it correct, but I’m just trying to help you understand what I was meaning earlier.
Because I have no doubt still done a lousy job of trying to explain, it might be better for me to shut up and instead share a few Firejail links that have been very helpful for me over the past couple of years, & hope that they might give you a more technically robust understanding of it than my feeble attempts are able to. The first three links pertain to the website of the actual Firejail developer.
- https://firejail.wordpress.com/
- https://firejail.wordpress.com/2017/05/15/linux-mint-sandboxing-guide/
- https://firejail.wordpress.com/features-3/man-firejail/
- https://github.com/rahiel/firectl
- http://manpages.ubuntu.com/manpages/wily/en/man1/firejail.1.html
- https://forums.linuxmint.com/viewtopic.php?f=42&t=240157
Sorry for all the confusion I might have caused.
Thanks for your extensive explanation.
Indeed a big misunderstanding between you and me, about me thinking that you mean with “the User” the end-user (a user defined in the system, but NOT root), and you just meaning a human being that fumbles on the several buttons and knobs of the system.
Main reason for the misunderstanding is that a Linux system does not understand such a human being. It only knows about users, defined by their UID (user id, a number) and that have a user name (that we mostly use, both on the system itself and in conversation here) connected to it. And there is one Superuser, which is defined as such by the kernel having UID 0 and which has in all systems I know of the user name root.
And those UIDs are the owners of running processes on one side and objects (files) on the other side. And what processes can do to the objects is defined by permissions.
And in short that means that an end-user can not do anything on /home or things inside it except for his own home directory.
What follows then is more or less written from a completely wrong point of view on my side. Thus I will refrain from going into most points because they are of no importance.
Just one or two.
That’s untrue for me; all there is in “my” /home directory is the one sub-directory bearing my name:
That is so by accident, you apparently having just one and only one end-user configured on the system (but IIRC you had another system where you had at least two). But there being only one does not nullify general statements like: the home directories of the end-users are in /home.
And yes, there is a huge difference between mass storage volumes/containers (of which partitions are only one form of existence) and their contents, which might be a file system.
And file systems (irrespective of the type of volume/container they are stored on) can be mounted on a mount point (just a directory where the system manager decided that the directory tree on that file system should be added into the one directory tree that is used by a Unix/Linux system). And that is specially done to hide the fact that parts of the directory tree are on different volumes away from the end-user (contrary to another series of operating systems where every file system, and thus every volume, is very visible to the end-user by starting a separate tree for each of them, denoted by A:, B:, etc.).
I know that people tend to use these terms very loosely, and in many cases the reader/listener may understand with almost 100% correctness what he wanted to say, but also very often correct usage will be required, as here, where I thought you were talking about an end-user and about partitions, where an end-user has nothing to say at all.
But I now understand that the tool is used and configured by the system manager (root).