OpenSuse: simple way to prevent every program except whitelist from having access to the internet?

Hello guys,

I would like to use my smartphone as an access point to surf on the internet on my netbook while I’m travelling. The thing is that my data plan is limited to about 1GB of data a month. Is there a simple way to prevent every program except those specified in a predefined whitelist from having access to the internet?

I would really like the rule to be based upon a list of applications, not protocol or port.

I’m running OpenSuse 11.4 & 12

Cheers!

On 2012-05-24 02:06, jajamd wrote:
>
> Hello guys,
>
> I would like to use my smartphone as an access point to surf on the
> internet on my netbook while I’m travelling. The thing is that my data
> plan is limited to about 1GB of data a month. Is there a simple way to
> prevent every program except those specified in a predefined whitelist
> from having access to the internet?

Yes, there is.

You have to make all those applications SGID, and adjust the firewall so
that packages from a certain group are disallowed:


>  iptables -A OUTPUT -m owner --gid-owner talker -j LOG --log-prefix 'Do not talk home: '
>  iptables -A OUTPUT -m owner --gid-owner talker -j REJECT

You can put that in “SuSEfirewall2-custom” (and enable that custom script)

That is, all programs are allowed, except those that run as that group
(thus needs SGID set). Maybe the rule can be reversed, but I don’t know
enough about iptables to do it.

Not a simple way, I know.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
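Added example, not from the thread: the reversed ("whitelist") form of the owner-match rules above, as a small shell script. The group name netok, the DHCP allowance and the use of sg(1) instead of making binaries SGID are all my assumptions, not anything the poster described. The body of whitelist_rules can be pasted into the custom hook of SuSEfirewall2-custom (fw_custom_after_finished in the template as I remember it; check your copy) or run on its own after the firewall has started; either way it needs root.

```shell
#!/bin/sh
# Added example (not from the thread): outbound whitelist by group id.
# Assumptions: the whitelist group is called "netok", IPT points at the
# iptables binary (root required), the phone link is configured by DHCP,
# and whitelisted programs are started through sg(1) rather than made SGID.
set -eu

NETOK_GROUP="${NETOK_GROUP:-netok}"   # assumed group name
IPT="${IPT:-iptables}"

# Build a dedicated OUTPUT chain so the rules can be reloaded without
# touching the rest of the SuSEfirewall2 rule set.
whitelist_rules() {
    grp="$1"
    "$IPT" -N app_whitelist 2>/dev/null || true   # create once, then flush
    "$IPT" -F app_whitelist

    # Loopback never reaches the phone: always allow it.
    "$IPT" -A app_whitelist -o lo -j ACCEPT

    # Packets that belong to no local socket (TCP resets and ICMP errors
    # generated by the kernel) have no owner; without this rule they would
    # fall through to the REJECT below.
    "$IPT" -A app_whitelist -m owner ! --socket-exists -j ACCEPT

    # The DHCP client runs as root, not as $grp; allow lease renewals or
    # the link dies when the first lease expires.
    "$IPT" -A app_whitelist -p udp --dport 67 -j ACCEPT

    # The whitelist itself: any process whose effective gid is $grp.
    # Supplementary membership is NOT enough: --gid-owner compares only
    # the effective gid of the process that created the socket.
    "$IPT" -A app_whitelist -m owner --gid-owner "$grp" -j ACCEPT

    # Everything else: log (rate limited, so a chatty program cannot fill
    # the log) and REJECT rather than DROP, so the program fails at once
    # instead of hanging until its own timeout.
    "$IPT" -A app_whitelist -m limit --limit 6/min -j LOG --log-prefix "Not in $grp: "
    "$IPT" -A app_whitelist -j REJECT

    # Hook the chain in front of whatever OUTPUT already holds; remove a
    # stale jump first so repeated runs do not stack jumps.
    "$IPT" -D OUTPUT -j app_whitelist 2>/dev/null || true
    "$IPT" -I OUTPUT 1 -j app_whitelist
}

# Start a program with $NETOK_GROUP as its effective gid. sg(1) only needs
# the invoking user to be a member of the group (usermod -aG netok "$USER"),
# so no binary has to be made SGID and a package update cannot undo it.
run_whitelisted() {
    exec sg "$NETOK_GROUP" -c "$*"
}

case "${1:-}" in
    apply) whitelist_rules "$NETOK_GROUP" ;;
    run)   shift; run_whitelisted "$@" ;;
esac
```

Usage: "sh netfw.sh apply" as root once per firewall start, then "sh netfw.sh run firefox" as your own user to launch a whitelisted program. Anything started the normal way, including a root daemon, lands in the log with the "Not in netok:" prefix and gets an immediate connection error. Because only the effective gid counts, being a member of netok does not by itself open the network for your whole session, which is what makes the group usable as a per-launch switch.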

Carlos E. R. wrote:
> On 2012-05-24 02:06, jajamd wrote:
>> Hello guys,
>>
>> I would like to use my smartphone as an access point to surf on the
>> internet on my netbook while I’m travelling. The thing is that my data
>> plan is limited to about 1GB of data a month. Is there a simple way to
>> prevent every program except those specified in a predefined whitelist
>> from having access to the internet?
>
> Yes, there is.
>
> You have to make all those applications SGID, and adjust the firewall so
> that packages from a certain group are disallowed:

I don’t know enough to say for sure, but would adjusting AppArmor
profiles be another way?

On 2012-05-24 11:21, Dave Howorth wrote:
> I don’t know enough to say for sure, but would adjusting AppArmor
> profiles be another way?

It might.

I know that there was work in that direction years ago, I don’t know what
the status is.

The thing with AA is that the YaST interface has almost been abandoned
since the AA team was fired from Novell. If it is possible to block
connections, YaST does not say.

However, AA blocks specific binaries, you can not lock the entire system
with it. You have to go blocking service after service, one binary after
another.

Both approaches are similar in this respect.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
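Added example, not from the thread, for the AppArmor route Dave asks about: a script that writes and loads a profile whose only job is to forbid sockets for one binary. It assumes the kernel's AppArmor supports network rules (the SUSE kernels of that time carried that patch set; if apparmor_parser refuses the "deny network," line, yours does not), and /usr/bin/firefox is only a placeholder path. As said above, this is one profile per binary; nothing here confines the system as a whole.

```shell
#!/bin/sh
# Added example (not from the thread): confine one binary with AppArmor so
# that it may do everything it did before except create sockets.
# Assumptions: network rules are supported by the running kernel, and the
# binary path given on the command line is a placeholder.
set -eu

# Emit a profile that mediates nothing but networking: unrestricted file
# access, and child processes inherit the profile (ix), so helpers the
# program spawns are cut off as well. An explicit deny always beats an
# allow in AppArmor, so the base abstraction cannot reopen the network.
apparmor_no_net_profile() {
    bin="$1"
    cat <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>

  # Leave files alone; this profile is only about the network.
  / r,
  /** mrwklix,

  # Refuse every socket and log each attempt.
  audit deny network,
}
EOF
}

# Profile file name: AppArmor convention drops the leading slash and
# replaces every other "/" with ".", e.g. /usr/bin/firefox -> usr.bin.firefox
profile_path() {
    printf '/etc/apparmor.d/%s\n' "$(printf '%s' "$1" | sed 's|^/||; s|/|.|g')"
}

# Write the profile and load (or reload) it into the kernel. Needs root.
install_no_net_profile() {
    bin="$1"
    f="$(profile_path "$bin")"
    apparmor_no_net_profile "$bin" > "$f"
    apparmor_parser -r "$f"
}

case "${1:-}" in
    install) install_no_net_profile "$2" ;;
esac
```

Usage: "sh aa-nonet.sh install /usr/bin/akonadi_control" as root, once per binary you want cut off; denied attempts show up in the kernel log as audit events. This is the mirror image of the iptables group trick: here the default is "may talk" and you list what may not, so it fits the packagekit style of problem (a few known chatty programs) better than a strict whitelist.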

Maybe this is worth having a look at

http://sourceforge.net/projects/leopardflower/
“Per-application firewall for Linux OS”

I have not tried it myself


PC: oS 12.1 x86_64 | i7-2600@3.40GHz | 16GB | KDE 4.8.3 | GeForce GT 420
ThinkPad E320: oS 12.1 x86_64 | i3@2.30GHz | 8GB | KDE 4.8.3 | HD 3000
eCAFE 800: oS 12.1 i586 | AMD Geode LX 800@500MHz | 512MB | KDE 3.5.10

On 2012-05-24 02:06, jajamd wrote:
>
> Hello guys,
>
> I would like to use my smartphone as an access point to surf on the
> internet on my netbook while I’m travelling.

On the other hand, the only application likely to connect without your
knowledge is packagekit, so uninstall its frontends like apper. The rest
will be applications you start manually.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Thank you for your answers! I will look into that and let you guys know