by c618b9b695c4 1811 days ago
The reddit thread raises a good question I have often wondered about. What is my best option for an application-level firewall? I want to deny network connections by default and specifically enable who can speak to the outside world.
7 comments

OpenSnitch[1] is mentioned[2] in the reddit thread and was most recently featured on HN last year[3].

[1] https://github.com/evilsocket/opensnitch

[2] https://old.reddit.com/r/linux/comments/od3h8b/audacity_may_...

[3] https://news.ycombinator.com/item?id=22206116

> I want to deny network connections by default and specifically enable who can speak to the outside world.

I also want to filter the network data. I want my firewall to inspect what the software is sending over the network and delete, randomize or nullify all data that isn't strictly necessary for it to perform the desired function. Like uBlock Origin but for the network stack.

This would enable normal operation of the software while also at least partially subverting the "legitimate business interests" of these corporations.

> I want my firewall to inspect what the software is sending over the network and delete, randomize or nullify all data that isn't strictly necessary for it to perform the desired function. Like uBlock Origin but for the network stack.

You'll have to TLS man-in-the-middle yourself for this to be viable.

Absolutely. Interception is okay when we're the ones doing it. Software exists to serve us, it doesn't have the right to establish private communications with third parties against our wishes.

I've intercepted the traffic of many mobile apps to see what information they're sending. I hear developers are pinning certificates now. I can just replace the pinned certificate, right?

That's easy, since you have control over trusted CAs. And also, not true; it could be done in the TLS library.

Could also work with file access. Most applications never need to access the whole filesystem. My browser mostly needs access to the profile-specific data and the downloads folder. A music player doesn't need access to anything outside the music directory, and also needs no networking, unless maybe for that one URL it uses to load album cover images.

Although I'd only prefer this approach if it's actually done right. Android, Flatpak etc. mostly showed ways to do it badly.

Agreed. We need ways to filter every Linux system call. Not just disallow the system calls themselves. We need the ability to apply policies to parameters and filter I/O in a transparent way.

On Windows I use henrypp/simplewall. It is a lightweight UI on top of Windows Filtering Platform. My only complaint is with all the self-updating programs that keep changing their binary, so I need to re-enable them periodically...

Netlimiter on Windows, Little Snitch on macOS.

For Linux, check out firejail for isolating it.

I didn't know about firejail. Thanks.

The gist of it is

  sudo apt install firejail
  firejail audacity

I guess that the line

  net none

in /etc/firejail/audacity.profile prevents any network connections. And

  man firejail

for many useful functionalities.

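The music-player case from the file-access comment above, written out as a firejail profile that combines the thread's `net none` with a filesystem whitelist. This is an added example, not code from the thread or from the firejail project; the player name `musicplayer` and its `~/.config/musicplayer` settings directory are assumptions, so substitute the real binary name and paths.

```conf
# ~/.config/musicplayer.profile is hypothetical; drop the file into
# ~/.config/firejail/ as <binary-name>.profile and firejail picks it up
# in preference to /etc/firejail/<binary-name>.profile.

# Deny-by-default networking: the sandbox gets an empty network namespace,
# so nothing inside it can reach any host at all.
net none

# Filesystem: empty out $HOME and whitelist only what the player needs.
mkdir ${HOME}/.config/musicplayer
whitelist ${HOME}/Music
read-only ${HOME}/Music
whitelist ${HOME}/.config/musicplayer
include whitelist-common.inc    # shared whitelist for fonts, themes, etc.

# Hide parts of the system a media player never needs.
private-dev
private-tmp
disable-mnt

# Kernel-surface reduction. Note that firejail's seccomp filter blocks a
# list of syscalls outright; it does not inspect their arguments, which is
# exactly the gap the "filter every system call" comment above points at.
seccomp
caps.drop all
nonewprivs
noroot
protocol unix
```

The "except that one album-art URL" wish cannot be expressed here: a profile either has a network or it does not, so this keeps the deny default and leaves cover-art fetching to something outside the sandbox if it is really wanted.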
Run it under a different user and firewall that user off from network access.