by mikedelfino 453 days ago
I'm not sure about the other commenter's intentions, but on desktop, I wish every program started in a restricted network namespace. Instead of blocking all incoming and outgoing connections by default, it would request user permission interactively and adjust access accordingly.

On Linux you can do the next best thing which is to move out all the interfaces from the default network namespace and use iptables rules for it which block everything just in case.

Then you have to explicitly launch applications in a desired network namespace such as physical (eth0, wlan0 etc) or vpn (wg0).

Accidentally launched applications, or something like the desktop environment, have no network connectivity.
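A script that carries the setup this comment describes through end to end, as an added example (not the commenter's own script): the default namespace is locked down with DROP policies, the physical NIC is moved into a "physical" namespace, a WireGuard interface is created there and moved into a "vpn" namespace so that namespace can only reach the world through the tunnel, and programs are started with `ip netns exec`. The interface names `eth0` and `wg0`, the address `10.0.0.2/24`, the config path `/etc/wireguard/wg0.conf`, the DHCP client `dhclient` and the user `alice` are all assumptions made for the example; it has to run as root, and `NETNS_DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny desktop network
# setup using Linux network namespaces (iproute2) and iptables.
# Assumptions (constructed for this example): the physical NIC is "eth0",
# the WireGuard interface is "wg0", its peer config lives in
# /etc/wireguard/wg0.conf (with AllowedIPs covering the traffic you want
# tunnelled), the tunnel address is 10.0.0.2/24, "dhclient" is installed,
# and the script runs as root.
# Set NETNS_DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${NETNS_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: lock down the default namespace. Once the interfaces are moved
# out only loopback remains here; the DROP policies make sure nothing
# gets through even if an interface reappears (hotplug, reboot).
lockdown_default_ns() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
}

# Step 2: create the "physical" namespace and move the NIC into it.
# Moving an interface drops its addresses, so it is configured again inside.
create_physical_ns() {
    ns="$1"; iface="$2"
    run ip netns add "$ns"
    run ip link set "$iface" netns "$ns"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "$iface" up
    run ip netns exec "$ns" dhclient "$iface"
}

# Step 3: create the "vpn" namespace. The WireGuard interface is created
# inside the physical namespace so its UDP socket stays there, then the
# interface itself is moved; everything in "vpn" can only talk via wg0.
create_vpn_ns() {
    ns="$1"; phys="$2"; wgif="$3"; addr="$4"
    run ip netns add "$ns"
    run ip -n "$phys" link add "$wgif" type wireguard
    run ip -n "$phys" link set "$wgif" netns "$ns"
    run ip netns exec "$ns" wg setconf "$wgif" "/etc/wireguard/$wgif.conf"
    run ip -n "$ns" addr add "$addr" dev "$wgif"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "$wgif" up
    run ip -n "$ns" route add default dev "$wgif"
}

# Step 4: launch a program inside a namespace. ip netns exec needs root,
# so the program is dropped back to the unprivileged user; anything not
# started this way (desktop environment, stray launches) stays offline.
launch_in_ns() {
    ns="$1"; user="$2"; shift 2
    run ip netns exec "$ns" sudo -u "$user" "$@"
}

setup_all() {
    lockdown_default_ns
    create_physical_ns physical eth0
    create_vpn_ns vpn physical wg0 10.0.0.2/24
}

# Only apply when explicitly asked; otherwise just define the functions,
# e.g. for: . ./netns-setup.sh; launch_in_ns vpn alice firefox
if [ "${1:-}" = "apply" ]; then
    setup_all
fi
```

The interesting part is step 3: WireGuard remembers the namespace its socket was created in, so after the move the encrypted packets still leave through `eth0` in "physical" while the "vpn" namespace has no route except `wg0`. If the tunnel goes down, programs in that namespace lose connectivity rather than falling back to the plain NIC, which is exactly the fail-closed behaviour the comment is after.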

opensnitch does this
Are you sure? Because last I checked OpenSnitch used different techniques from namespaces, that seemed more brittle to me.
I was referring to "request user permission interactively and adjust access accordingly"... it can do that. It uses eBPF though