How to configure UFW on a per application basis

For questions regarding system and application security
LinuxSpring1
Posts: 274
Joined: Sun May 05, 2024 8:57 am

How to configure UFW on a per application basis

#1 Post by LinuxSpring1 »

I am running MX Linux 23.3 with Kernel 6.1.0-25-amd64 and KDE plasma. UFW is running and configured. I want to change the UFW policy such that
Incoming = Ignore
Outgoing = Deny

and then on a per-application basis update the firewall rules to allow connections to the internet. For example, give the Firefox and Thunderbird binaries access to the internet but not python. Give dpkg/apt/aptitude access to the internet but not Kwrite or SSH or telnet.

Is this possible with UFW? If yes can you please give some pointers? And if no then what is the alternative that can be used?

Eadwine Rose
Administrator
Posts: 14879
Joined: Wed Jul 12, 2006 2:10 am

Re: How to configure UFW on a per application basis

#2 Post by Eadwine Rose »

With all help requests, as per forum rules (which, if you haven't, please read), please share your full Quick System Info, do not edit.
If need be, you can do this with the LiveUSB, thanks.
MX-23.6_x64 July 31 2023 * 6.1.0-37amd64 ext4 Xfce 4.20.0 * 8-core AMD Ryzen 7 2700
Asus TUF B450-Plus Gaming UEFI * Asus GTX 1050 Ti Nvidia 535.247.01 * 2x16Gb DDR4 2666 Kingston HyperX Predator
Samsung 870EVO * Samsung S24D330 & P2250 * HP Envy 5030

DukeComposed
Posts: 1450
Joined: Thu Mar 16, 2023 1:57 pm

Re: How to configure UFW on a per application basis

#3 Post by DukeComposed »

LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am Is this possible with UFW? If yes can you please give some pointers? And if no then what is the alternative that can be used?
There is already an existing thread that discussed this recently.

fehlix
Developer
Posts: 12741
Joined: Wed Apr 11, 2018 5:09 pm

Re: How to configure UFW on a per application basis

#4 Post by fehlix »

LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am Is this possible with UFW? If yes can you please give some pointers?
No. UFW is just a helper to set iptables (nftables) rules that tell the kernel's packet filter what to apply. No app is identified by those rules.
LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am And if no then what is the alternative that can be used?
Use SELinux or AppArmor to let the kernel restrict send/receive calls based on AppArmor profiles. And on top, add process namespace restrictions to create a higher-security system, where user and network namespaces are in isolation.
All this is not set up in MX Linux, as the assumption is made that most MX Linux users may not deal with sensitive, confidential, or critical data where a high-security system is to be considered.

LinuxSpring1
Posts: 274
Joined: Sun May 05, 2024 8:57 am

Re: How to configure UFW on a per application basis

#5 Post by LinuxSpring1 »

DukeComposed wrote: Thu Sep 19, 2024 3:18 am
LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am Is this possible with UFW? If yes can you please give some pointers? And if no then what is the alternative that can be used?
There is already an existing thread that discussed this recently.
Thanks @DukeComposed. When I had searched for UFW yesterday this post did not come up.
fehlix wrote: Thu Sep 19, 2024 6:14 am
LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am Is this possible with UFW? If yes can you please give some pointers?
No. UFW is just a helper to set iptables (nftables) rules that tell the kernel's packet filter what to apply. No app is identified by those rules.
Thanks for the clarification.
fehlix wrote: Thu Sep 19, 2024 6:14 am
LinuxSpring1 wrote: Thu Sep 19, 2024 2:31 am And if no then what is the alternative that can be used?
Use SELinux or AppArmor to let the kernel restrict send/receive calls based on AppArmor profiles. And on top, add process namespace restrictions to create a higher-security system, where user and network namespaces are in isolation.
All this is not set up in MX Linux, as the assumption is made that most MX Linux users may not deal with sensitive, confidential, or critical data where a high-security system is to be considered.
@fehlix so using AppArmor profiles, network calls can be restricted? But what happens if an application is started without an AppArmor call? Or if a background service were to try to use the network?

fehlix
Developer
Posts: 12741
Joined: Wed Apr 11, 2018 5:09 pm

Re: How to configure UFW on a per application basis

#6 Post by fehlix »

LinuxSpring1 wrote: Fri Sep 20, 2024 2:11 am @fehlix so using AppArmor profiles network calls can be restricted ? But what happens if an application is started without a AppArmor call ? Or a background service were to try to use the network?
Not sure I understand. This topic is about how to restrict/protect network access of an app. The answer was given to point to ways to achieve this. Now you ask something like: if you don't prepare the protection, e.g. with AppArmor, whether AppArmor protection is still applied.
No, you can simply bypass the protection by AppArmor, either by turning AppArmor off or by not setting up an AppArmor profile for a specific executable. It's the responsibility of the admin of your system to set up protective rules, as a combination of firewall rules and application-level rules. I suggest reading and learning about it, and providing some howtos; the community will benefit from your experiences.
Thanks
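AppArmor is the enforcement path fehlix points at. As an added example, not code from this thread or from the AppArmor project, here is a small POSIX shell script that generates a per-binary profile whose only network rule is `deny network,`, writes it to /etc/apparmor.d and loads it with apparmor_parser. The binary path is whatever you pass in; the file rules inside the profile are a broad starting point you would tighten for a real deployment, and /usr/bin/python3.11 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): generate, install and load
# a minimal AppArmor profile that denies all network access to one binary.
# Assumes AppArmor is enabled in the running kernel and apparmor_parser is installed.
# 'install' needs root; 'show' only prints the profile.

# Profile file name under /etc/apparmor.d, derived from the path the way the AppArmor
# tools do it: leading slash dropped, remaining slashes replaced by dots.
profile_name() {
    printf '%s\n' "$1" | sed 's|^/||; s|/|.|g'
}

# Print a profile for the absolute binary path in $1. The file rules are deliberately
# broad so the program still runs; the point is the single 'deny network,' line, which
# makes socket creation and connect/bind fail with a permission error for every family.
make_profile() {
    bin="$1"
    cat <<EOF
# deny-network profile for $bin (generated by an added example script)
abi <abi/3.0>,
include <tunables/global>

$bin {
  include <abstractions/base>

  deny network,

  $bin mr,
  /usr/lib/** mr,
  /usr/share/** r,
  /etc/** r,
  owner @{HOME}/** rw,
}
EOF
}

# Write the profile and load it into the kernel in enforce mode. -r replaces an already
# loaded copy, so this is safe to re-run after editing the file rules.
install_profile() {
    dest="/etc/apparmor.d/$(profile_name "$1")"
    make_profile "$1" > "$dest"
    apparmor_parser -r "$dest"
    echo "loaded $dest; denials will show as apparmor=\"DENIED\" lines in 'journalctl -k'"
}

# Only absolute paths are accepted, because AppArmor attaches profiles by executable path.
case "${1:-}:${2:-}" in
    show:/*)    make_profile "$2" ;;
    install:/*) install_profile "$2" ;;
    *)          echo "usage: $0 show|install /absolute/path/to/binary  (e.g. /usr/bin/python3.11)" ;;
esac
```

Because a loaded profile attaches when the kernel execs that exact path, it also covers the same binary started by a background service or from a script, which is the practical answer to the question above; it does not cover a copy of the interpreter at another path, and it does nothing if the profile is never loaded. When a confined program stops working, the apparmor="DENIED" lines in the kernel log say which rule was missing.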

davidy
Posts: 818
Joined: Sat Jul 03, 2021 1:59 pm

Re: How to configure UFW on a per application basis

#7 Post by davidy »

Here's a nice webpage for application blocking using ufw and Ubuntu.
https://super-unix.com/ubuntu/ubuntu-ho ... plication/
You could create a "no-internet" group first and then add rules in ufw by running that process in that group with:


sg no-internet -c "processFullPath args"   # run the program with no-internet as its primary group


sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic
I use opensnitch which is actually pretty good at doing all that without using cmd line arguments. It can let you specify what app and what network interface to block, or just a single host or IP.
The OP should understand that ufw is an IP address/host/port manipulation application. It does not do executables. I only found that out by reading that webpage.
Sys76 LemurPro-mx-23.4, EliteMinis HM90-mx-21.3, Deskmini UM350-phoenixLite win10, Qnap 12tb nas, Protectli FW4C-opnsense(=゜ω゜)

zero privacy = zero security . All MX'd Up
UAP = up above people
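The group trick davidy links to, written out end to end as an added POSIX shell script (not code from this thread, from ufw or from the linked page): it creates the group, inserts the owner-match DROP rule in both iptables and ip6tables only if it is not already there, and launches a program under that group with sg. The group name no-internet and the curl check against example.com are placeholders. It goes slightly beyond the posted two rules by exempting loopback and by checking with -C before inserting, so re-running setup does not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the thread, from ufw or from the linked page: block
# outbound traffic for every process whose primary group is GROUP, using the iptables
# owner match, and launch programs under that group with sg(1).
# Assumes iptables/ip6tables with the xt_owner match and root (sudo) for 'setup'.
# "no-internet" is a constructed placeholder group name.

GROUP="${GROUP:-no-internet}"

# Rule body shared by -C (check) and -I (insert). Loopback is exempted so that local
# services (a DNS cache, a local proxy you deliberately allow) keep working.
drop_rule_args() {
    echo "OUTPUT ! -o lo -m owner --gid-owner $1 -j DROP"
}

# Insert the rule at the top of OUTPUT only if it is not already present.
# $1 = iptables or ip6tables, $2 = group name.
ensure_drop_rule() {
    rule=$(drop_rule_args "$2")
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    if "$1" -C $rule 2>/dev/null; then
        echo "$1: rule for group $2 already present"
    else
        "$1" -I $rule
        echo "$1: inserted DROP for group $2"
    fi
}

setup() {
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    ensure_drop_rule iptables "$GROUP"
    ensure_drop_rule ip6tables "$GROUP"
    # Rules inserted this way sit outside ufw's own rule set and are lost on
    # 'ufw reload' or reboot; to keep them, put them in /etc/ufw/before.rules instead.
}

# Run a program with GROUP as its primary group. The kernel matches the owning GID of
# every socket the process (and its children) opens, so the whole process tree is covered.
# sg asks for the group password unless the caller is a member of GROUP or root.
run_blocked() {
    sg "$GROUP" -c "$*"
}

# Verify: a connect attempt from inside the group must fail.
check() {
    if run_blocked "curl -s --max-time 5 -o /dev/null https://example.com"; then
        echo "FAIL: group $GROUP could reach the network"
        return 1
    fi
    echo "OK: group $GROUP cannot reach the network"
}

case "${1:-}" in
    setup) setup ;;
    run)   shift; run_blocked "$@" ;;
    check) check ;;
    *)     echo "usage: $0 setup | run <program> [args] | check" ;;
esac
```

Worth keeping in mind: the owner match only sees the primary GID the launcher chose, so this is a convenience for a cooperating user and not a boundary against someone who simply starts the program without sg; a loaded AppArmor profile, which attaches by executable path, is the enforcing alternative.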

LinuxSpring1
Posts: 274
Joined: Sun May 05, 2024 8:57 am

Re: How to configure UFW on a per application basis

#8 Post by LinuxSpring1 »

davidy wrote: Thu Oct 03, 2024 3:15 am Here's a nice webpage for application blocking using ufw and Ubuntu.
https://super-unix.com/ubuntu/ubuntu-ho ... plication/
You could create a "no-internet" group first and then add rules in ufw by running that process in that group with:


sg no-internet -c "processFullPath args"   # run the program with no-internet as its primary group


sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic
I use opensnitch which is actually pretty good at doing all that without using cmd line arguments. It can let you specify what app and what network interface to block, or just a single host or IP.
The OP should understand that ufw is an IP address/host/port manipulation application. It does not do executables. I only found that out by reading that webpage.
This is an intriguing solution, using groups and iptables to block access. But it can be easily bypassed if the sg command is used with some other group. This approach is a bit dated, being proposed in 2008/9, and even then there were people who had issues with it. Will evaluate OpenSnitch and use that. That seems to be a much more appropriate solution.

However using AppArmor to block the access to internet now that is worthy of being explored. Thanks for that.

davidy
Posts: 818
Joined: Sat Jul 03, 2021 1:59 pm

Re: How to configure UFW on a per application basis

#9 Post by davidy »

Yeah, I really wish we had easier options such as in Windows. I tried Portmaster (https://safing.io/) but I could not get the daemon to run, so the GUI never worked. I think it has something to do with sysvinit, not sure. When I did get the Portmaster GUI to work it seemed overly complicated and a bit hard to figure out how to simply block an app from connecting, which was irritating.
