Set so Even ET Can't Phone Home


#1

Just on general paranoia, is there a way to:

  1. Keep an app or all apps from phoning home via the internet
  2. Keep apps running in Wine from phoning home
  3. Shut down all internet (cf. “Airplane” mode)

I’ve seen various discussions of varying degrees of complexity but, based on the latest stable release, what’s the bottom line?

Thanks
J.


#2

A. GUI
ControlPanel SystemManagement Firewall

B. TUI
% sudo ipfw show
Look at it. Deny everything.

C. Activate Total ParentalControl on HomeRouter.


#3

Thanks !!

J.


#4

By default the firewall setting only blocks incoming connections - it will not stop outgoing connections/messages such as “phone-home” routines in applications. If you want to stop those within the firewall, you will need to adjust the rules to deny a lot more outgoing stuff too.

/etc/ipfw.rules

#!/bin/sh
# To re-apply rules, you can run "sh /etc/ipfw.rules"
# After loading, "ipfw -a list" shows a packet/byte counter next to each rule.

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# No restrictions on loopback
####################################################################
$cmd 00020 allow all from any to any via lo0
####################################################################

# Check the state of packets
####################################################################
$cmd 01000 check-state
$cmd 01050 allow tcp from any to any established
# "established" is a TCP-only option in ipfw, so the udp rule below never
# matches; UDP replies are admitted by check-state via the keep-state rules.
$cmd 01100 allow udp from any to any established
####################################################################

# Allow all outgoing packets (this is the rule that lets phone-home traffic out)
####################################################################
$cmd 02000 allow ip from any to any out keep-state
$cmd 02050 allow ip6 from any to any out keep-state
$cmd 02100 allow ipv6-icmp from any to any keep-state
$cmd 02150 allow icmp from any to any keep-state
####################################################################

# Allow specific ports IN now
# Add items to /etc/ipfw.openports in the format
# {tcp|udp} <portnum>
####################################################################
nextnum=10000
if [ -e "/etc/ipfw.openports" ] ; then
  # read -r keeps backslashes literal; blank lines and '#' comments are skipped
  while read -r proto port _rest
  do
    case "$proto" in ''|'#'*) continue ;; esac
    if [ -z "$port" ] ; then continue ; fi
    $cmd "$nextnum" allow "$proto" from any to any "$port" in keep-state
    nextnum=$((nextnum + 1))
  done < /etc/ipfw.openports
fi
####################################################################

# Allow specific IPs incoming traffic now (Used for jails mainly)
# Add items to /etc/ipfw.openip in the format
# {ip4|ip6} <ip>
####################################################################
nextnum=20000
if [ -e "/etc/ipfw.openip" ] ; then
  while read -r proto ip _rest
  do
    case "$proto" in ''|'#'*) continue ;; esac
    if [ -z "$ip" ] ; then continue ; fi
    $cmd "$nextnum" allow "$proto" from any to "$ip" in keep-state
    nextnum=$((nextnum + 1))
  done < /etc/ipfw.openip
fi
####################################################################


# Deny all other incoming troublemakers
# (outgoing traffic was already allowed at 02000, so in practice this only
# hits inbound packets; ipfw is first match wins)
####################################################################
$cmd 64000 deny log all from any to any
####################################################################

# Check for user custom rules
if [ -e "/etc/ipfw.custom" ] ; then
  sh /etc/ipfw.custom
fi
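The script above lets every outgoing packet through at rule 02000, which is exactly why a phone-home routine gets out. What follows is an added example written for this page, not the thread's or the TrueOS project's own script: the default-deny-outbound variant of that ruleset. Only the destination ports in an allowlist may leave the box, and everything sent by one local user is dropped before the allowlist is consulted, so running Wine programs under a dedicated account is one way to answer question 2. The rule numbers, the sample allowlist, the file name and the user name "wine" are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the TrueOS/PC-BSD project): generate and
# load a default-deny OUTBOUND ipfw ruleset.  Rule numbers, the allowlist and the
# user name are illustrative assumptions; adjust them to your own system.

# Allowlist, one "{tcp|udp} <dst-port>" per line; '#' lines are comments.
# Constructed sample: DNS, NTP and web.  Without port 53 nothing resolves.
SAMPLE_ALLOW='# proto port
tcp 53
udp 53
udp 123
tcp 80
tcp 443'

# gen_rules ALLOWLIST [DENY_UID]
# Prints complete "ipfw -q add" commands, lowest rule number first.  ipfw is
# first match wins, so the order is: loopback, stateful replies, the per-user
# deny, allowlisted outbound, then deny+log every other outbound and inbound
# packet.  Malformed allowlist entries are reported on stderr and skipped.
gen_rules() {
    allow=$1
    denyuid=${2:-}
    echo 'ipfw -q add 00020 allow ip from any to any via lo0'
    echo 'ipfw -q add 01000 check-state'
    # Anything running as $denyuid (e.g. the account Wine apps run under)
    # cannot open an outbound flow at all; the 'log' keyword records attempts.
    if [ -n "$denyuid" ]; then
        echo "ipfw -q add 01500 deny log ip from any to any out uid $denyuid"
    fi
    n=2000
    printf '%s\n' "$allow" | while read -r proto port; do
        case $proto in ''|'#'*) continue ;; esac
        case $proto in
            tcp|udp) ;;
            *) echo "gen_rules: bad proto '$proto'" >&2; continue ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; continue ;;
        esac
        printf 'ipfw -q add %05d allow %s from any to any %s out keep-state\n' \
            "$n" "$proto" "$port"
        n=$((n + 1))
    done
    # Everything not allowlisted is dropped and logged; the counters on these
    # two rules are where a phone-home attempt shows up.
    echo 'ipfw -q add 60000 deny log ip from any to any out'
    echo 'ipfw -q add 64000 deny log ip from any to any'
}

# apply_rules ALLOWLIST [DENY_UID]
# Flushes the live ruleset and loads the generated one (needs root and ipfw).
# With DRYRUN=1 it only prints the commands instead of running them.
apply_rules() {
    rules=$(gen_rules "$@")
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    ipfw -q -f flush && printf '%s\n' "$rules" | sh
}

# Usage:  sh ipfw-default-deny.sh preview   (print the ruleset)
#         sh ipfw-default-deny.sh apply     (as root: flush and load it)
case ${1:-} in
    preview) DRYRUN=1; apply_rules "$SAMPLE_ALLOW" wine ;;
    apply)   apply_rules "$SAMPLE_ALLOW" wine ;;
esac
```

After loading, `ipfw -a list` shows a hit counter per rule: a rising count on rule 60000 means something tried to leave on a port you did not allow, and with `sysctl net.inet.ip.fw.verbose=1` the `log` rules record the destination in /var/log/security (the default syslog target for the security facility), which is a cheaper first look than Wireshark. Two caveats: allowing 443 to any host still lets an updater phone home over HTTPS, so per-host or per-user rules are what give you real control; and ipfw's `uid` match applies to TCP and UDP packets of local processes, not to raw or forwarded traffic.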

#5

I’ve always found firewall rules discussions interesting. Your starting position is more important than some folks think.
Are you a “default deny” or a “default allow” person? I’m “default deny” even on outbound traffic (starting from that makes pf rules easy to write). In a home network, default deny may make it a little tougher because you have to go turn things on (your only clue is spouse or kids saying something is broken) but you wind up not needing a whole lot for normal every day stuff (about a dozen between UDP and TCP ports). You also know exactly what’s on your network and you can prevent leaking things out your broadband. If you do change to default deny, make sure you understand how the tool performs matching: first match wins or last match wins. pf is last match wins (unless there’s a quick on a previous rule), I believe that ipfw is first match wins.


#6

I just wish it was like Fedora Linux where you go to network manager and select “Airplane Mode” or whatever it’s called and all Internet activity is shut off.

I have no idea what ipfw rules are but suggest that if TrueOS is ever to get up there with a large usage base like Macs, they need to automate this kind of stuff.

After Snowden (may the maker bless him and his bold moves, risking all to let us know the full extent of the constitutional evasions, betrayals and rationalizations for …“security” by our …“Intelligence” (pause for laughter here) agencies), one cannot be too careful about appointing oneself master of what information is sent out there rather than letting some software company or “social” media billionaire (hint: he makes money off of your personal life, friends, interests and comments by collecting and selling them to interested parties or governments).

There was a tool in OSX, which worked up to Yosemite, called TCPBlock. This handy app allowed you to select apps and shut off phoning home with a simple mouse click. I haven’t figured out if you can also use it to block Wine apps.

I suppose one must learn to use something like Wireshark to be really sure of what’s coming in … and going out of one’s internet connection.

Sorry for the long-winded pontification, but this is really an important thing, about which I think the industry has lulled us all into a false sense of unimportance when it is really quite important.

“Default deny” seems like a very wise idea these days.

Now back to my herbal book writing.


#7

The firewall rules are really only used for modifying an “active” network configuration. If you want something like “airplane mode” that is basically just turning off the network (sudo service network stop). That will put you in a “no-connection” mode until you turn it back on later.

The reason we don’t ship a default-deny-all ruleset is because that will essentially result in a non-network-functional system out-of-box (even web browsers won’t work) until you manually go through and start opening outgoing ports. While this is great from a security perspective, it is not so good from a usability perspective and requires a competent system administrator to set up your networking rules before the system is usable.


#8

In the BottomPanel’s TrayArea, You can easily “Disable this network device”.


#9

Yep, I know it’s not for the faint of heart; it’s more about seeing people with a default allow who never turn off stuff they don’t need, so they leave a vector in place. Of course the default installed rules can always be “default deny, enable outbound http, https, smtp, ntp…” :slight_smile: I have no problem with the choice the project has taken, it’s the right one for a consumer. I can always change it locally on my systems so it’s not hurting me.

service network stop: does that bring down just the physical interfaces, leaving localhost available for internal processing or does it bring down that too?


#10

Well it’s overkill but still good to know, many thanks !

I mentioned “Airplane” mode only to emphasize how easy these sort of things can be if some gui is set up to provide for the capability.

In the case of Wine, the emulation process may create subprograms which themselves may communicate with the internet even if the main program doesn’t (DLLs etc.), so if the process there was complicated it would be no surprise. Anyway, not a high priority, I’m just tired of software regarding my privacy as within their purview, control or “domain”. And NO I don’t want any updates dear Adobe, GET LOST (on Mac I can’t get rid of the damn updater)!!!

J.


#11

“Here, have a nice cup of chamomile tea. It will help soothe you”. :slight_smile:


#12

@mer :
I just tested out the “service network restart” on my laptop and it completely stops/removes all network interfaces except the loopback device. This does prevent pings to “localhost” and such from working, so perhaps simply setting the devices to “down” (ifconfig [device] down) will work a bit better as an airplane mode alternative.
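The “ifconfig [device] down” alternative mentioned above, worked out as an added example (mine, not code from the thread or from the TrueOS/SysAdm project): bring every interface that is currently up down except loopback, so localhost keeps working, and remember which ones were touched so a single command restores them. It assumes the FreeBSD `ifconfig -lu` form for listing interfaces that are up and a state file path of its own choosing; both the path and the `IFACES_UP`/`IFCMD` override hooks are assumptions made so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread or the TrueOS/SysAdm project): a manual
# "airplane mode" toggle.  Interfaces other than loopback are brought down and
# recorded, then brought back up from the record.  The state file path is an
# assumption; IFACES_UP and IFCMD exist only so the logic can run without root.

# up_ifaces: print the names of interfaces that are currently UP, one per line.
# IFACES_UP (space separated) overrides the live "ifconfig -lu" lookup.
up_ifaces() {
    if [ -n "${IFACES_UP:-}" ]; then
        printf '%s\n' $IFACES_UP      # intentionally unquoted: split on spaces
    else
        ifconfig -lu | tr ' ' '\n'
    fi
}

# airplane_targets: the UP interfaces minus loopback (lo0, lo1, ...), so that
# localhost traffic keeps working while everything else is cut off.
airplane_targets() {
    up_ifaces | while read -r ifn; do
        case $ifn in ''|lo[0-9]*) ;; *) printf '%s\n' "$ifn" ;; esac
    done
}

# airplane_on: record the targets in the state file, then bring each one down.
# IFCMD (default ifconfig) can be replaced, e.g. with "echo", for a dry run.
airplane_on() {
    state=${AIRPLANE_STATE:-/var/run/airplane.ifaces}
    ifcmd=${IFCMD:-ifconfig}
    airplane_targets > "$state" || return 1
    while read -r ifn; do
        "$ifcmd" "$ifn" down
    done < "$state"
}

# airplane_off: bring back exactly the interfaces airplane_on took down, then
# drop the record.  Fails loudly if airplane_on was never run.
airplane_off() {
    state=${AIRPLANE_STATE:-/var/run/airplane.ifaces}
    ifcmd=${IFCMD:-ifconfig}
    if [ ! -r "$state" ]; then
        echo "airplane_off: no interfaces recorded in $state" >&2
        return 1
    fi
    while read -r ifn; do
        "$ifcmd" "$ifn" up
    done < "$state"
    rm -f "$state"
}

# Usage:  sh airplane.sh on | off   (as root)
case ${1:-} in
    on)  airplane_on ;;
    off) airplane_off ;;
esac
```

Note that this only severs connectivity; programs that were phoning home keep trying and simply fail, and the firewall rules are untouched, so the two approaches complement each other rather than replace one another.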


#13

Thanks; I wondered if that would be the case. Perhaps a new “airplane mode” button in sysadm-client could do them all at once.


#14

Yeah, definitely a good area to streamline the process.
Please open a feature request ticket about it on the SysAdm repo and I will try to get that worked in the next time I get a moment.


#15

Done. Issue #32.


#16

Chamomile ? Ha ha ha ! GOOD idea !

J :slight_smile:


#17

I don’t know if you’ve run across these before, there may be some old folk lore of interest.