Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to
LinuxQuestions.org , a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free.
Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please
contact us . If you need to reset your password,
click here .
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a
virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month.
Click here for more info.
08-14-2023, 04:24 PM
#1
Member
Registered: Oct 2003
Location: Canada
Posts: 923
Rep:
What options are available to me if i want to take full control of network activity on my NIC?
To explain in more detail, I am imagining a GUI (or system tray icon), that flashes every time, any time, a new application tries to make a network connection and it will prompt me to permit it this time or every time from there on.
Waaaay back in the day I remember having a firewall on Windows called Zone Alarm that did this and I have been craving that kind of simple awareness every since.
Does such a thing exist in linux land? Tips in the right direction greatly appreciated.
Thanks LQ!
08-14-2023, 04:53 PM
#2
Senior Member
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,616
1 members found this post helpful.
08-15-2023, 02:24 PM
#3
Member
Registered: Oct 2003
Location: Canada
Posts: 923
Original Poster
Rep:
Looks like OpenSnitch is really all that is available.
I'll give it a go. Thank you.
08-15-2023, 05:43 PM
#4
Senior Member
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,616
As I wrote, I do not consider OpenSnitch a viable option. I cannot trust it and I must be able to trust security software.
08-15-2023, 10:06 PM
#5
LQ Guru
Registered: Oct 2004
Distribution: Arch
Posts: 5,146
My 2 cents.
Interesting. I wanted to see that work. You'll need python bindings for that if you use python.
Code:
pacman -S libnetfilter_queue
I compiled a little bit of C for my test.
netfil.c
Code:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/types.h>
#include <linux/netfilter/nfnetlink_queue.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
static struct mnl_socket *nl;
static void
nfq_send_verdict(int queue_num, uint32_t id) {
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
struct nlattr *nest;
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);
nest = mnl_attr_nest_start(nlh, NFQA_CT);
mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
mnl_attr_nest_end(nlh, nest);
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
}
static int queue_cb(const struct nlmsghdr *nlh, void *data) {
struct nfqnl_msg_packet_hdr *ph = NULL;
struct nlattr *attr[NFQA_MAX+1] = {};
uint32_t id = 0, skbinfo;
struct nfgenmsg *nfg;
uint16_t plen;
if (nfq_nlmsg_parse(nlh, attr) < 0) {
perror("problems parsing");
return MNL_CB_ERROR;
}
nfg = mnl_nlmsg_get_payload(nlh);
if (attr[NFQA_PACKET_HDR] == NULL) {
fputs("metaheader not set\n", stderr);
return MNL_CB_ERROR;
}
ph = mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);
plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);
skbinfo = attr[NFQA_SKB_INFO] ? ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO])) : 0;
if (attr[NFQA_CAP_LEN]) {
uint32_t orig_len = ntohl(mnl_attr_get_u32(attr[NFQA_CAP_LEN]));
if (orig_len != plen)
printf("truncated ");
}
if (skbinfo & NFQA_SKB_GSO)
printf("GSO ");
id = ntohl(ph->packet_id);
printf("packet received (id=%u hw=0x%04x hook=%u, payload len %u",
id, ntohs(ph->hw_protocol), ph->hook, plen);
if (attr[NFQA_HWADDR]) {
struct nfqnl_msg_packet_hw *hw = mnl_attr_get_payload(attr[NFQA_HWADDR]);
unsigned int hwlen = ntohs(hw->hw_addrlen);
const unsigned char *addr = hw->hw_addr;
unsigned int i;
printf(", hwaddr %02x", addr[0]);
for (i = 1; i < hwlen; i++) {
if (i >= sizeof(hw->hw_addr)) {
printf("[truncated]");
break;
}
printf(":%02x", (unsigned char)addr[i]);
}
printf(" len %u", hwlen);
}
if (skbinfo & NFQA_SKB_CSUMNOTREADY)
printf(", checksum not ready");
puts(")");
nfq_send_verdict(ntohs(nfg->res_id), id);
return MNL_CB_OK;
}
int main(int argc, char *argv[])
{
char *buf;
size_t sizeof_buf = 0xffff + (MNL_SOCKET_BUFFER_SIZE/2);
struct nlmsghdr *nlh;
int ret;
unsigned int portid, queue_num;
if (argc != 2) {
printf("Usage: %s [queue_num]\n", argv[0]);
exit(EXIT_FAILURE);
}
queue_num = atoi(argv[1]);
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
perror("mnl_socket_open");
exit(EXIT_FAILURE);
}
if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
perror("mnl_socket_bind");
exit(EXIT_FAILURE);
}
portid = mnl_socket_get_portid(nl);
buf = malloc(sizeof_buf);
if (!buf) {
perror("allocate receive buffer");
exit(EXIT_FAILURE);
}
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
ret = 1;
mnl_socket_setsockopt(nl, NETLINK_NO_ENOBUFS, &ret, sizeof(int));
for (;;) {
ret = mnl_socket_recvfrom(nl, buf, sizeof_buf);
if (ret == -1) {
perror("mnl_socket_recvfrom");
exit(EXIT_FAILURE);
}
ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);
if (ret < 0){
perror("mnl_cb_run");
exit(EXIT_FAILURE);
}
}
mnl_socket_close(nl);
return 0;
}
//Compile
//gcc netfil.c -g3 -ggdb -Wall -lmnl -lnetfilter_queue -o nfil
I made an iptables rule to give it packets.(Use your own interface)
Code:
iptables -A INPUT -i enp2s0 -j NFQUEUE --queue-num 0
You can cancel that with.
Code:
iptables -D INPUT -i enp2s0 -j NFQUEUE --queue-num 0
And that I ran with
Pinged google and was able to catch packets.
08-16-2023, 12:18 AM
#6
Member
Registered: Oct 2003
Location: Canada
Posts: 923
Original Poster
Rep:
Quote:
Originally Posted by
boughtonp
As I wrote, I do not consider OpenSnitch a viable option. I cannot trust it and I must be able to trust security software.
Please elaborate on why you don't trust it?
08-16-2023, 10:28 AM
#7
Senior Member
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,616
If I'm using security software I want developers who know what they're doing, can demonstrate understanding, transparency, and have a basic level of competence.
From looking at recent issues, commit history, and the source code, I found numerous problems with all of those.
I started explaining in more details but it was taking too long, and right now I need to focus my time on other things.
1 members found this post helpful.
08-16-2023, 11:25 AM
#8
Member
Registered: Oct 2003
Location: Canada
Posts: 923
Original Poster
Rep:
Quote:
Originally Posted by
boughtonp
If I'm using security software I want developers who know what they're doing, can demonstrate understanding, transparency, and have a basic level of competence.
From looking at recent issues, commit history, and the source code, I found numerous problems with all of those.
I started explaining in more details but it was taking too long, and right now I need to focus my time on other things.
Understood.
08-16-2023, 11:26 AM
#9
Member
Registered: Oct 2003
Location: Canada
Posts: 923
Original Poster
Rep:
Quote:
Originally Posted by
teckk
My 2 cents.
Interesting. I wanted to see that work. You'll need python bindings for that if you use python.
Code:
pacman -S libnetfilter_queue
I compiled a little bit of C for my test.
netfil.c
Code:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/types.h>
#include <linux/netfilter/nfnetlink_queue.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
static struct mnl_socket *nl;
static void
nfq_send_verdict(int queue_num, uint32_t id) {
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
struct nlattr *nest;
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);
nest = mnl_attr_nest_start(nlh, NFQA_CT);
mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
mnl_attr_nest_end(nlh, nest);
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
}
static int queue_cb(const struct nlmsghdr *nlh, void *data) {
struct nfqnl_msg_packet_hdr *ph = NULL;
struct nlattr *attr[NFQA_MAX+1] = {};
uint32_t id = 0, skbinfo;
struct nfgenmsg *nfg;
uint16_t plen;
if (nfq_nlmsg_parse(nlh, attr) < 0) {
perror("problems parsing");
return MNL_CB_ERROR;
}
nfg = mnl_nlmsg_get_payload(nlh);
if (attr[NFQA_PACKET_HDR] == NULL) {
fputs("metaheader not set\n", stderr);
return MNL_CB_ERROR;
}
ph = mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);
plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);
skbinfo = attr[NFQA_SKB_INFO] ? ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO])) : 0;
if (attr[NFQA_CAP_LEN]) {
uint32_t orig_len = ntohl(mnl_attr_get_u32(attr[NFQA_CAP_LEN]));
if (orig_len != plen)
printf("truncated ");
}
if (skbinfo & NFQA_SKB_GSO)
printf("GSO ");
id = ntohl(ph->packet_id);
printf("packet received (id=%u hw=0x%04x hook=%u, payload len %u",
id, ntohs(ph->hw_protocol), ph->hook, plen);
if (attr[NFQA_HWADDR]) {
struct nfqnl_msg_packet_hw *hw = mnl_attr_get_payload(attr[NFQA_HWADDR]);
unsigned int hwlen = ntohs(hw->hw_addrlen);
const unsigned char *addr = hw->hw_addr;
unsigned int i;
printf(", hwaddr %02x", addr[0]);
for (i = 1; i < hwlen; i++) {
if (i >= sizeof(hw->hw_addr)) {
printf("[truncated]");
break;
}
printf(":%02x", (unsigned char)addr[i]);
}
printf(" len %u", hwlen);
}
if (skbinfo & NFQA_SKB_CSUMNOTREADY)
printf(", checksum not ready");
puts(")");
nfq_send_verdict(ntohs(nfg->res_id), id);
return MNL_CB_OK;
}
int main(int argc, char *argv[])
{
char *buf;
size_t sizeof_buf = 0xffff + (MNL_SOCKET_BUFFER_SIZE/2);
struct nlmsghdr *nlh;
int ret;
unsigned int portid, queue_num;
if (argc != 2) {
printf("Usage: %s [queue_num]\n", argv[0]);
exit(EXIT_FAILURE);
}
queue_num = atoi(argv[1]);
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
perror("mnl_socket_open");
exit(EXIT_FAILURE);
}
if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
perror("mnl_socket_bind");
exit(EXIT_FAILURE);
}
portid = mnl_socket_get_portid(nl);
buf = malloc(sizeof_buf);
if (!buf) {
perror("allocate receive buffer");
exit(EXIT_FAILURE);
}
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}
ret = 1;
mnl_socket_setsockopt(nl, NETLINK_NO_ENOBUFS, &ret, sizeof(int));
for (;;) {
ret = mnl_socket_recvfrom(nl, buf, sizeof_buf);
if (ret == -1) {
perror("mnl_socket_recvfrom");
exit(EXIT_FAILURE);
}
ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);
if (ret < 0){
perror("mnl_cb_run");
exit(EXIT_FAILURE);
}
}
mnl_socket_close(nl);
return 0;
}
//Compile
//gcc netfil.c -g3 -ggdb -Wall -lmnl -lnetfilter_queue -o nfil
I made an iptables rule to give it packets.(Use your own interface)
Code:
iptables -A INPUT -i enp2s0 -j NFQUEUE --queue-num 0
You can cancel that with.
Code:
iptables -D INPUT -i enp2s0 -j NFQUEUE --queue-num 0
And that I ran with
Pinged google and was able to catch packets.
That is well beyond me but very inspiring. I really need to learn more.
All times are GMT -5. The time now is 07:23 PM .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know .
Latest Threads
LQ News