
I want to block access to the Internet for all apps and process on my machine except for ones specifically allowed. I used to achieve this with Firewall when I was using Windows. I have a very tight data plan (3rd world country problems) so I have to watch which apps use the Internet. How can I achieve this in Ubuntu 16.04 LTS?

Edit: Most of the answers I found here are either about blocking certain sites or blocking a certain app rather than blocking the entire app list and allowing only a handful apps.

tamrat
  • 253

1 Answer

0

This might not be as easy as you might want; firewalls can be a tricky topic. A widely used Linux firewall is 'ufw', which is part of the standard install. There is a graphical interface called 'gufw' which has an easy setting mode for getting started quickly, but also allows you to fine-tune rules in the graphical application. Just install it with the line

sudo apt install gufw

However, please note that all Linux firewalls I am aware of are based on ports, not on applications. Actually the firewall only sees network traffic going in or going out, but I can not tell which application sent that traffic. All applications send their traffic to a certain port, e.g. port 80 for standard HTTP traffic. You can very finely tune what happens to your traffic based on ports and it can get complicated very quickly (for example with FTP), but you can not say, for example, Firefox can send traffic on port 80 but Chrome can not. I do not know how the Windows firewall does it, or whether it only seems to do that. I just know that the dialog there gives a list of applications.

So if you can work out your problem based on the ports that your applications use, you have all the flexibility you need. What I like about the gufw tool is that it has a rather safe quick setup mode that is quite useful to quickly lock up a mobile computer completely when using a public hotspot and just open a single hole for a specific port only.

Hope it helps.

CatMan
  • 1,399
  • Neither iptables nor ufw/gufw will filter by application. You can use iptables to filter by process owner. – Panther Jul 20 '17 at 22:51
  • It's odd that Linux uses a port-based firewall. I don't know much about this stuff but based on your explanations, I think I can't block specific apps but rather services/protocols, right? For example I can stop all HTTP by blocking port 80. Am I right? – tamrat Jul 21 '17 at 05:18
  • You are right. There is a way, as bodhi.zazen points out, via the PID. The firewall could find out the PID and, as each running app has a unique PID, there could be a lookup on process information for that PID. But that's a very advanced firewall setup and programming. But adding complexity like that into a firewall is usually a way to decrease security, not to increase it. For a non-expert of firewall internals it's probably way out of reach. I think you will find that you already come a long way to your target by using what ufw has to offer. – CatMan Jul 21 '17 at 10:41
  • @the downvoter. I always think it's quite unfair to downvote an answer without telling why. I can not see what is wrong with it, please advise. – CatMan Jul 21 '17 at 10:44
  • You can not filter by pid. – Panther Jul 21 '17 at 15:57
  • Thanks for the info. I did not mean filter directly, but more working out at a low level in the iptables definitions. I am quite sure it did work, because I had intended to achieve the same as the OP when coming from Windows, but it seems nightmarish and very cumbersome to solve. But I would have to look up the details again. Anyway, not a good thing to do, still. – CatMan Jul 21 '17 at 17:50
  • @CatMan filtering by PID, if possible, would be tedious since I'll have to change the PID every time I reopen the process. – tamrat Jul 21 '17 at 18:03
  • @tamrat - No iptables will not filter by PID. See http://www.spinics.net/lists/netfilter/msg49716.html – Panther Jul 22 '17 at 19:44
  • OK, I have looked quite a lot in to this. And I think I figured out why there aren't a lot of such apps around. I connected my machine to the Internet via my phone's cellular hotspot and noticed something beautiful under the Resources tab in System Monitor. There aren't any applications that use Internet because the received and sent bytes stay constant. I am not sure, but it appears that Ubuntu doesn't use a lot of background data. – tamrat Jul 25 '17 at 06:45
  • Hey that is great. Just to be on the safe side I would still recommend you to install the firewall and open the ports you expect to need. – CatMan Jul 27 '17 at 19:03
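
The thread above settles on two building blocks: ufw's default-deny policy with per-port holes (the answer), and iptables' owner match to filter by process owner rather than by PID (Panther's comments). The script below is an added example, not code from the answer or from the ufw project, that puts both together into the "block everything, allow a handful" egress policy the question asks for. It assumes a dedicated unprivileged account (hypothetical name "netallowed") that you run trusted applications under with `sudo -u netallowed firefox`; the port list (DNS, HTTP, HTTPS) is an assumed starting point. Run it as root with the argument `apply` to enforce the rules; with `DRY_RUN=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: egress lockdown for Ubuntu 16.04 with ufw plus an iptables
# owner match. Not from the answer above; names and ports are assumptions.
#
#   sudo DRY_RUN=1 sh egress.sh apply   # show the commands only
#   sudo sh egress.sh apply             # enforce the policy

# Assumed defaults: DNS, HTTP and HTTPS for everything; override via env.
ALLOWED_PORTS="${ALLOWED_PORTS:-53/udp 80/tcp 443/tcp}"
# Hypothetical account whose processes keep unrestricted outbound access.
NET_USER="${NET_USER:-netallowed}"

# Run a command, or print it when DRY_RUN=1 (used for review and testing).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ufw policy: deny all inbound and all outbound by default, then open only
# the destination ports in ALLOWED_PORTS. Blocked packets get logged by ufw's
# default logging, which is how you find out which port an app was after.
ufw_lockdown() {
    run ufw --force reset
    run ufw default deny incoming
    run ufw default deny outgoing
    for p in $ALLOWED_PORTS; do
        run ufw allow out "$p"
    done
    run ufw logging on
    run ufw --force enable
}

# Per-user egress: anything sent by processes owned by NET_USER is accepted.
# Inserted at position 1 of OUTPUT, so it is evaluated before the jumps into
# ufw's own chains. This rule is not persisted across reboots (see note).
owner_allow() {
    run iptables -I OUTPUT 1 -m owner --uid-owner "$NET_USER" -j ACCEPT
}

# Only act when explicitly asked; sourcing the file does nothing.
case "${1:-}" in
    apply) ufw_lockdown; owner_allow ;;
esac
```

The owner rule is added with plain iptables, so a reboot or `ufw reload` drops it; to make it permanent, put the equivalent rule into the `*filter` section of /etc/ufw/before.rules (ufw's own hook file) rather than re-running the script. Everything not running as the dedicated user is limited to the listed ports, which is the closest a port-based Linux firewall gets to the per-application list the Windows dialog shows.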