How to block a app from connecting the internet with firewall,and?[SOLVED]

[helloworld]

i just wanna block a app, i cant find how to add a app into a blacklist。
And ,how do i set different wallpaper for each desktop? has been SOLVEDhttps://oldforum.puppylinux.com/viewtop ... =94470&i=1
+++++++++++++++++++++++++++++++++++++++++++++start

################################run as root
adduser offline ###add a new user, if necessary,reboot
iptables -I OUTPUT 1 -m owner --uid-owner offline -j DROP ###add a new iptables rule to first line
iptables -L --line-numbers | grep owner ###check if the new iptables rule is there.
su offline -l ###login as offline
########maybe next, (run-as offline palemoon)
######################### run as offline,
export DISPLAY=':0' ## make environment variable for display
xhost + ####make X can be accessed
palemoon ###see if browser can access internet,it should be offline
#####################runas root
iptables -L --line-numbers | grep offline ###get line number of the rule added
iptables -D OUTPUT 1 ######delete the rule added
#####################go back to the above offline

palemoon ###see if browser can access internet, it should be online
+++++++++++++++++++++++++++++++++++++++++++++end

[bigpup]

What is the app?

[helloworld]

What is the app?

Sometimes,i need to download and run some apps which are not from offcial repos.That means they dont have high trust-level

[bigpup]

Still need to know what they specifically are, so I know what they may or may not do, over the network.

[bigpup]

If they are something, that you want to make sure, they do not do anything, over the Internet.
Just disconnect from INTERNET when using them.
Network tray icon can disconnect/connect from it's right click menu.

WARNING:
This is a bug in Fossapup64 9.5
To use this right click menu.
Put mouse pointer over the tray network icon.
Press and hold the right mouse button.
Move pointer to selection.
Release right mouse button to select.

If you disconnect. It does it quickly.
When you select connect.
It takes a little time to go through the connection process. So, give it some time to work.

[helloworld]

Still need to know what they specifically are, so I know what they may or may not do, over the network.

[helloworld]

Still need to know what they specifically are, so I know what they may or may not do, over the network.

a musick player named mu ,it is less likely to do bad things,but i just want to block it,you know ,just in case.IT is a beautiful-look player

[bigpup]

got a web site or download link for it?

Doing a search for mu, does not really bring up anything, I know for sure, is what you are talking about.

Is this it?
https://www.fossmint.com/mu-music-playe ... for-linux/

[helloworld]

got a web site or download link for it?

Doing a search for mu, does not really bring up anything, I know for sure, is what you are talking about.

Is this it?
https://www.fossmint.com/mu-music-playe ... for-linux/

Bingo.Disconnecting the whole network does work ,but it is not friendly to others which need to keep online meantime.If there was a way for both,it would be perfect

[bigpup]

How did you get mu installed and working in Fossapup64 9.5?

Wonder if running mu as spot, would be enough security.

I assume the exec file name is mu.
In terminal run-as-spot mu

This is what running as spot is.

spot

This brings us to 'spot', which is a classical name for a dog. But, spot is not a normal user, you don't login as user spot. Instead, you bootup in the normal way as the root user, but you can choose to run some Internet applications as the restricted user spot.
This means that you have unfettered access to your local system, all the benefits of root, no hassles with file/directory ownerships and permissions, no restrictions on access to all hardware.
But, you can run, for example, SeaMonkey (browser, Composer, mail&news, IRC-chat suite), as spot. The home directory for spot is /home/spot, and SeaMonkey will only be able to (normally) edit/create/write files inside /home/spot.

With spot, you have the best of both worlds. Freedom in your local system, a restricted user for Internet access.

Run any application as spot with: run-as-spot app [arguments]

If that is enough for you.
Could edit the /usr/share/applications/ mu.desktop file.
edit the exec= run-as-spot mu

[helloworld]

How did you get mu installed and working in Fossapup64 9.5?

Wonder if running mu as spot, would be enough security.

I assume the exec file name is mu.
In terminal run-as-spot mu

This is what running as spot is.

spot

This brings us to 'spot', which is a classical name for a dog. But, spot is not a normal user, you don't login as user spot. Instead, you bootup in the normal way as the root user, but you can choose to run some Internet applications as the restricted user spot.
This means that you have unfettered access to your local system, all the benefits of root, no hassles with file/directory ownerships and permissions, no restrictions on access to all hardware.
But, you can run, for example, SeaMonkey (browser, Composer, mail&news, IRC-chat suite), as spot. The home directory for spot is /home/spot, and SeaMonkey will only be able to (normally) edit/create/write files inside /home/spot.

With spot, you have the best of both worlds. Freedom in your local system, a restricted user for Internet access.

Run any application as spot with: run-as-spot app [arguments]

If that is enough for you.
Could edit the /usr/share/applications/ mu.desktop file.
edit the exec= run-as-spot mu

thanks for your help,as you said,running as spot is a better way ,if i have a higher trust for a app.If you have to run some low_trust_level app,i think run_as_spot and blocking its net acess are what you should do,afterall,it still can furtively upload sth even running as spot with network access.I will keep looking for a more better way,if done,i will post it in the forum for everyone's benefit

[bigpup]

Maybe try using Firejail to run MU.
https://firejail.wordpress.com/
You can install Firejail from the Puppy Package Manager(PPM) in Fossapup64 9.5
Do a search for Firejail.
It will have 3 listed items.
I would install all of them.
Should have menu entry in Utility to run Firejail.

[mikewalsh]

Mm. I was thinking along the same lines myself.

It IS possible to block an individual item from accessing the internet while leaving other stuff on-line, but you're getting into very esoteric, complicated, highly-granular iptables stuff there. And you would need to be able to run the app anyway, to find out specifically which port it connects with.....

Most people know how to set-up a firewall, but this is invariably done via some kind of a GUI. Even in the Linux world, there's not many who are comfortable with - or expert at - working directly with the iptables "backend" itself.

I suppose you could set-up the firewall with mu's ports as exceptions, but you still need to know what those ports ARE.

So bigpup's idea of using a 'sandbox' is probably the next best option. It's certainly easier for most people to set-up that way.

Mike.

[rcrsn51]

Bingo.Disconnecting the whole network does work ,but it is not friendly to others which need to keep online meantime.If there was a way for both,it would be perfect

I don't understand this comment. Are you suggesting that bigpup's instructions bring down the internet for EVERYONE on your LAN?

Did you actually experience this situation?

[helloworld]

Bingo.Disconnecting the whole network does work ,but it is not friendly to others which need to keep online meantime.If there was a way for both,it would be perfect

I don't understand that comment. Are you suggesting that bigpup's instructions bring down the internet for EVERYONE on your LAN?

not my lan network ,just my one pc network .i mean there are lots of apps needing to run online,like you run a browser downloading files,meantime you run a app which is not necessary to access internet,in this case,you cant disconnect your this pc's network access

[helloworld]

Mm. I was thinking along the same lines myself.

It IS possible to block an individual item from accessing the internet while leaving other stuff on-line, but you're getting into very esoteric, complicated, highly-granular iptables stuff there. And you would need to be able to run the app anyway, to find out specifically which port it connects with.....

Most people know how to set-up a firewall, but this is invariably done via some kind of a GUI. Even in the Linux world, there's not many who are comfortable with - or expert at - working directly with the iptables "backend" itself.

I suppose you could set-up the firewall with mu's ports as exceptions, but you still need to know what those ports ARE.

So bigpup's idea of using a 'sandbox' is probably the next best option. It's certainly easier for most people to set-up that way.

Mike.

bigpup's sandbox idea is good,but for what to pick up puppy,one important reason is it is amazingly light weight for old computer,sandboxing will work well on newer machine,for very old pc,sandboxing could be a disaster

[Grey]

With games, things are easier. I recently installed Linux version of Quake 4 for my nephew. To bypass the license protection, it was necessary to prevent Quake 4 from checking the cd-key.
I added the following line to the /etc/hosts:

Code: Select all

127.0.0.1 q4master.idsoftware.com

Voila!