#1 2016-09-25 21:57:00

codemac
Member
From: Cliche Tech Place
Registered: 2005-05-13
Posts: 794
Block network access from apps when tethered?

Hi!

I ride on the train a lot to commute, and I tether network access through my phone. My phone bills have gone through the roof, and a lot of it is many automatic processes I have on my laptop that check/use wifi access to sync git repos, run backups, update software automatically, etc.

Something I'd really like to do is block network access from everything, and then add back network access to processes based on what I'm using. I thought about using unshare/containers or other things, but it would require me to restart every process on my laptop based on when I'm tethered or not.

Does anyone have any suggestions for blocking networking access by process?

Thanks for any help! I'm going to be investigating network namespaces (containers), but it's looking way over the top complicated for what I want.

#2 2016-09-25 21:59:13

codemac
Member
From: Cliche Tech Place
Registered: 2005-05-13
Posts: 794
Re: Block network access from apps when tethered?

Example use case:

- use laptop at home on wifi, full network everywhere
- close laptop, hop on train
- open laptop, start tethering, enable "restricted" network mode or something
- only allow firefox & offlineimap/mbsync to access network.
- get to work, disable "restricted" mode.

ufw and others all do it by port, but almost all my traffic ends up going over 443, so it makes it a little pointless to block by port.

#3 2016-09-25 22:13:02

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: Block network access from apps when tethered?

Might be complicated since network is usually global...

It should be possible to iptables filter by process. It's just that routers don't do so, as they don't see the processes; they just route other machines' stuff.

You could also match by owner, if those other processes run as root or under another user name than the one you normally use. Or create a separate "tethering" user just for that purpose.

Or just locate all those cron jobs etc. that are running stuff and come up with a way to temporarily disable all of them. It's your box - you should be in control of what things are running. If you allow firefox but have a large download pending you'd still have a phone bill, so in the end you have to watch things yourself either way.

Maybe some kind of xosview that shows you how much traffic is running atm to avoid unexpected surprises.

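A worked version of the owner-match idea from the reply above, added here as an example and not code from the thread or from any of its posters. It assumes a hypothetical chain name TETHER, a tethered interface wlan0, and two allowed accounts: "codemac" for the interactive apps and "mailsync", a separate account that would run mbsync/offlineimap. With DRY_RUN=1 it only prints the iptables commands so the policy can be reviewed without root; run as root without DRY_RUN to apply it.

```shell
#!/bin/sh
# Added example: a toggleable "restricted" egress policy for the tethered
# case, built on iptables' owner match (matches the uid that owns the
# socket, which is why it only works in OUTPUT/POSTROUTING).
# Assumed values (adjust for your box): chain TETHER, interface wlan0,
# allowed accounts "codemac" and "mailsync".

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-TETHER}"
TETHER_IF="${TETHER_IF:-wlan0}"
ALLOWED_USERS="${ALLOWED_USERS:-codemac mailsync}"

# DRY_RUN=1 prints the command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Enable restricted mode: packets leaving via the tethered interface are
# accepted only if their socket belongs to an allowed uid; everything else
# is logged (rate limited) and rejected. REJECT rather than DROP so that
# blocked programs fail fast instead of hanging on timeouts.
tether_enable() {
    run -N "$CHAIN"
    for u in $ALLOWED_USERS; do
        run -A "$CHAIN" -m owner --uid-owner "$u" -j RETURN
    done
    run -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "tether-blocked: "
    run -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited
    # Hook the chain only for traffic that actually leaves over the tether.
    run -I OUTPUT -o "$TETHER_IF" -j "$CHAIN"
}

# Disable restricted mode: unhook, flush and delete the chain.
tether_disable() {
    run -D OUTPUT -o "$TETHER_IF" -j "$CHAIN"
    run -F "$CHAIN"
    run -X "$CHAIN"
}

# Per-rule packet/byte counters show which account is generating traffic
# right now, and how much has been rejected.
tether_status() {
    run -L "$CHAIN" -v -n
}

case "${1:-}" in
    enable)  tether_enable ;;
    disable) tether_disable ;;
    status)  tether_status ;;
esac
```

Usage: `DRY_RUN=1 sh tether.sh enable` to review, `sudo sh tether.sh enable` / `sudo sh tether.sh disable` to toggle, `sudo sh tether.sh status` for counters. Because the match is on the socket's uid, the jobs to be blocked have to run under an account that is not in ALLOWED_USERS (or, the other way round, the interactive apps run under a dedicated account), which is exactly the point about a separate "tethering" user. The rejected packets show up in the kernel log with the "tether-blocked:" prefix, so an unexpected sync is visible before it costs anything.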

#4 2016-09-26 21:28:59

codemac
Member
From: Cliche Tech Place
Registered: 2005-05-13
Posts: 794
Re: Block network access from apps when tethered?

Currently seeing if I can't do ip netns exec <my x session>, and then when I'm tethered disable the networking to that network namespace. Then I just launch applications outside of that namespace... but I can't confirm NetworkManager behavior.
