Sandboxing is a technique for confining an application to access specific resources and protect the operating system from vulnerabilities and threats.<\/p>\n
Additionally, I also mentioned how to use the APPARMOR<\/strong><\/p>\n AppArmor is a Kernel Enhancement that allows for sandboxing applications, giving it only the minimum amount of resources that it needs to perform its tasks, but nothing else.<\/p>\n To enforce all profiles or a single profile, use the following syntax:<\/p>\n FIREJAIL<\/strong><\/p>\n Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted or vulnerable applications with low overhead.<\/p>\n Execute any application with Firejail to apply restrictions or limitations:<\/p>\n Other examples:<\/p>\n Limiting bandwidth:<\/p>\n Optionally create a Bridge Network (using BONUS Restrict the desired application to only run through the desired network interface, such as a VPN, for example.<\/p>\n Or create additional rules to guarantee it is still accessible from the local network on specific ports while restricted to using the VPN interface to reach the Internet.<\/p>\n See also the next post with examples of usage and configuration for ProxyChains [Link<\/a>] to learn how to restrict a specific application to strictly use the Tor Network.<\/p>\n Open Snitch<\/strong> and Little Snitch<\/strong><\/p>\n Monitor and intercept requests to start a new network connection, allowing one to approve or deny before it happens.<\/p>\niptables<\/code> to restrict applications by uid<\/code> or gid<\/code> to only use a VPN connection (tun0<\/code> from OpenVPN) and the application called proychains<\/code> that tunnel all traffic over a Proxy server or even use the Tor Network.<\/p>\n
\nsudo apt install apparmor-profiles apparmor-utils -y\r\nsudo aa-status<\/pre>\n
sudo aa-enforce \/etc\/apparmor.d\/*\r\nsudo aa-enforce \/etc\/apparmor.d\/usr.sbin.traceroute<\/pre>\n
\nsudo apt install firejail firejail-profiles -y\r\nfirejail --help<\/pre>\n
firejail --net=none firefox\r\nfirejail --net=tun0 firefox<\/pre>\n
firejail --private --dns=8.8.8.8 --hosts-file=\/etc\/hosts firefox\r\nfirejail --net=eth0 --defaultgw=192.168.1.1 firefox\r\nfirejail --cpu=2,3 firefox<\/pre>\n
firejail --name=slow --private --net=eth0 firefox -no-remote\r\nfirejail --bandwidth=slow set eth0 200 100<\/pre>\n
bridge-utils<\/code> and uml-utilities<\/code>) attached to the VPN interface and force the desired application over the Bridge Interface.<\/span><\/p>\n
\n
\n<\/strong><\/p>\nsudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \\! -o tun0 -j REJECT\r\nsudo -u debian-transmission transmission-gtk &<\/pre>\n
sudo iptables -A OUTPUT -d 192.168.0.0\/16 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT\r\nsudo iptables -A OUTPUT -d 192.168.0.0\/16 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o wlan0 -j ACCEPT\r\nsudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT\r\nsudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT\r\nsudo iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT<\/pre>\n