How does one permanently disable GNU/linux networking?

2

How would one make it impossible for Ubuntu 12 to talk to the network, even though there's a network card present (which may have a cable plugged in)?

I found this answer which advocates removing the NIC drivers, but I'm concerned that the driver might be re-installed during an upgrade. I don't have much experience of administering Linux.

Is there a best practice for running GNU/Linux without networking capabilities?

jah

Posted 2013-12-04T19:31:29.473

Reputation: 243

A user with sudo can in theory load a kernel module that does networking, so maybe this question should be restricted to non-sudo users. Related non-permanent: https://superuser.com/questions/181254/how-do-you-boot-linux-with-networking-disabled

– Ciro Santilli 新疆改造中心法轮功六四事件 – 2017-09-30T06:34:31.377

Answers

2

You can do this by disabling different network capabilities in the Linux kernel. It will be destructive to disable ALL networking options (because some programs do use the loopback interface for operation - one of them is the X server). But what can help is to disable all NIC device drivers in the kernel. This will ensure no external network activity.

But here is another point - as you stated:

but I'm concerned that the driver might be re-installed during an upgrade

This assumes the user who is doing updates has root access to the system. If this is the case, you can't solve the problem with a software-like solution. Since the user has root access (and knowledge), the user will be able to make any changes.

Another point: even if the user does not have root access, there is the possibility to boot a Linux live distribution and make any changes to the config files of the computer, including substituting the kernel image with a new one (thus enabling NIC drivers).

This all comes down to the simple fact that if one has physical access to the computer, one can change anything on it (provided one has the knowledge and tools).

So following are some possible ways:

  1. If users do not have advanced Linux knowledge, then compiling the Linux kernel without NIC drivers (do not forget about USB network cards) will be sufficient IMO.

  2. Also, you can disable the network card in the BIOS settings - but again, these settings can be reset if one has physical access to the computer.

  3. You can set iptables rules to reject any external network traffic.

  4. Use a physical security device like a port lock kit.

VL-80

Posted 2013-12-04T19:31:29.473

Reputation: 3 867

Thanks. I've attempted to compile a kernel without Ethernet drivers, USB net adapters and wireless LAN using "The Old-Fashioned Debian Way" from the doc you linked to, but ran into some problems which I need to investigate. Nonetheless, this seems like the way to go. I am surprised that there seems to be very little in the way of written guidance for this sort of thing. – jah – 2013-12-05T18:24:30.837

@jah, you're welcome. Ubuntu Linux has an installer which will determine how to configure and compile the kernel for you. I do not know how easy it is to bypass the system and recompile the kernel for Ubuntu. It might be surprising, but in Gentoo Linux it can take just 7-10 minutes to make these changes to the kernel. I have never used Ubuntu, and please do not consider the links which I gave to you as the best data source for recompiling the kernel. So, if you want, you can Google more for good articles about recompiling the kernel in Ubuntu. – VL-80 – 2013-12-05T18:55:06.227
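The answer above lists kernel recompilation and iptables as the two software-side controls, and the asker's worry is that a kernel upgrade brings the drivers back. The script below is an added example, not code from either participant: instead of rebuilding the kernel it writes the two files that survive a kernel package upgrade on Debian/Ubuntu, a modprobe.d fragment that refuses to load the NIC driver modules currently bound to interfaces, and an iptables-restore ruleset that allows only loopback. It assumes the usual sysfs layout (/sys/class/net/<iface>/device/driver, with an optional driver/module link) and the iptables-persistent package (which reads /etc/iptables/rules.v4 at boot); the sysfs root is a parameter so the discovery step can be run against a constructed tree. The answer's own caveat stands unchanged: anyone with root or physical access can undo all of it.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Generates, and optionally installs,
# the two persistent files discussed in the answer:
#   /etc/modprobe.d/no-network.conf  - stop NIC driver modules from loading
#   /etc/iptables/rules.v4           - default DROP, loopback only
# Assumptions: sysfs layout /sys/class/net/<if>/device/driver[/module],
# iptables-persistent installed, initramfs-tools used for the initramfs.
set -eu

# List kernel modules bound to network interfaces (lo and virtual devices have
# no device/driver link and are skipped). $1 is the sysfs root, /sys by default;
# parameterised so the function can be checked against a constructed tree.
nic_driver_modules() {
    sysroot="${1:-/sys}"
    for dev in "$sysroot"/class/net/*; do
        [ -e "$dev/device/driver" ] || continue
        if [ -e "$dev/device/driver/module" ]; then
            # driver name and module name can differ; the module link is authoritative
            basename "$(readlink -f "$dev/device/driver/module")"
        else
            basename "$(readlink -f "$dev/device/driver")"
        fi
    done | sort -u
}

# modprobe.d fragment for the given modules. "blacklist" only stops alias-based
# autoloading at boot/hotplug; the "install ... /bin/false" line additionally
# makes an explicit "modprobe <mod>" fail. Neither stops root using insmod.
modprobe_fragment() {
    for mod in "$@"; do
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# iptables-restore ruleset: everything dropped except traffic on lo, which the
# answer notes some local programs (e.g. the X server) still need.
loopback_only_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Install both files (run as root). initramfs-tools copies /etc/modprobe.d into
# the initramfs, so regenerate it once; a later kernel package builds its own
# initramfs and picks the fragment up again, which is what makes this survive
# the upgrade the asker is worried about.
install_files() {
    mods="$(nic_driver_modules /sys)"
    # shellcheck disable=SC2086  # word splitting into one argument per module is intended
    modprobe_fragment $mods > /etc/modprobe.d/no-network.conf
    loopback_only_rules > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
    update-initramfs -u
}

# Usage: ./no-network.sh         - print what would be written
#        ./no-network.sh install - write the files (root)
case "${1:-show}" in
    install) install_files ;;
    show)    echo "# modules: $(nic_driver_modules /sys | tr '\n' ' ')"
             # shellcheck disable=SC2046
             modprobe_fragment $(nic_driver_modules /sys)
             loopback_only_rules ;;
esac
```

After a reboot, `lsmod | grep -f <(cut -d' ' -f2 /etc/modprobe.d/no-network.conf)` should print nothing and `ip link` should show only `lo`; if a driver still appears, it was loaded from an initramfs built before the fragment existed, and `update-initramfs -u` was skipped.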

0

CONFIG_NET=n

This option controls network support in the kernel. But as the docs themselves say, this might break many userland programs that do network-ish looking things:

menuconfig NET
    bool "Networking support"
    select NLATTR
    select GENERIC_NET_UTILS
    select BPF
    ---help---
      Unless you really know what you are doing, you should say Y here.
      The reason is that some programs need kernel networking support even
      when running on a stand-alone machine that isn't connected to any
      other computer.

      If you are upgrading from an older kernel, you
      should consider updating your networking tools too because changes
      in the kernel and the tools often go hand in hand. The tools are
      contained in the package net-tools, the location and version number
      of which are given in <file:Documentation/Changes>.

      For a general introduction to Linux networking, it is highly
      recommended to read the NET-HOWTO, available from
      <http://www.tldp.org/docs.html#howto>.

I have tested that option at: https://github.com/cirosantilli/linux-kernel-module-cheat/blob/71d673bac48f43a2e38f5e1e4f94b10da15b7cee/kernel_config_fragment#L58

Outcome: many (all?) networking system calls return a failure status and do nothing, e.g.:

# nc -l -p 8000 127.0.0.1
nc: socket: Function not implemented

TODO: UNIX sockets? Not present on that version of nc, and I was too lazy to try it out.

I can still use the shell and call basic utilities. But, for example, the X server requires networking system calls to work, and won't start properly.

Ciro Santilli 新疆改造中心法轮功六四事件

Posted 2013-12-04T19:31:29.473

Reputation: 5 621