How can I prevent code from initiating outbound http connections?

1

I want to prevent code from making http connections to other, specific hosts. My understanding is this can be done in /etc/hosts.deny. What would that look like?

Nate Reed

Posted 2011-02-28T19:59:54.277

Reputation: 111

Answers

1

You could map the hostnames to localhost in /etc/hosts (it's easier to set up than hosts.deny, but lacks granular control).

Example entry in hosts file:

# /etc/hosts format is "address hostname", address first
127.0.0.1    google.com
127.0.0.1    someotherdomain.com

Oh btw, this question is better suited for serverfault.com.

John2496

Posted 2011-02-28T19:59:54.277

Reputation: 1 989

This is what I tried initially but it gave me unexpected results. For one, as another poster mentioned, if there is a webserver listening on localhost, it would respond to the request. Also, some programs cache hostname lookups indefinitely. If I'm interested in only temporarily disabling connections, then I would have to restart that program to refresh its DNS cache. – Nate Reed – 2011-02-28T21:32:10.623

@Nate Try setting it to an internal address that isn't in use on your network. E.g. 192.168.20.250 google.com – John2496 – 2011-02-28T22:40:32.693

0

Tamler

Posted 2011-02-28T19:59:54.277

Reputation:

0

The /etc/hosts approach is a poor one, since another web server might listen on whatever address you redirect the "forbidden host" to.

If you have write access to /etc/hosts, you're generally root and also in charge of setting up your firewall. This is where you should set up rules concerning outgoing traffic.

Linus Kleen

Posted 2011-02-28T19:59:54.277

Reputation: 667

0

The Linux kernel has firewall capabilities. These will probably give you the best results. It's not clear from your question if you want to block all HTTP connections from your machine to the specific hosts, or only a specific program - but if needed you can also filter traffic by originating application or user.

I usually use FireHOL which is a convenient wrapper around the basic firewall configuration commands.

Ophir Yoktan

Posted 2011-02-28T19:59:54.277

Reputation: 230

0

No, hosts.deny will not do it. Nor will hacking /etc/hosts make any difference (it may break the resolver library, but not prevent an application making outbound connections if it does not use the standard resolver, or finds addresses in some other way).

Using a firewall is really the most obvious way. For locally-generated traffic, iptables is able to block outbound packets by user ID, group ID or process ID, which means you can restrict it to specific processes. Probably the easiest way is to do it by user ID, and run it under some restricted user.

MarkR

Posted 2011-02-28T19:59:54.277

Reputation: 999
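Added example (not code from any answer on this page) of the per-user iptables approach MarkR describes: the rules reject a restricted user's outbound TCP 80/443 traffic to the listed hosts. The user name, the host names and the IPTABLES_CMD variable are assumptions; by default the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the thread above. Generates iptables OUTPUT rules that
# stop processes running as one restricted user from reaching specific hosts
# over HTTP/HTTPS, using the owner match mentioned in MarkR's answer.
# IPTABLES_CMD defaults to "echo" so nothing is changed; set IPTABLES_CMD=iptables
# and run as root to apply the rules for real. User and hosts are assumed names.

IPTABLES_CMD="${IPTABLES_CMD:-echo}"

# Emit one REJECT rule per host and port in the OUTPUT chain, restricted to the
# UID of the given user. iptables resolves each hostname to its address(es) when
# the rule is added, so a program that caches a stale DNS answer is still
# blocked by address. REJECT with a TCP reset makes the client fail immediately
# instead of hanging until a connect timeout, which DROP would cause.
block_http_for_user() {
    user="$1"; shift
    for host in "$@"; do
        for port in 80 443; do
            "$IPTABLES_CMD" -A OUTPUT -p tcp -d "$host" --dport "$port" \
                -m owner --uid-owner "$user" -j REJECT --reject-with tcp-reset
        done
    done
}

# Print the rule lines that would be applied, regardless of IPTABLES_CMD,
# so they can be reviewed before touching the live firewall.
preview_rules() {
    ( IPTABLES_CMD=echo; block_http_for_user "$@" )
}
```

Running `preview_rules webapp example.com` prints the two rules (ports 80 and 443) that `IPTABLES_CMD=iptables block_http_for_user webapp example.com` would add; the rules are not persistent across reboots unless saved with the distribution's usual mechanism.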