Block all outgoing traffic for a User running Wine apps

4

Good day,

I'm using a lot of WINE apps under Linux which work just fine, but one thing I am specifically looking for right now is to block their access to the internet (outgoing), with exception of very few wine applications.

I found out I can make a new user on the system and deny it all outgoing traffic for the ethernet interface with iptables, and then just use this user whenever I want to run WINE apps that I want blocked. Like so:

iptables -I OUTPUT -o ethX -m owner --uid-owner UserB -j DROP

However, for the sake of this example, let's say I want to have one WINE app that does connect to the internet... for simplicity let's use Firefox under WINE (as example).

So, I will use UserA, which has internet, to run Firefox in WINE, and UserB to run every other WINE app and have it blocked.

This is good, but I've seen some people claim this can be circumvented in some ways. I'm not worried about the apps being "Linux aware" or advanced malware like that, since they're Windows apps, and I will take the risk that they won't try to go around the block. I most definitely do not want a chroot jail; that's too much and too complicated for me for something so basic.

My question, finally, is: does WINE allow apps to send traffic by themselves? How exactly does WINE handle networking? Because if the app sends by itself, then the packets will have UserB's UID and will be dropped easily. But if the app uses something like... wineserver or some other daemon to communicate with, and then the daemon sends the actual network traffic... that would fail obviously, because the packet won't have UserB's UID.

How can I be sure? Most apps I want blocked are apps I don't "trust" per se; even if they just send trivial data out there, I'm just paranoid. They're silent about it obviously, so I can't monitor this easily, to my knowledge. So if there's a way to monitor this and see if it works (or a simple confirmation from someone who does know), that would be great.

Does anyone know how WINE does this? Or is there anything else I should do just to block all WINE apps on UserB from having any outgoing access? Or is just blocking all UserB packets sufficient?

Thanks a bunch!

UPDATE:

It looks like "wineserver" is separate for each WINEPREFIX, so for those who know what that is, I believe that by just creating a different WINEPREFIX for each of the 2 users, one with internet and one without, all problems should be solved.

I'm not 100% sure if it does block every way to escape, but it should be sufficient, as most Windows apps aren't even aware they run on Linux anyway, so how could they break out of it? Unless they're some really big bad malware.

Each WINEPREFIX has a different simulated Windows installation, so I find it easier to symbolically link them to a common dir where all apps are; this makes it easier without having to worry about these 2 separate WINEPREFIXes.

And just make a shell script to launch the apps on each user, e.g. one for internet access and one without.

If anyone has more awesome ideas how this could be improved, please share. For now I'd say I'm quite satisfied.

kktsuri

Posted 2014-06-26T12:48:15.023

Reputation: 41

Answers

0

Depending on which version of the kernel you have running on your box, you can take advantage of network namespaces. To launch a process with its own empty network namespace, use the unshare tool, e.g. unshare -n wine

glapworth

Posted 2014-06-26T12:48:15.023

Reputation: 86
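Putting the question's per-user iptables idea, the UPDATE's two-WINEPREFIX launcher and the answer's unshare -n approach into one script, as an added example that is not from the original post or answer. It assumes the accounts "UserA" and "UserB", the interface name in IFACE and the prefix paths under /home; it adds a LOG rule in front of the DROP so blocked attempts show up in the kernel log, which is the monitoring the question asks for.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes accounts "UserA"
# (online) and "UserB" (offline) exist and IFACE names the outgoing interface.
IFACE="${IFACE:-eth0}"
ONLINE_USER="UserA"
OFFLINE_USER="UserB"
LOG_PREFIX="WINE-BLOCKED: "

# Print the iptables commands (run as root) that block the offline user. The
# rate-limited LOG rule sits before the DROP, so every blocked attempt lands in
# the kernel log: that is the monitoring the question asks for.
offline_rules() {
    user="$1"; iface="$2"
    printf '%s\n' \
      "iptables -I OUTPUT 1 -o $iface -m owner --uid-owner $user -m limit --limit 10/min -j LOG --log-prefix '$LOG_PREFIX'" \
      "iptables -I OUTPUT 2 -o $iface -m owner --uid-owner $user -j DROP"
}

# Constructed sample of what the LOG rule writes (not real output).
sample_log() {
    printf '%s\n' \
      'Jun 26 12:48:15 host kernel: WINE-BLOCKED: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443' \
      'Jun 26 12:48:16 host kernel: eth0: link is up' \
      'Jun 26 12:48:17 host kernel: WINE-BLOCKED: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=51235 DPT=53'
}

# Count blocked attempts in a kernel log file such as /var/log/kern.log.
count_blocked() {
    grep -c "$LOG_PREFIX" "$1" || true
}

# Run a Wine app as the chosen user with that user's own WINEPREFIX. wineserver
# is started by the app under the same uid, so the owner rule covers it too.
# "isolated" follows the answer above: unshare -n removes every interface.
launch_wine() {
    mode="$1"; shift
    case "$mode" in
        online)   user="$ONLINE_USER";  prefix="/home/$ONLINE_USER/.wine-online" ;;
        offline)  user="$OFFLINE_USER"; prefix="/home/$OFFLINE_USER/.wine-offline" ;;
        isolated) user="$OFFLINE_USER"; prefix="/home/$OFFLINE_USER/.wine-offline" ;;
        *) echo "usage: launch_wine online|offline|isolated APP.exe [args...]" >&2; return 2 ;;
    esac
    if [ "$mode" = isolated ]; then
        sudo unshare -n sudo -u "$user" env WINEPREFIX="$prefix" wine "$@"
    else
        sudo -u "$user" env WINEPREFIX="$prefix" wine "$@"
    fi
}
```

Source the file, apply the rules once with `offline_rules UserB eth0 | sudo sh`, then start apps with `launch_wine offline app.exe` and check `count_blocked /var/log/kern.log` afterwards to see whether the app tried to reach out.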