How can I block Mozilla Firefox in my software firewall

Asked by aneesh

How can I block the Mozilla Firefox browser in my software firewall? Is there any port number for Mozilla Firefox?

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Ian Ace (iaculallad) said :
#1

Why would you want to block Mozilla Firefox on your UFW firewall? For any reason, you can block port 80/8080/443 on UFW.

HTH.

aneesh (aneesholv) said :
#2

Through other browsers I want to let them browse.

On Sat, Apr 10, 2010 at 2:33 PM, Ian Ace A. Culallad <
<email address hidden>> wrote:

> Your question #106974 on Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+question/106974
>
> Status: Open => Answered
>
> Ian Ace A. Culallad proposed the following answer:
> Why would you want to block Mozilla Firefox on your UFW firewall? For
> any reason, you can block port 80/8080/443 on UFW.
>
> HTH.
>

--
------with regards,

                      Aneesh.T.V
                      Mob:9544067525

Huygens (huygens-25) said :
#3

There seems to be a bit of confusion here.
A firewall, technically speaking, can usually work at different levels: IP, TCP and packet inspection (stateful firewall). This means that you can block incoming and outgoing network access based on a few rules, each rule being described in network terms (port, IP address, protocol, etc.) but not in terms of application.
If you want to enforce application control, let's say you want to block Mozilla Firefox web access but want to allow KDE Konqueror web access, you cannot do it from a firewall like UFW (or the underlying iptables) because they are not aware of the application that requests the service.
On Linux, there are several security tools to enforce what service an application can access or not. They are not called firewalls (which some Windows vendors confused), but usually MAC (Mandatory Access Control) applications.
The default MAC application on Ubuntu is AppArmor. Since Ubuntu 9.04 it is activated by default, but not for all applications.

You could try to configure a profile for Firefox to block it from accessing the web. I will give you a few instructions (compatible with Ubuntu 9.10, aka Karmic Koala).
First you will need to delete a file under /etc/apparmor.d/disable: there should be a file (a symbolic link actually) named usr.bin.firefox-3.5, which you should delete.
Then go to the /etc/apparmor.d/ directory and edit the file usr.bin.firefox-3.5, which contains something like:

/usr/lib/firefox-3.5.*/firefox {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/X>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # should maybe be in abstractions
  /etc/ r,
[...]

You should modify this file and comment out the line about the nameserver (which allows network connection) and the lines about networking, so the above lines should look like this:
/usr/lib/firefox-3.5.*/firefox {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
# #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/X>

  # for networking
# network inet stream,
# network inet6 stream,
# @{PROC}/[0-9]*/net/if_inet6 r,
# @{PROC}/[0-9]*/net/ipv6_route r,

  # should maybe be in abstractions
  /etc/ r,
[...]

Now, you have to tell AppArmor that you want to enforce Firefox and then to restart AppArmor, just do this:
sudo aa-enforce firefox
sudo service apparmor restart

Try to launch Firefox, and you should see that it is blocked from accessing the internet.

Check the online AppArmor resources for more information, there are plenty of them out there.
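
The profile edit described in answer #3, scripted as an added example (not part of the original answer): it comments out the nameservice include, the network rules and the @{PROC} net entries, and counts how many such lines remain active. The function names are hypothetical, and the profile is a constructed sample written to a temporary directory rather than the real /etc/apparmor.d/usr.bin.firefox-3.5.

```sh
#!/bin/sh
# Added example, not from the original answer; function names are hypothetical.
# Lines the answer comments out: the nameservice abstraction, "network" rules
# and the @{PROC}/.../net/ entries.
NET_RE='^[[:space:]]*(#include <abstractions/nameservice>|network[[:space:]]|@\{PROC\}/.*/net/)'

# Print how many lines of profile $1 are still active and match NET_RE.
active_net_count() {
    grep -Ec "$NET_RE" "$1" || true
}

# Comment out the matching lines of profile $1 in place. The first run keeps
# the untouched profile as $1.orig so the change can be reverted.
restrict_profile() {
    [ -f "$1" ] || { echo "no such profile: $1" >&2; return 1; }
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    tmp=$(mktemp) || return 1
    sed -E "s,$NET_RE,# &," "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Constructed sample profile in a temporary directory, so nothing under
# /etc/apparmor.d is touched. Prints the path of the sample file.
make_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/usr.bin.firefox-3.5" <<'EOF'
/usr/lib/firefox-3.5.*/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/X>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  /etc/ r,
}
EOF
    echo "$dir/usr.bin.firefox-3.5"
}

sample=$(make_sample)
echo "active before: $(active_net_count "$sample")"
restrict_profile "$sample"
echo "active after:  $(active_net_count "$sample")"
diff "$sample.orig" "$sample" || true
```

On a real profile the edit needs root, and the aa-enforce and service restart steps from the answer still have to follow it.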
