• [How-To] Application oriented firewall simple and easy using Tomoyo


    I already made this contribution to Manjaro a few years ago; the link to the original article can be found on their old forum:
    https://classicforum.manjaro.org/index.php?topic=6408.0

    Here’s the updated version:

    NOTE:
    To work with this tutorial you first need to install a custom kernel from the AUR. This inconvenience is due to the Arch team removing every MAC except SELinux from their kernel sources.
    The following AUR packages must be installed first:
    https://aur.archlinux.org/packages/linux-lts-tomoyo/
    https://aur.archlinux.org/packages/tomoyo-tools/

    NOTE:
    If you want to speed up the build process and make the kernel optimized for YOUR LOCAL MACHINE’S CPU,
    edit /etc/makepkg.conf
    and change your CFLAGS and CXXFLAGS to
    CFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong"
    CXXFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong"
    and MAKEFLAGS="-j<1.5x your PHYSICAL core count>"
    so if you have 8 cores in your CPU the syntax would be MAKEFLAGS="-j12"

    After you have the kernel installed and entered into the grub config, follow the tutorial:

    NOTE:
    In order to edit all the files described below and to execute any of the described commands you’ll need local root access rights.

    NOTE:
    The firewall setting works as a whitelist: when you’re done with this tutorial, any Internet access to or from any application on your computer will be blocked by default.
    You will need to enable it explicitly for selected applications by using tomoyo-editpolicy and changing their profile from 0 to 1, as simple as that.

    If you already configured tomoyo, go to step 6.

    Step 1:
    Edit /boot/grub/grub.cfg
    You have to add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:

    ## BEGIN /etc/grub.d/10_linux ###
    menuentry 'Manjaro Linux (Kernel: 3.9.11-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.9.11-1-MANJARO x64-true-blablablablablablablablabla' {
            savedefault
            load_video
            set gfxpayload=keep
            insmod gzio
            insmod part_gpt
            insmod ext2
            set root='hd3,gpt2'
            if [ x$feature_platform_search_hint = xy ]; then
              search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2  blablablablablablablablabla
            else
              search --no-floppy --fs-uuid --set=root blablablablablablablablabla
            fi
            echo    'Loading Linux 3.9.11-1-MANJARO x64 ...'
            linux   /vmlinuz-39-x86_64 root=UUID=00000000-0000-0BLA00-0000-000000000 rw   resume=UUID=blablablablablablablablatimebla9848944984 security=tomoyo TOMOYO_trigger=/sbin/init
            echo    'Loading initial ramdisk ...'
            initrd  /initramfs-39-x86_64.img
    }
    

    Step 2:
    Edit /etc/default/grub
    Add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:

    GRUB_DEFAULT=saved
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="Manjaro"
    GRUB_CMDLINE_LINUX_DEFAULT=" resume=UUID=00000000-0000-0BLA00-0000-000000000 security=tomoyo TOMOYO_trigger=/sbin/init"
    GRUB_CMDLINE_LINUX=""
    
    # If you want to enable the save default function, uncomment the following
    # line, and set GRUB_DEFAULT to saved.
    GRUB_SAVEDEFAULT=true
    
    # Preload both GPT and MBR modules so that they are not missed
    GRUB_PRELOAD_MODULES="part_gpt part_msdos"
    

    Step 3:
    Install tomoyo-tools
    type in the terminal:

    pacman -S tomoyo-tools
    

    Step 4:
    Reboot your OS.

    Step 5:
    Initialize tomoyo default configs and profiles
    type in the terminal:

    /usr/lib/tomoyo/init_policy
    

    Step 6:
    Edit /etc/tomoyo/policy/current/profile.conf and import or override your entries with the following code:

    PROFILE_VERSION=20110903
    0-COMMENT=-----block network inet-----
    0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
    0-CONFIG={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
    0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
    1-COMMENT=-----allow all-----
    1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
    1-CONFIG={ mode=disabled grant_log=no reject_log=no }
    2-COMMENT=-----Permissive Mode-----
    2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
    2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
    3-COMMENT=-----Enforcing Mode-----
    3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
    3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
    

    Step 7:
    Reboot your OS.

    USAGE:
    You can edit any rule by executing:

    tomoyo-editpolicy
    

    Then, by pressing s you can change an application’s profile: 0 = block all Internet access, 1 = allow all Internet access.
    You can exit the policy editor by pressing q.

    NOTE:
    After any changes you make to the policy, you need to save it to disk; to do so, just type in the terminal:

    tomoyo-savepolicy
    

    NOTE:
    Before you can allow an application you have to run it at least once, that way tomoyo notes the application’s existence.
     
    NOTE:
    To find an application a bit quicker in tomoyo’s policy editor, just press f while in the policy editor, then type the first few letters of the application and press enter;
    press n to look for the next occurrence of the application in the domain policy list.

    IF YOU STILL DON’T HAVE A CLUE HOW TO USE TOMOYO’s POLICY EDITOR:
    READ THE DOCUMENTATION:
    http://tomoyo.sourceforge.jp/2.5/index.html.en
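As an added illustration (not part of the post above, and not code from the tomoyo-tools project), the following Python script parses the profile.conf from Step 6 and resolves which mode each profile actually applies to a given operation, in the same order the kernel's tomoyo_get_mode() uses: the functionality-specific entry (CONFIG::network::unix_stream_connect) wins, then the category entry (CONFIG::network), then the bare CONFIG default. That is why profile 0 blocks inet sockets while leaving Unix sockets and file access unchecked. It also flags any entry that enforces without logging denials, a setting that makes a whitelist hard to troubleshoot because blocked applications fail silently. The function names (parse_profiles, effective_mode, silent_enforcing) are my own; the embedded profile text is copied from the post so the script runs offline.

```python
"""Resolve the effective TOMOYO mode per profile from a profile.conf.

Added example, not part of the forum post. The resolution order mirrors the
kernel's tomoyo_get_mode(): functionality entry, then category entry, then the
bare CONFIG default. PROFILE_CONF is the text posted in Step 6.
"""
import re

PROFILE_CONF = """\
PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
"""

# "<profile>-CONFIG[::category[::functionality]]={ key=value ... }"
CONFIG_RE = re.compile(r"^(\d+)-(CONFIG(?:::\w+){0,2})=\{\s*(.*?)\s*\}$")


def parse_profiles(text):
    """Return {profile_number: {config_key: {setting: value}}} for CONFIG lines."""
    profiles = {}
    for raw in text.splitlines():
        m = CONFIG_RE.match(raw.strip())
        if not m:
            continue  # PROFILE_VERSION, COMMENT and PREFERENCE lines are not needed here
        num, key, body = int(m.group(1)), m.group(2), m.group(3)
        settings = dict(item.split("=", 1) for item in body.split())
        profiles.setdefault(num, {})[key] = settings
    return profiles


def effective_config(profiles, profile, functionality):
    """Settings that apply to one functionality, e.g. 'network::inet_stream_connect'.

    The most specific entry wins unless its mode is 'default' (meaning inherit):
    CONFIG::<category>::<functionality> -> CONFIG::<category> -> CONFIG.
    """
    category = functionality.split("::", 1)[0]
    conf = profiles[profile]
    for key in (f"CONFIG::{functionality}", f"CONFIG::{category}", "CONFIG"):
        settings = conf.get(key)
        if settings and settings.get("mode", "default") != "default":
            return settings
    return {"mode": "default"}


def effective_mode(profiles, profile, functionality):
    return effective_config(profiles, profile, functionality)["mode"]


def silent_enforcing(profiles):
    """Entries that block (mode=enforcing) but do not log the denial (reject_log=no).

    An application under such a profile fails with no trace in the audit log,
    which is the main reason a whitelist like this becomes hard to debug.
    """
    found = []
    for num, conf in sorted(profiles.items()):
        for key, settings in conf.items():
            if settings.get("mode") == "enforcing" and settings.get("reject_log") != "yes":
                found.append((num, key))
    return found


if __name__ == "__main__":
    profiles = parse_profiles(PROFILE_CONF)
    for num in sorted(profiles):
        inet = effective_mode(profiles, num, "network::inet_stream_connect")
        unix = effective_mode(profiles, num, "network::unix_stream_connect")
        files = effective_mode(profiles, num, "file::open")
        print(f"profile {num}: inet connect={inet:10} unix connect={unix:10} file open={files}")
    print("silent enforcing entries:", silent_enforcing(profiles))
```

Run it against the live file with `python3 check_profiles.py < /etc/tomoyo/policy/current/profile.conf` after swapping PROFILE_CONF for `sys.stdin.read()`; the posted profiles produce no silent-enforcing entries, because profile 0 sets reject_log=yes on CONFIG::network and profile 3 on CONFIG, so every denial ends up in the audit log where tomoyo-auditd can pick it up.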

  • you should add this to our wiki :)
    https://antergos.com/wiki/


  • @joekamprad
    No problem will do it as soon as i got some more free time
