{"id":22852697,"url":"https://github.com/sha0coder/laf","last_synced_at":"2025-04-30T09:20:42.845Z","repository":{"id":21660694,"uuid":"24981578","full_name":"sha0coder/LAF","owner":"sha0coder","description":"This firewall allows only communications made from allowed processes. ","archived":false,"fork":false,"pushed_at":"2016-08-10T19:55:52.000Z","size":78,"stargazers_count":13,"open_issues_count":0,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-30T14:41:55.890Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"florianv/exchanger","license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sha0coder.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-10-09T09:07:16.000Z","updated_at":"2019-08-24T03:00:44.000Z","dependencies_parsed_at":"2022-08-17T16:05:51.858Z","dependency_job_id":null,"html_url":"https://github.com/sha0coder/LAF","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sha0coder%2FLAF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sha0coder%2FLAF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sha0coder%2FLAF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sha0coder%2FLAF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sha0coder","download_url":"https://codeload.github.com/sha0coder/LAF/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251674962,"owners_count":21625712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-13T06:08:56.437Z","updated_at":"2025-04-30T09:20:42.819Z","avatar_url":"https://github.com/sha0coder.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"== Introduction ==\n\nLAF - Linux Application Firewall\nThis kernel driver blocks network sockets, allowing only whitelisted processes to connect to the LAN and the Internet.\n\nWhile iptables filters by IP and port, it cannot filter by process name - laf.ko is a simple driver that does this.\n\nThe following diagram describes the inner workings:\n\n   +--------+     add     +--------+\n   | sysctl | \u003c---------\u003e | laf.ko | --------+\n   +--------+ enabled = 0 +--------+ NETLINK |\n     ^        debug   = 0     ^              |\n     |        log     = 1     | upload       |\n     |                        | whitelist    | get events              KERNEL\n   - |  -    -    -    -    - |  -    -    - |  -   -   -    -    -    -    -\n     |                +-------+           +------+  events  +------+     USER\n     | sets           | NETLINK           | lafd | -------\u003e | DBus |\n     | enabled = 1    |                   +------+          +------+\n   +--------------------+   launch  +---------+                |\n   |       lafctl       | \u003c-------- | systemd |                | QtDBus\n   +--------------------+           +---------+             +------+\n             ^  read whitelist       ^                      | qlaf | \n             |                       |                      +------+\n      +--------------+ +---------------------------------+\n      | /etc/laf.cfg | | /lib/systemd/system/laf.service |\n      +--------------+ +---------------------------------+\n\n\n== Configuration == \n\nEdit /etc/laf.cfg\n\nThere are two whitelists. The first is for specifying the full name of each process that we want to allow access to network sockets.\n\nThe second is for strings to be compared with strstr(): if you want to allow all processes with a name containing a specific word, this is the wordlist for doing that. For example, Chrome changes its process name, so this wordlist should be used for it.\n\n== Installing and running ==\n\n$ make\n# make install\n\nThis will compile the module and copy it to /lib/modules.\nYou can load it with:\n\n# modprobe laf\n\nAdd the module to /etc/modules or similar...\n\n# vi /etc/laf.cfg\n# lafctl -u -f /etc/laf.cfg\n\nTo make the qLAF GUI:\n\n$ cd qlaf\n$ qmake\n$ make\n# cp qlaf /usr/bin\n\nIf you want to see what the LAF driver is blocking:\n\ntail -f /var/log/kern.log\n\n[ 9006.541447] LAF: Enabled\n[ 9010.042030] LAF: call 01 fam 0x100000002 blocked: iexplore.exe (24763:24730) parent: wine (24728)\n[ 9015.586690] LAF: call 01 fam 0x100000002 blocked: kk.x86 (24769:24769) parent: bash (10343)\n[13118.760088] LAF: call 01 fam 0x100000002 blocked: wineserver (25729:25729) parent: systemd (1)\n[16569.004590] LAF: fam 10 proto 00 blocked: VBoxXPCOMIPCD (26102:26102) parent: systemd (1)\n[16569.048654] LAF: fam 10 proto 00 blocked: VBoxSVC (26107:26107) parent: systemd (1)\n\nAnd if lafd is started you can also monitor DBus:\n\n$ dbus-monitor --system \"interface='laf.signal.source'\"\n\nsignal sender=:1.529 -\u003e dest=(null destination) serial=19 path=/laf/signal/alert; interface=laf.signal.source; member=event\n   string \"/2/0/kk/27293/27293/bash/27255\"\n\n== Philosophy ==\n\nThis is not a comprehensive solution against advanced attackers. There are many ways to bypass this kind of protection. However, it makes for an additional barrier for the attacker to overcome - think of it as defense in depth. The typical use case would be to isolate vanilla spyware, address privacy issues and block the most common shellcodes.\n\nIn the past we protected our open ports to the Internet; nowadays the problem is on the client side: client apps sending data to the Internet.\n\n== Authors ==\n\n@sha0coder: https://twitter.com/sha0coder\n@capi_x: https://twitter.com/capi_x\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsha0coder%2Flaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsha0coder%2Flaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsha0coder%2Flaf/lists"}