From 330f2fbe21389f5248cc7d9f636f98ba9d8bfbec Mon Sep 17 00:00:00 2001 From: tobias Date: Sun, 8 Mar 2026 21:31:42 +0000 Subject: [PATCH] Update README.md --- README.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9636a76..90124f4 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # No-Internet Group ## Description -Simple methodology to prevent specified Linux desktop programs having access to the public Internet via iptables +Simple methodology to prevent specified Linux programs having access to the public Internet via iptables ## Getting Started @@ -70,5 +70,21 @@ Note: a similar effect could be achived via crontab by making an entry along the ``` ### Modifying .desktop entries +.desktop files are used within graphical Linux shells to launch programs +Simply put when you a program is ran through an application launcher the .desktop file is what is what is being read from and executed in the background +They are typically located within ~/.local/share/applications +An example of a program which I want to deny network access to due to its persistent and bothersome connections is Lutris +Before modification it's Exec value will likely look something like +``` +Exec=/usr/bin/lutris +``` +However we are going to modify this so it runs under the group "no-internet" any time it is launched thereby having outbound connections dropped +This may be achieved by changing the line like so: +``` +Exec=/usr/bin/sg no-internet /usr/bin/lutris +``` +Note: your binaries may be located in a different place type "which [program_name]" to find their path +Now any time lutris is launched from my desktop it will be ran through the "no-internet" group + ### Limitations As iptables operates at layer 3 programs ran through this sandboxed group will still be able to reach devices within the same broadcast domain \ No newline at end of file
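Review bot: In the second hunk (`@@ -70,5 +70,21 @@`), the replacement line `Exec=/usr/bin/sg no-internet /usr/bin/lutris` works only because the command is a single word, and the README does not say so. `sg` takes the command as one argument and runs it through `/bin/sh`, so an entry whose original `Exec=` value carries arguments has to pass them to `sg` as a single quoted string. The Desktop Entry specification leaves field codes such as `%U` inside a quoted argument undefined, so for those entries suggest a small wrapper script that calls `sg` and point `Exec=` at the wrapper. Readers will apply this recipe to programs other than Lutris, so the caveat belongs next to the example.

Three smaller points in the same hunk. "They are typically located within ~/.local/share/applications" should mention that packaged entries usually live in `/usr/share/applications`, and that the entry should be copied into `~/.local/share/applications` and edited there, because a package update overwrites the system copy. The closing sentence should state that the group is applied only when the program is started through this entry; a launch from a terminal or from another entry runs without `no-internet`. Wording: "when you a program is ran", "is what is what is being read" and "it's Exec value" need fixing, and the file now ends without a trailing newline.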