netjail Homepage


The One-Liner

netjail is a user-space mechanism for restricting network access from a process, which is useful for detecting or defeating spyware and hidden "home-calling" features.


For many of us, the ideal would be to install and use only open source software, whose source code we would thoroughly inspect before use so that we knew exactly what it did. Of course, this isn't practical for most people, either because they don't have the time to inspect the increasingly complex applications they rely on, or because, as open source catches on with the masses, many users lack the knowledge to inspect the source. Proprietary software is also often a fact of life, and it rarely comes with the ability to look at the code.

One of the unfortunate side-effects of binary-only distribution by vendors is that they can get away with adding things the user doesn't know about. One of those things is the ability to send data about the user back to the vendor, which the vendor can then sell as marketing data or use to advance its own business plan. In general this seems fairly harmless, especially since in most cases the vendor has little incentive to tie the data to a particular user; the data is more useful to them in aggregate anyway. Harmless or not, when these "features" are undocumented, they are still a violation of the user's privacy.

To push the scenario even further, closed-source shareware and freeware are also often a fact of life, especially when no open source equivalent provides the same functionality. Unfortunately, this category of software often comes from an anonymous developer somewhere rather than from a company that is more likely to value its reputation, so it is even more likely to compromise privacy and security, whether intentionally or unintentionally.



Multiple solutions exist for this problem, but most are based on firewalling the machine on which the software will run. This works fine for desktop systems, since the user generally also has administrative access. But in the UN*X world, the user often doesn't have root access and is not the only user on the box. In this case we need a user-space solution that can work on a per-process or per-session basis. This is the gap that netjail tries to fill.

netjail works by providing a shared library object which can be preloaded at run-time with the $LD_PRELOAD environment variable mechanism (or equivalent) provided by most modern UN*X and UN*X-like systems. This library intercepts calls to the socket() and connect() standard library functions, logs them, and configurably denies the connection attempts based on the remote address, making it look to the application as though the remote host refused the connection.
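The interception mechanism described above, as an added example that is not netjail's own code: a minimal preload library in C that interposes connect() only (socket() is left alone), logs each attempt to stderr, and refuses destinations on a deny list with ECONNREFUSED, which is exactly the "remote host refused" appearance the paragraph describes. The two deny-list addresses and the function name netjail_should_deny are constructed for this example; the real library call is looked up with dlsym(RTLD_NEXT, ...), which is how a preloaded shim reaches the libc implementation it shadows.

```c
#define _GNU_SOURCE            /* needed for RTLD_NEXT on glibc */
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1l) /* glibc's value, in case _GNU_SOURCE came too late */
#endif
/* Constructed deny list (example addresses from the TEST-NET ranges). */
static const char *const DENIED_HOSTS[] = { "192.0.2.10", "198.51.100.7" };
/* Policy check: 1 if the connect() destination is on the deny list, else 0.
   Only IPv4 is inspected here; other address families are let through. */
int netjail_should_deny(const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL || addr->sa_family != AF_INET ||
        len < sizeof(struct sockaddr_in))
        return 0;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)addr;
    for (size_t i = 0; i < sizeof DENIED_HOSTS / sizeof *DENIED_HOSTS; i++) {
        struct in_addr denied;
        if (inet_pton(AF_INET, DENIED_HOSTS[i], &denied) == 1 &&
            denied.s_addr == sin->sin_addr.s_addr)
            return 1;
    }
    return 0;
}
/* Interposed connect(): logs every attempt, then either refuses it with ECONNREFUSED
   (so the program sees "connection refused") or forwards it to the real libc connect(). */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    char host[INET_ADDRSTRLEN] = "?";
    int port = 0;
    if (addr && addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)addr;
        inet_ntop(AF_INET, &sin->sin_addr, host, sizeof host);
        port = ntohs(sin->sin_port);
    }
    if (netjail_should_deny(addr, len)) {
        fprintf(stderr, "netjail: DENY  connect(fd=%d) -> %s:%d\n", fd, host, port);
        errno = ECONNREFUSED;
        return -1;
    }
    fprintf(stderr, "netjail: ALLOW connect(fd=%d) -> %s:%d\n", fd, host, port);
    if (!real_connect)
        real_connect = dlsym(RTLD_NEXT, "connect");
    return real_connect(fd, addr, len);
}
```

Build it with `cc -shared -fPIC -o libnetjail.so netjail.c` (add `-ldl` on older glibc) and run the program under `LD_PRELOAD=./libnetjail.so`. Because it rides on the dynamic loader, a statically linked program, or one that issues the socket system calls directly instead of through libc, is not affected, so a shim like this is a privacy aid rather than a security boundary.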



I needed the functionality that netjail provides one day and did a Google search for it. I was very surprised that I couldn't find anything like it. So, I banged out the prototype code over the next half hour and fulfilled the need that I had. Then I figured I'd clean it up and share it, in case it occurred to anyone else to search for prior implementations of this obvious solution.

netjail is open source software originally written by Craig B. Agricola and released under the GNU Public License (version 2). Other projects by Craig can be found on his junk page.

This project is hosted at SourceForge.