For many of us, the ideal would be to only install and
use open source software, the source code to which we would
thoroughly inspect before using it so that we knew exactly
what it did. Of course, this isn't really practical for
most people, either because they don't have the time to
inspect the increasingly complex applications that they rely
on, or because as open source catches on with the masses,
many users don't have the knowledge to inspect the source.
Also, proprietary software is often a fact of life which
rarely comes with the ability to look at the code.
One of the unfortunate side-effects of binary-only
distributions from vendors is the fact that they can get away
with adding things that the user doesn't know about. One of
those things is the ability to send data about the user back
to the vendor, which the vendor can then sell as marketing
data, or use it to advance their own business plan. In
general, this seems pretty harmless, especially since in
most cases, the vendor has little incentive to tie the data
to a particular user; the data is more useful to them as
aggregate data anyway. Harmless or not, when these
"features" are not documented, it is still a violation of
the users' privacy.
To push the scenario even further, closed source shareware
and freeware is also often a fact of life, especially when
open source equivalents don't exist to provide the same
functionality. Unfortunately, this category of software
often comes from an anonymous developer somewhere rather than
from a company that is more likely to value its reputation.
It is even more likely that this kind of software will
compromise privacy and security, either intentionally or
Multiple solutions exist for this problem, but most are based
on firewalling the machine on which the software will run.
This works fine for desktop systems, since the user
generally also has administration access. But in the UN*X
world, often the user doesn't have root access and is not
the only user on the box. In this case we need a user-space
solution that can work on a per-process or per-session
basis. This is the gap that netjail tries to fill.
netjail works by providing a shared library object which can
be preloaded at run-time with the $LD_PRELOAD
environment variable mechanism (or equivalent) provided by
most modern UN*X and UN*X like systems. This library
intercepts calls to the socket() and
connect() standard library calls, logs them, and
configurably denys the connection attempts based on the
remote address, making it look to the application like the
remote host refused the connection.