sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

New network/internet access restriction scheme, plans and discussion... #894

Open DavidXanatos opened 3 years ago

DavidXanatos commented 3 years ago

Sandboxie currently blocks network access by denying access to the underlying Windows network stack objects; this often results in an application that tries to use the internet crashing instead of just thinking it's offline, as described in issues #665 and #121.

Currently it is possible to specify ports that cannot be accessed by boxed applications, but it is not possible to specify IPs or IP ranges. As requested in #96, it may be useful to allow sandboxed processes to communicate over the network with each other only. Also, this limitation is not enforced at the kernel level and can be bypassed.

And it may be useful to force the binding of newly created sockets to a given IP or NIC, as requested in #893 and #237.

Last but not least, there may be a use case for network speed limiting (#25).

All these enhancements would mean that the way Sandboxie handles network restrictions needs to be reworked; it is required to add a kernel-level packet filter that would allow blocking some or all network communication by sandboxed applications at the packet level without blocking the entire network stack.

This would be a rather big rework, but it is something I plan to do in the future.

If you have any feature requests related to Sandboxie's network aspects, please post them in this issue if they are not already mentioned. Other issues on networking subjects will be closed on sight.

c-sanchez commented 3 years ago

Hi @DavidXanatos, about your https://github.com/sandboxie-plus/Sandboxie/issues/893#issuecomment-860052051, can you give me a link to some tutorial/guide on how to do this, if possible? Please.

I would like to have at least two active connections on my computer, with things like Firefox using my local IP and Chrome using an OpenVPN connection.

Virtual machines are the only option I can find for now, but they consume too many resources for my taste; I would like to do this in a better way.

I know I can do this kind of thing with Proxifier, which allows having rules per proxy/program, but I wonder if it is possible to use this with OpenVPN.

Maybe Proxifier (or any other similar software) can be used as an optional third-party tool for network options with Sandboxie? I suppose this might be an easier way to do it, if possible.

ImSpecial commented 3 years ago

This sounds like it needs to be its own thing. Keep Sandboxie for isolation, make some Firewall side app/program/hook for this "feature".

c-sanchez commented 3 years ago

OK, I found something very interesting :D https://github.com/saucecontrol/VpnDialerPlus. Now I need to see how to set this up with OpenVPN / TAP. I hope I can get it; if anyone knows how to make it work, let me know.

Also, I found this: https://github.com/mullvad/win-split-tunnel. I don't know, but maybe that driver will be useful for Sandboxie.

Regards.

mikamidd commented 3 years ago

In terms of suggestions, as long as it doesn't take too much work to implement, it would be handy to have some kind of simple network monitor tool in Sandboxie that would allow one to quickly see and log what network connections a sandboxed app is making.

DavidXanatos commented 3 years ago

A WFP-based packet filter will be included in the 0.9.0 and later builds.

ImSpecial commented 3 years ago

Do you plan on releasing a "bug fix" release to 0.8.8 that fixes the MSI installer stuff before such a major change? I think you should fix up all the known bugs first, release a stable build that's super stable, and then and only then release new features like this and so on.

DavidXanatos commented 3 years ago

There will be a 0.8.9 build with some bug fixes, including the MSI server, better icons, etc.

ImSpecial commented 3 years ago

Sounds great, and thanks for keeping up with everything, I know it's a lot of work for pretty much one guy to handle, but you're doing great my man!

Sandboxie has come a long way in such a short time and is only getting better and better with every release; I just don't want to see "feature creep" happen that might cause a "bite off more than you can chew" type of situation for you, where you then start getting overwhelmed by backlog issues.

e-t-l commented 11 months ago

NETWORK FEATURE REQUEST

Bind sandboxes to specific network adapters, e.g. to force a sandbox to route only through a particular VPN, i.e. block the sandbox's internet access if that VPN connection is not available.

o1654416798 commented 5 months ago

I have multiple USB routers (Dcom 4G); can I connect each browser individually to each router?

Ale3ex commented 2 months ago

A much-needed update. At the moment, this restriction is essentially ineffective: if it can be bypassed, as the OP pointed out, then it is also a blow to security, because many users will activate the restriction, being sure that suspicious software and viruses will not have access to the Internet, but they can.

Also, many programs crash if the restriction is activated. In fact, the only way to reliably launch a program inside Sandboxie without Internet access and crashes is to allow all programs to access the Internet inside the sandbox, and then physically pull out the network cable. Only then launch the program.

Maybe someone was able to find a reliable alternative solution on how to lock a program inside the sandbox without pulling out the cable?

e-t-l commented 2 months ago

> Maybe someone was able to find a reliable alternative solution on how to lock a program inside the sandbox without pulling out the cable?

The best method I've found so far is just to use a third-party firewall app like Postmaster (very feature-rich, granular control) to block the network access of the target apps before running them. I suppose you could also do the same with Windows Firewall.
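The Windows Firewall variant of the workaround above, as an added example that is not part of the thread and not Sandboxie's own code. It covers both the "offline" case (block everything the program sends, which makes the app see failed connections instead of missing socket objects) and the "VPN only" case requested earlier in the thread (block the program on every adapter except the VPN one, so it is cut off when the VPN adapter is absent). The program paths, the adapter alias `OpenVPN TAP-Windows6` and the rule group name are assumed placeholders; adjust them to your system.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sandboxie code. Pins a program's network access with
# Windows Firewall (WFP) rules, in the spirit of the comment above.
# Assumptions (placeholders, adjust to your system):
#   $Program  - full path of the executable the sandboxed process runs from
#   $VpnAlias - adapter alias of the VPN interface (see Get-NetAdapter)
$Group = 'Sandboxie network restriction'   # rule group, used for listing and cleanup

function Block-ProgramOutbound {
    # "Offline" mode: drop every outbound packet the program sends.
    # The app typically sees connect() fail or time out instead of losing the socket API.
    param([Parameter(Mandatory)][string]$Program)
    New-NetFirewallRule -DisplayName "Offline: $Program" -Group $Group `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Program $Program | Out-Null
}

function Limit-ProgramToAdapter {
    # "VPN only" mode. Windows Firewall gives Block precedence over Allow, so
    # "allow only on the VPN adapter" cannot be written as an Allow rule;
    # instead, block the program on every other adapter present right now.
    # If the VPN adapter is absent, every adapter gets blocked (fail closed).
    param(
        [Parameter(Mandatory)][string]$Program,
        [Parameter(Mandatory)][string]$VpnAlias
    )
    $vpn = Get-NetAdapter -Name $VpnAlias -ErrorAction SilentlyContinue
    if (-not $vpn) {
        Write-Warning "Adapter '$VpnAlias' not found; blocking $Program on all current adapters."
    }
    $others = @(Get-NetAdapter | Where-Object { $_.Name -ne $VpnAlias } |
                Select-Object -ExpandProperty Name)
    if ($others.Count -eq 0) {
        Write-Warning "No adapters other than '$VpnAlias'; nothing to block."
        return
    }
    New-NetFirewallRule -DisplayName "VPN only: $Program" -Group $Group `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Program $Program -InterfaceAlias $others | Out-Null
}

function Get-ProgramRule {
    # Check: show what is actually enforced, including the program path and
    # interface list the firewall resolved for each rule.
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $app   = $_ | Get-NetFirewallApplicationFilter
        $iface = $_ | Get-NetFirewallInterfaceFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Action     = $_.Action
            Program    = $app.Program
            Interfaces = ($iface.InterfaceAlias -join ', ')
        }
    }
}

function Remove-ProgramRule {
    # Cleanup: remove every rule this script created.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Usage (pick one mode per program; both paths below are assumed):
#   Block-ProgramOutbound  -Program 'C:\Program Files\Mozilla Firefox\firefox.exe'
#   Limit-ProgramToAdapter -Program 'C:\Program Files\Google\Chrome\Application\chrome.exe' `
#                          -VpnAlias 'OpenVPN TAP-Windows6'
#   Get-ProgramRule
#   Remove-ProgramRule
```

Two caveats a practitioner should keep in mind. First, the rule keys on the executable path, not on the sandbox: the same rule also applies to an unsandboxed instance of that program, and a program installed inside the box lives under the sandbox folder, so the rule must point at that path (my understanding of how Sandboxie runs boxed executables; verify with `Get-ProgramRule`). Second, the "VPN only" rule freezes the adapter list at creation time, so it must be re-run whenever an adapter is added or renamed, otherwise a new Wi-Fi or USB adapter is not covered.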

typpos commented 2 months ago

Confused. So what exactly is the unresolved risk supposed to be after 0.9.3 was released? WFP filtering used with a supporter certificate runs in the driver and controls TCP/UDP, so it can't be circumvented by skipping hooks. Most (but not all) of my installs now work with "intra-sandbox" communication, e.g., server & client chatter in the same sandbox. Nothing calls home.

https://sandboxie-plus.com/wfpsupport/

https://github.com/sandboxie-plus/Sandboxie/discussions/1085